[PATCH 01/11] UBUNTU: SAUCE: apparmor: fix cross ns perm of unix domain sockets

John Johansen john.johansen at canonical.com
Fri Mar 31 13:25:26 UTC 2017


When using nested namespaces policy within the nested namespace is trying
to cross validate with policy outside of the namespace that is not
visible to it. This results the access being denied and with no way to
add a rule to policy that would allow it.

The check should only be done again policy that is visible.

BugLink: http://bugs.launchpad.net/bugs/1660832
Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
Acked-by: Brad Figg <brad.figg at canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
 security/apparmor/af_unix.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c
index 8178498..757df1a 100644
--- a/security/apparmor/af_unix.c
+++ b/security/apparmor/af_unix.c
@@ -515,7 +515,7 @@ static int profile_peer_perm(struct aa_profile *profile, const char *op, u32 req
 				      addr, len, &aad(sa)->info);
 		if (!peer_label)
 			peer_label = peer_ctx->label;
-		return fn_for_each(peer_label, peerp,
+		return fn_for_each_in_ns(peer_label, peerp,
 				   match_label(profile, peerp, state, request,
 					       sa));
 	}
-- 
2.9.3





More information about the kernel-team mailing list