APPLIED: [SRU][Artful][v3][PATCH 0/2] Fixes for LP:1734327

Joseph Salisbury joseph.salisbury at canonical.com
Tue Apr 3 12:33:12 UTC 2018 

On 04/03/2018 06:08 AM, Tetsuo Handa wrote:
> Kleber Souza wrote:
>> On 03/12/18 20:07, Joseph Salisbury wrote:
>>> BugLink: http://bugs.launchpad.net/bugs/1734327
>>>
>>> == SRU Justification ==
>>> The following commit introduced a regression identified in bug 1734327:
>>> ac8f82a0b6d9 ("UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of the remaining blobs")
>>>
>>> The regression causes a kernel panic to occur after multiple TCP connection 
>>> creations/closures to the localhost.  The bug was found using STAF RPC calls, 
>>> but is easily reproducible with SSH.    
>>>
>>> A revert of commit ac8f82a0b6d9 is needed to resolve this bug.  However, commit 4ae2508f0bed
>>> also needs to be reverted because it depend on commit ac8f82a0b6d9.
>>>
>>> This has already been reverted in Bionic.
>>>
>>> == Fix ==
>>> Revert 4ae2508f0bed ("UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor network hooks")
>>> Revert ac8f82a0b6d9 ("UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of the remaining blobs")
>>>
>>> == Test Case ==
>>> A test kernel was built with these two commits reverted and tested by the original bug reporter.
>>> The bug reporter states the test kernel resolved the bug.
>>>
>>> Joseph Salisbury (2):
>>>   Revert "UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor
>>>     network hooks"
>>>   Revert "UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of
>>>     the remaining blobs"
>>>
>>>  include/linux/lsm_hooks.h         |   8 -
>>>  security/apparmor/include/net.h   |  12 +-
>>>  security/apparmor/lsm.c           |  15 +-
>>>  security/security.c               | 259 +---------------------------
>>>  security/selinux/hooks.c          | 333 ++++++++++++++++++++++++------------
>>>  security/selinux/include/objsec.h |  65 +-------
>>>  security/selinux/netlabel.c       |  15 +-
>>>  security/selinux/selinuxfs.c      |   4 +-
>>>  security/selinux/ss/services.c    |   3 +-
>>>  security/smack/smack.h            |  61 +------
>>>  security/smack/smack_lsm.c        | 343 +++++++++++++++++++++++++++-----------
>>>  security/smack/smack_netfilter.c  |   8 +-
>>>  12 files changed, 510 insertions(+), 616 deletions(-)
>>>
>> Applied to artful/master-next branch.
>>
> OK. Then, please also apply
>
> ----------
> diff -ur linux-4.13.0-17.20.orig/security/apparmor/lsm.c linux-4.13.0-17.20/security/apparmor/lsm.c
> --- linux-4.13.0-17.20.orig/security/apparmor/lsm.c
> +++ linux-4.13.0-17.20/security/apparmor/lsm.c
> @@ -1562,6 +1562,8 @@
>  		    security_module_enable("apparmor",
>  				IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED)))
>  			security_add_blobs(&apparmor_blob_sizes);
> +		else
> +			apparmor_enabled = 0;
>  		finish = 1;
>  		return 0;
>  	}
> ----------
>
> because, without this fix, using security= parameter other than security=apparmor
> causes kernel panic unless apparmor=0 is explicitly specified.

We are performing a revert, so putting things back to before those
commits were applied.  Due to that, I would suggest adding this
additional change as a new patch. Thoughts?

>> Thanks,
>> Kleber

More information about the kernel-team mailing list