APPLIED: [SRU][Artful][v3][PATCH 0/2] Fixes for LP:1734327
Joseph Salisbury
joseph.salisbury at canonical.com
Tue Apr 3 12:33:12 UTC 2018
On 04/03/2018 06:08 AM, Tetsuo Handa wrote:
> Kleber Souza wrote:
>> On 03/12/18 20:07, Joseph Salisbury wrote:
>>> BugLink: http://bugs.launchpad.net/bugs/1734327
>>>
>>> == SRU Justification ==
>>> The following commit introduced a regression identified in bug 1734327:
>>> ac8f82a0b6d9 ("UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of the remaining blobs")
>>>
>>> The regression causes a kernel panic to occur after multiple TCP connection
>>> creations/closures to the localhost. The bug was found using STAF RPC calls,
>>> but is easily reproducible with SSH.
>>>
>>> A revert of commit ac8f82a0b6d9 is needed to resolve this bug. However, commit 4ae2508f0bed
>>> also needs to be reverted because it depends on commit ac8f82a0b6d9.
>>>
>>> This has already been reverted in Bionic.
>>>
>>> == Fix ==
>>> Revert 4ae2508f0bed ("UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor network hooks")
>>> Revert ac8f82a0b6d9 ("UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of the remaining blobs")
>>>
>>> == Test Case ==
>>> A test kernel was built with these two commits reverted and tested by the original bug reporter.
>>> The bug reporter states the test kernel resolved the bug.
>>>
>>> Joseph Salisbury (2):
>>> Revert "UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor
>>> network hooks"
>>> Revert "UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of
>>> the remaining blobs"
>>>
>>> include/linux/lsm_hooks.h | 8 -
>>> security/apparmor/include/net.h | 12 +-
>>> security/apparmor/lsm.c | 15 +-
>>> security/security.c | 259 +---------------------------
>>> security/selinux/hooks.c | 333 ++++++++++++++++++++++++------------
>>> security/selinux/include/objsec.h | 65 +-------
>>> security/selinux/netlabel.c | 15 +-
>>> security/selinux/selinuxfs.c | 4 +-
>>> security/selinux/ss/services.c | 3 +-
>>> security/smack/smack.h | 61 +------
>>> security/smack/smack_lsm.c | 343 +++++++++++++++++++++++++++-----------
>>> security/smack/smack_netfilter.c | 8 +-
>>> 12 files changed, 510 insertions(+), 616 deletions(-)
>>>
>> Applied to artful/master-next branch.
>>
> OK. Then, please also apply
>
> ----------
> diff -ur linux-4.13.0-17.20.orig/security/apparmor/lsm.c linux-4.13.0-17.20/security/apparmor/lsm.c
> --- linux-4.13.0-17.20.orig/security/apparmor/lsm.c
> +++ linux-4.13.0-17.20/security/apparmor/lsm.c
> @@ -1562,6 +1562,8 @@
> security_module_enable("apparmor",
> IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED)))
> security_add_blobs(&apparmor_blob_sizes);
> + else
> + apparmor_enabled = 0;
> finish = 1;
> return 0;
> }
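Review bot: The new `else` branch (`apparmor_enabled = 0;`) has no comment saying why the flag must be cleared when `security_module_enable("apparmor", ...)` returns false, and the opening `if (` of that condition lies outside the hunk's context, so the pairing of the `else` cannot be confirmed from these lines alone. A one-line comment above `apparmor_enabled = 0;` and one more line of leading context would make the intent reviewable. The hunk is also produced with `diff -ur` against linux-4.13.0-17.20 and its context includes `security_add_blobs(&apparmor_blob_sizes);`, so it should be regenerated against the tree it is meant to land on and sent as a proper patch with a commit message and Signed-off-by.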
> ----------
>
> because, without this fix, using security= parameter other than security=apparmor
> causes kernel panic unless apparmor=0 is explicitly specified.
We are performing a revert, so putting things back to before those
commits were applied. Due to that, I would suggest adding this
additional change as a new patch. Thoughts?
>> Thanks,
>> Kleber