[RESEND][SRU][Artful][v2][PATCH 0/2] Fixed for LP:1734327
Khaled Elmously
khalid.elmously at canonical.com
Fri Feb 2 04:33:13 UTC 2018
On 2018-01-22 19:30:06 , Tetsuo Handa wrote:
> Joseph Salisbury wrote:
> > BugLink: http://bugs.launchpad.net/bugs/1734327
> >
> > == SRU Justification ==
> > The following commit introduced a regression identified in bug 1734327:
> > ac8f82a0b6d9 ("UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of the remaining blobs")
> >
> > The regression causes a kernel panic to occur after multiple TCP connection
> > creations/closures to the localhost. The bug was found using STAF RPC calls,
> > but is easily reproducible with SSH.
> >
> > A revert of commit ac8f82a0b6d9 is needed to resolve this bug. However, commit 4ae2508f0bed
> > also needs to be reverted because it depend on commit ac8f82a0b6d9.
> >
> > == Fix ==
> > Revert 4ae2508f0bed ("UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor network hooks")
> > Revert ac8f82a0b6d9 ("UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of the remaining blobs")
> >
> > == Test Case ==
> > A test kernel was built with these two commits reverted and tested by the original bug reporter.
> > The bug reporter states the test kernel resolved the bug.
>
> Yes, but a fix of the bug is available at
> http://kernsec.org/pipermail/linux-security-module-archive/2017-December/004638.html .
> I'm fine with reverting the patches or fixing the bug. But please also apply
>
> ----------
> diff -ur linux-4.13.0-17.20.orig/security/apparmor/lsm.c linux-4.13.0-17.20/security/apparmor/lsm.c
> --- linux-4.13.0-17.20.orig/security/apparmor/lsm.c
> +++ linux-4.13.0-17.20/security/apparmor/lsm.c
> @@ -1562,6 +1562,8 @@
> security_module_enable("apparmor",
> IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED)))
> security_add_blobs(&apparmor_blob_sizes);
> + else
> + apparmor_enabled = 0;
> finish = 1;
> return 0;
> }
> ----------
>
> because, without this fix, using security= parameter other than security=apparmor
> causes kernel panic unless apparmor=0 is explicitly specified.
>
> >
> > Joseph Salisbury (2):
> > Revert "UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor
> > network hooks"
> > Revert "UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of
> > the remaining blobs"
> >
> > include/linux/lsm_hooks.h | 8 -
> > security/apparmor/include/net.h | 12 +-
> > security/apparmor/lsm.c | 15 +-
> > security/security.c | 259 +---------------------------
> > security/selinux/hooks.c | 333 ++++++++++++++++++++++++------------
> > security/selinux/include/objsec.h | 65 +-------
> > security/selinux/netlabel.c | 15 +-
> > security/selinux/selinuxfs.c | 4 +-
> > security/selinux/ss/services.c | 3 +-
> > security/smack/smack.h | 61 +------
> > security/smack/smack_lsm.c | 343 +++++++++++++++++++++++++++-----------
> > security/smack/smack_netfilter.c | 8 +-
> > 12 files changed, 510 insertions(+), 616 deletions(-)
> >
Joseph, could you please confirm if a third patch is actually needed in this patchset to avoid the panic mentioned by Tetsuo? If so, please re-submit the patchset with an additional "UBUNTU SAUCE" to fix it. Thanks
More information about the kernel-team
mailing list