[RESEND][SRU][Artful][v2][PATCH 0/2] Fixed for LP:1734327

Khaled Elmously khalid.elmously at canonical.com
Fri Feb 2 04:33:13 UTC 2018


On 2018-01-22 19:30:06 , Tetsuo Handa wrote:
> Joseph Salisbury wrote:
> > BugLink: http://bugs.launchpad.net/bugs/1734327
> > 
> > == SRU Justification ==
> > The following commit introduced a regression identified in bug 1734327:
> > ac8f82a0b6d9 ("UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of the remaining blobs")
> > 
> > The regression causes a kernel panic to occur after multiple TCP connection 
> > creations/closures to the localhost.  The bug was found using STAF RPC calls, 
> > but is easily reproducible with SSH.    
> > 
> > A revert of commit ac8f82a0b6d9 is needed to resolve this bug.  However, commit 4ae2508f0bed
> > also needs to be reverted because it depends on commit ac8f82a0b6d9.
> > 
> > == Fix ==
> > Revert 4ae2508f0bed ("UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor network hooks")
> > Revert ac8f82a0b6d9 ("UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of the remaining blobs")
> > 
> > == Test Case ==
> > A test kernel was built with these two commits reverted and tested by the original bug reporter.
> > The bug reporter states the test kernel resolved the bug.
> 
> Yes, but a fix of the bug is available at
> http://kernsec.org/pipermail/linux-security-module-archive/2017-December/004638.html .
> I'm fine with reverting the patches or fixing the bug. But please also apply
> 
> ----------
> diff -ur linux-4.13.0-17.20.orig/security/apparmor/lsm.c linux-4.13.0-17.20/security/apparmor/lsm.c
> --- linux-4.13.0-17.20.orig/security/apparmor/lsm.c
> +++ linux-4.13.0-17.20/security/apparmor/lsm.c
> @@ -1562,6 +1562,8 @@
>  		    security_module_enable("apparmor",
>  				IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED)))
>  			security_add_blobs(&apparmor_blob_sizes);
> +		else
> +			apparmor_enabled = 0;
>  		finish = 1;
>  		return 0;
>  	}
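Review bot: The added else branch clears apparmor_enabled with no comment and no log line, so someone reading lsm.c later cannot tell why the flag is forced to 0 here or that AppArmor was turned off at boot. Add a short comment above "apparmor_enabled = 0;" saying that the flag must not stay set when security_add_blobs(&apparmor_blob_sizes) was skipped, and consider logging a one-line notice at that point. The first line of the if condition is outside the hunk context, so please also confirm that clearing the flag is correct for every way that condition can be false, not only when security_module_enable("apparmor", ...) returns false.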
> ----------
> 
> because, without this fix, using security= parameter other than security=apparmor
> causes kernel panic unless apparmor=0 is explicitly specified.
> 
> > 
> > Joseph Salisbury (2):
> >   Revert "UBUNTU: SAUCE: LSM stacking: add stacking support to apparmor
> >     network hooks"
> >   Revert "UBUNTU: SAUCE: LSM stacking: LSM: Infrastructure management of
> >     the remaining blobs"
> > 
> >  include/linux/lsm_hooks.h         |   8 -
> >  security/apparmor/include/net.h   |  12 +-
> >  security/apparmor/lsm.c           |  15 +-
> >  security/security.c               | 259 +---------------------------
> >  security/selinux/hooks.c          | 333 ++++++++++++++++++++++++------------
> >  security/selinux/include/objsec.h |  65 +-------
> >  security/selinux/netlabel.c       |  15 +-
> >  security/selinux/selinuxfs.c      |   4 +-
> >  security/selinux/ss/services.c    |   3 +-
> >  security/smack/smack.h            |  61 +------
> >  security/smack/smack_lsm.c        | 343 +++++++++++++++++++++++++++-----------
> >  security/smack/smack_netfilter.c  |   8 +-
> >  12 files changed, 510 insertions(+), 616 deletions(-)
> > 

Joseph, could you please confirm if a third patch is actually needed in this patchset to avoid the panic mentioned by Tetsuo? If so, please re-submit the patchset with an additional "UBUNTU SAUCE" to fix it. Thanks



