ACK/Cmnt: [SRU][Xenial][Bionic][PATCH 1/1] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

Stefan Bader stefan.bader at canonical.com
Tue Jul 31 06:58:25 UTC 2018


On 30.07.2018 22:55, John Johansen wrote:
> The apparmor policy language currently does not allow expressing of the
> locking permission for non-fs unix sockets. However the kernel is
> enforcing mediation.
> 
> Add the AA_MAY_LOCK perm to the computed perm mask which will grant
> permission for all current abi profiles, but still allow specifying
> auditing of the operation if needed.
> 
> BugLink: http://bugs.launchpad.net/bugs/1780227
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---

Please add the SRU justification to the bug report. The change itself looks
small enough but also a bit like voodoo to anybody not familiar... so any help
to reviewers and admins counts. ;)


>  security/apparmor/lib.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
> index a7b3f681b80e..eafad30a78d7 100644
> --- a/security/apparmor/lib.c
> +++ b/security/apparmor/lib.c
> @@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
>  	/* for v5 perm mapping in the policydb, the other set is used
>  	 * to extend the general perm set
>  	 */
> -	perms->allow |= map_other(dfa_other_allow(dfa, state));
> +	perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
>  	perms->audit |= map_other(dfa_other_audit(dfa, state));
>  	perms->quiet |= map_other(dfa_other_quiet(dfa, state));
>  //	perms->xindex = dfa_user_xindex(dfa, state);
> 
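Review bot: The unconditional `| AA_MAY_LOCK` on the `perms->allow` line has no comment explaining why it is there, and the existing comment above it only describes the "other" set extending the general perm set. aa_compute_perms() takes a generic dfa and state, so nothing in this hunk limits the grant to non-fs unix sockets; the lock permission is allowed for every permission set computed through this path. Please add a short comment at that line stating that current policy ABIs cannot express lock for these sockets, that it is therefore always allowed here, and that the grant should become conditional once the policy language can express it. Leaving `perms->audit` and `perms->quiet` untouched matches the commit message's intent of keeping auditing of the operation configurable.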

