APPLIED/cmt: [PATCH][SRU][xenial] UBUNTU: SAUCE: apparmor: fix nnp subset check failure, when stacking

Kleber Souza kleber.souza at canonical.com
Tue Aug 13 09:51:36 UTC 2019 

On 8/13/19 6:02 AM, Khaled Elmously wrote:
> Sigh..It's because there's a dependency patch, which I just saw.
> 
> Pleaase ignore my previous comment.

Hi John,

When a submitted patch was not based on the master-next branch
and cannot be applied cleanly because it's based on other
changes, please send all the patches in a single patch set
or state the dependency in the patch submission so we know in
which order they need to be applied.


Thank you,
Kleber

> 
> 
> 
> On 2019-08-13 00:00:11 , Khaled Elmously wrote:
>> Applied to Xenial, but note: This patch didn't apply cleanly to xenial/master-next.
>>
>> The first 2 delta chunks remove code that is expected to contain this line:
>>
>> perms.allow &= ~AA_MAY_ONEXEC
>>
>> but in xenial/master-next that line doesn't exist.
>>
>>
>> In any case, I applied the patch by removing those 2 chunks of code anyway.
>>
>> The third delta chunk had no issues.
>>
>> Khaled
>>
>>
>> On 2019-08-05 16:31:33 , John Johansen wrote:
>>> This is a backport of a fix that landed as part of a larger patch
>>> in 4.17 commit 9fcf78cca1986 ("apparmor: update domain transitions that are subsets of confinement at nnp")
>>>
>>> Domain transitions that add a new profile to the confinement stack
>>> when under NO NEW PRIVS is allowed as it can not expand privileges.
>>>
>>> However such transitions are failing due to how/where the subset
>>> test is being applied. Applying the test per profile in the
>>> profile transition and profile_onexec call backs is incorrect as
>>> it disregards the other profiles in the stack so it can not
>>> correctly determine if the old confinement stack is a subset of
>>> the new confinement stack.
>>>
>>> Move the test to after the new confinement stack is constructed.
>>>
>>> BugLink: http://bugs.launchpad.net/bugs/1839037
>>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>>> ---
>>>  security/apparmor/domain.c | 47 ++++++++++++--------------------------
>>>  1 file changed, 14 insertions(+), 33 deletions(-)
>>>
>>> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
>>> index d9e29b2fdda2..38595ca7e642 100644
>>> --- a/security/apparmor/domain.c
>>> +++ b/security/apparmor/domain.c
>>> @@ -560,22 +560,6 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
>>>  	if (!new)
>>>  		goto audit;
>>>  
>>> -	/* Policy has specified a domain transitions. if no_new_privs and
>>> -	 * confined and not transitioning to the current domain fail.
>>> -	 *
>>> -	 * NOTE: Domain transitions from unconfined and to stritly stacked
>>> -	 * subsets are allowed even when no_new_privs is set because this
>>> -	 * aways results in a further reduction of permissions.
>>> -	 */
>>> -	if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) &&
>>> -	    !profile_unconfined(profile) &&
>>> -	    !aa_label_is_subset(new, &profile->label)) {
>>> -		error = -EPERM;
>>> -		info = "no new privs";
>>> -		nonewprivs = true;
>>> -		perms.allow &= ~MAY_EXEC;
>>> -		goto audit;
>>> -	}
>>>  
>>>  	if (!(perms.xindex & AA_X_UNSAFE)) {
>>>  		if (DEBUG_ON) {
>>> @@ -653,22 +637,6 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
>>>  		goto audit;
>>>  	}
>>>  
>>> -	/* Policy has specified a domain transitions. if no_new_privs and
>>> -	 * confined and not transitioning to the current domain fail.
>>> -	 *
>>> -	 * NOTE: Domain transitions from unconfined and to stritly stacked
>>> -	 * subsets are allowed even when no_new_privs is set because this
>>> -	 * aways results in a further reduction of permissions.
>>> -	 */
>>> -	if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) &&
>>> -	    !profile_unconfined(profile) &&
>>> -	    !aa_label_is_subset(onexec, &profile->label)) {
>>> -		error = -EPERM;
>>> -		info = "no new privs";
>>> -		perms.allow &= ~AA_MAY_ONEXEC;
>>> -		goto audit;
>>> -	}
>>> -
>>>  	if (!(perms.xindex & AA_X_UNSAFE)) {
>>>  		if (DEBUG_ON) {
>>>  			dbg_printk("appaarmor: scrubbing environment "
>>> @@ -788,7 +756,20 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
>>>  		goto done;
>>>  	}
>>>  
>>> -	/* TODO: Add ns level no_new_privs subset test */
>>> +	/* Policy has specified a domain transitions. If no_new_privs and
>>> +	 * confined ensure the transition is to confinement that is subset
>>> +	 * of the confinement when the task entered no new privs.
>>> +	 *
>>> +	 * NOTE: Domain transitions from unconfined and to stacked
>>> +	 * subsets are allowed even when no_new_privs is set because this
>>> +	 * aways results in a further reduction of permissions.
>>> +	 */
>>> +	if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) &&
>>> +	    !unconfined(label) && !aa_label_is_subset(new, label)) {
>>> +		error = -EPERM;
>>> +		info = "no new privs";
>>> +		goto audit;
>>> +	}
>>>  
>>>  	if (bprm->unsafe & LSM_UNSAFE_SHARE) {
>>>  		/* FIXME: currently don't mediate shared state */
>>> -- 
>>> 2.17.1
>>>
>>>
>>> -- 
>>> kernel-team mailing list
>>> kernel-team at lists.ubuntu.com
>>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

More information about the kernel-team mailing list