NACK: [PATCH][SRU][xenial] UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on cache check
Tyler Hicks
tyhicks at canonical.com
Mon Aug 26 16:39:47 UTC 2019
Unfortunately, this change is breaking the network-manager snap and,
therefore, would cause networking issues for devices in the field. It
needs to be reverted ASAP and the 4.4 kernels in -proposed need to be
respun with the revert.
John is going to prioritize SRU verification of the other AppArmor bugs
that are pending SRU verification.
More details about the regression are available here:
https://bugs.launchpad.net/apparmor/+bug/1658219/comments/20
Tyler
On 2019-08-13 00:07:06, Khaled Elmously wrote:
> On 2019-08-05 16:26:38, John Johansen wrote:
> > When an open file with cached permissions is checked for the flock
> > permission, the cache check fails and falls through to no error instead
> > of auditing and returning an error.
> >
> > Fix the fall through to do a permission check, so it will audit the
> > failed flock permission check.
> >
> > BugLink: http://bugs.launchpad.net/bugs/1838090
> > BugLink: http://bugs.launchpad.net/bugs/1658219
> > Signed-off-by: John Johansen <john.johansen at canonical.com>
> > ---
> > security/apparmor/file.c | 13 +++++++++----
> > 1 file changed, 9 insertions(+), 4 deletions(-)
> >
> > diff --git a/security/apparmor/file.c b/security/apparmor/file.c
> > index 69eed1c3e0d0..646d3effd0f9 100644
> > --- a/security/apparmor/file.c
> > +++ b/security/apparmor/file.c
> > @@ -536,18 +536,23 @@ static int __file_path_perm(const char *op, struct aa_label *label,
> > error = fn_for_each_not_in_set(flabel, label, profile,
> > profile_path_perm(op, profile, &file->f_path, buffer,
> > request, &cond, flags, &perms));
> > - if (denied) {
> > + if (denied && !error) {
> > /* check every profile in file label that was not tested
> > * in the initial check above.
> > */
> > /* TODO: cache full perms so this only happens because of
> > * conditionals */
> > /* TODO: don't audit here */
> > - last_error(error,
> > - fn_for_each_not_in_set(label, flabel, profile,
> > + if (label == flabel)
> > + error = fn_for_each(label, profile,
> > + profile_path_perm(op, profile, &file->f_path,
> > + buffer, request, &cond, flags,
> > + &perms));
> > + else
> > + error = fn_for_each_not_in_set(label, flabel, profile,
> > profile_path_perm(op, profile, &file->f_path,
> > buffer, request, &cond, flags,
> > - &perms)));
> > + &perms));
> > }
> > if (!error)
> > update_file_ctx(file_ctx(file), label, request);
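Review bot: the new `if (label == flabel)` branch turns the fall-through from a no-op into a full re-check of every profile in `label` via `fn_for_each`, so any request bit the cached permissions did not cover is now denied and audited where it previously succeeded silently; that is the behaviour change behind the network-manager snap regression reported at the top of this thread, and the SRU justification should say which requests (flock here) become newly enforced on cached files. The `/* TODO: don't audit here */` comment directly above the new code is now stale, since the replacement path audits on purpose; update or drop it. Replacing `last_error(error, ...)` with a plain `error = ...` is only safe because the guard was tightened to `if (denied && !error)`, so the two changes should be kept together if this is ever partially reverted.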
> > --
> > 2.17.1
> >
> >
> > --
> > kernel-team mailing list
> > kernel-team at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team