[SRU][N][PATCH 0/2] Backport some AppArmor complain-mode profile bugfixes from Oracular to Noble

Ryan Lee ryan.lee at canonical.com
Tue Nov 5 16:36:35 UTC 2024


Hi Stefan,

The first time I sent the patches in, they did not show up on the
kernel-team mailing list archives. I was advised in-person at the
latest Engineering Sprint that my email probably ended up in a waiting
list (because I was not subscribed to the kernel-team mailing list the
first time I sent the patches) and that I should resend them after
subscribing to the list. It appears though that both emails made it
through, so this should be treated as a single submission.

Thanks,

Ryan

On Tue, Nov 5, 2024 at 8:28 AM Stefan Bader <stefan.bader at canonical.com> wrote:
>
> On 01.11.24 09:58, Ryan Lee wrote:
> > BugLink: https://bugs.launchpad.net/bugs/2086210
> >
> > SRU Justification:
> >
> > [Impact]
> >
> > Backporting two AppArmor bugfixes (2de989ae726b "apparmor: allocate xmatch for nullpdf inside aa_alloc_null" and 62bd5d5f2149 "apparmor: properly handle cx/px lookup failure for complain") from the Ubuntu Oracular kernel will fix incorrect behavior that occurs with the usage of some complain mode profiles (a kernel oops and an actual denial occurring in complain mode, respectively).
> >
> > [Fix]
> >
> > Apply the two patches 2de989ae726b and 62bd5d5f2149 from the Ubuntu Oracular kernel, previously applied to the Oracular kernel via LP #2028253 as #94/99 and #95/99 in the series.
> >
> > [Test case]
> >
> > Patch 62bd5d5f2149 can be tested by loading the following profile into the kernel:
> >
> > abi <abi/4.0>,
> > include <tunables/global>
> >
> > profile ls_child flags=(complain) {
> >    include <abstractions/base>
> >
> >    /dev/tty rw,
> >    /usr/bin/ls cxr,
> > }
> >
> > and exercising the profile's nonexistent transition with `aa-exec -p ls_child sh -c ls`. With the patch applied, the ls command will succeed instead of failing.
> >
> > Patch 2de989ae726b is much harder to test, unfortunately. The reproducer I have is (deterministically) finicky but goes through a Docker indirection layer, although at least one other person has encountered the same kernel oops without using Docker. I have attached the files needed to construct a reproducer to the LP bug report.
> >
> > With the patch applied, the run_reproducer.sh script will succeed instead of generating a kernel oops.
> >
> > [Regression potential]
> >
> > This patch set fixes bugs in the handling of complain mode profiles, and both patches are very small. A bug caused by patch 2de989ae726b would cause, at most, a memory leak by preventing deallocation of a reference-counted profile object. A bug introduced by patch 62bd5d5f2149 would show up in the handling of complain mode profiles and would not affect enforcement of enforce mode profiles.
> >
> > [Other Info]
> >
> > This patchset backports some patches from https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2028253 which were applied to Oracular but not to Noble.
> >
> > Ryan Lee (2):
> >    UBUNTU: SAUCE: apparmor4.0.0 [94/99]: apparmor: allocate xmatch for
> >      nullpdf inside aa_alloc_null
> >    UBUNTU: SAUCE: apparmor4.0.0 [95/99]: apparmor: properly handle cx/px
> >      lookup failure for complain
> >
> >   security/apparmor/domain.c | 9 +++++++--
> >   security/apparmor/policy.c | 1 +
> >   2 files changed, 8 insertions(+), 2 deletions(-)
> >
>
> There seem to be 2 submissions with the exact same title and patches.
> Could you clarify? Thanks
> --
> - Stefan
>


