[SRU][N][Patch 1/1] UBUNTU: SAUCE: fix: apparmor4.0.0 [26/90]: LSM stacking v39: Audit: Add record for multiple object contexts
John Johansen
john.johansen at canonical.com
Mon Oct 6 14:11:43 UTC 2025
BugLink: https://bugs.launchpad.net/bugs/2123815
no-up. This is a patch to the LSM Stacking series that is carried as
part of the AppArmor sauce series and is not currently upstream.
The patch is a backport of a fix made in the LSM development branch in
commit 5ba569134855 Audit: Add record for multiple object contexts
And carried in the Oracular 6.14 kernel as
commit 28b69ac0e2fc ("UBUNTU: SAUCE: apparmor4.0.0 [25/99]: Audit: Add record for multiple object contexts")
This applies the fix for the buggy patches
Noble commit dac9a8cf860b UBUNTU: SAUCE: apparmor4.0.0 [26/90]: LSM stacking v39: Audit: Add record for multiple object contexts
which incorrectly check the return value of the function
security_secid_to_secctx(). The function security_secid_to_secctx()
returns the length of the secctx data on success and an error on failure.
Only checking for
if (error) {
will result in successful conversions being treated as an error
resulting in
error in audit_log_object_context
being printed to the console for any audit rule causing an audit event
referencing an object context. Furthermore, if the audit subsystem is
configured to panic on error, any audit rule causing said audit log
event will cause the kernel to panic.
(backported from commit 5ba569134855 https://github.com/cschaufler/lsm-stacking)
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
kernel/audit.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 75ef27b47560..04fc00361e2b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2315,7 +2315,7 @@ void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob)
if (lsm_blob_cnt < 2) {
error = security_lsmblob_to_secctx(blob, &context,
LSM_ID_UNDEF);
- if (error) {
+ if (error < 0) {
if (error != -EINVAL)
goto error_path;
return;
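Review bot: the change to `if (error < 0)` is the right correction given that security_lsmblob_to_secctx() returns a length on success, but the variable is still called `error` while the success path now falls through with a positive length in it; a one-line comment above the check (or renaming the variable to something like `len` or `rc`) would stop the next reader from "simplifying" it back to `if (error)`, which is exactly the bug this patch fixes. The retained special case, where `-EINVAL` returns quietly instead of taking `goto error_path`, is also undocumented in the hunk; a short comment on why EINVAL is tolerated here would make the intent clear.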
@@ -2334,7 +2334,7 @@ void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob)
continue;
error = security_lsmblob_to_secctx(blob, &context,
lsm_idlist[i]->id);
- if (error) {
+ if (error < 0) {
audit_log_format(ab, "%sobj_%s=?",
space ? " " : "", lsm_idlist[i]->name);
if (error != -EINVAL)
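Review bot: same `error < 0` correction as in the first hunk, applied inside the per-LSM loop; note that on `error < 0` the code emits the `obj_<name>=?` placeholder field before deciding whether a non-EINVAL failure should leave the loop, so a genuine failure still writes a field into the record before the error path runs. The hunk ends at `if (error != -EINVAL)`, so the branch target is not visible here; it is worth confirming it matches the first hunk's `goto error_path` and that a positive return (the context length) now continues into the logging of the context rather than being treated as a failure.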
--
2.48.1
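The commit message describes a return-value convention mismatch: security_lsmblob_to_secctx() returns a length on success and a negative errno on failure, so `if (error)` misclassifies every non-empty context as an error. The following is an added, self-contained C illustration of that failure mode (it is not kernel code and not part of the patch): `mock_lsmblob_to_secctx()` is a constructed stand-in that follows the same convention, and `audit_log_buggy()` / `audit_log_fixed()` reproduce the check before and after the patch so the difference can be observed on sample inputs.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for security_lsmblob_to_secctx(): copies the
 * label into the caller's buffer and returns its length on success,
 * or a negative errno on failure. Not the kernel function. */
static int mock_lsmblob_to_secctx(const char *label, char *out, size_t outlen)
{
    if (label == NULL)
        return -EINVAL;            /* no context available for this blob */
    size_t n = strlen(label);
    if (n + 1 > outlen)
        return -ERANGE;            /* constructed failure: buffer too small */
    memcpy(out, label, n + 1);
    return (int)n;                 /* positive length signals success */
}

/* What each caller decided to do with the converted context. */
enum outcome {
    LOGGED = 0,         /* context was treated as valid and would be logged */
    SKIPPED_EINVAL = 1, /* -EINVAL: quietly skip, matching the patch's special case */
    ERROR_PATH = 2      /* any other non-success: "error in audit_log_object_context" */
};

/* The check as it was before the patch: any non-zero return is a failure. */
enum outcome audit_log_buggy(const char *label)
{
    char ctx[64];
    int error = mock_lsmblob_to_secctx(label, ctx, sizeof ctx);
    if (error) {                   /* BUG: a positive length lands here too */
        if (error != -EINVAL)
            return ERROR_PATH;
        return SKIPPED_EINVAL;
    }
    return LOGGED;
}

/* The check as the patch rewrites it: only negative returns are failures. */
enum outcome audit_log_fixed(const char *label)
{
    char ctx[64];
    int error = mock_lsmblob_to_secctx(label, ctx, sizeof ctx);
    if (error < 0) {
        if (error != -EINVAL)
            return ERROR_PATH;
        return SKIPPED_EINVAL;
    }
    return LOGGED;
}

static const char *name(enum outcome o)
{
    return o == LOGGED ? "LOGGED" : o == SKIPPED_EINVAL ? "SKIPPED_EINVAL" : "ERROR_PATH";
}

int main(void)
{
    /* Constructed sample labels: a normal context, an empty one, a missing one,
     * and one too long for the 64-byte buffer. */
    const char *samples[] = { "unconfined", "", NULL,
        "a-context-string-that-is-deliberately-longer-than-sixty-four-bytes-total" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *l = samples[i] ? samples[i] : "(NULL)";
        printf("%-75s buggy=%-15s fixed=%s\n", l,
               name(audit_log_buggy(samples[i])), name(audit_log_fixed(samples[i])));
    }
    return 0;
}
```

Running it shows the symptom from the commit message: the buggy check sends the ordinary "unconfined" context down the error path (which is the console message, and a panic when audit is configured to panic on error), while the fixed check logs it; the two agree only on the empty, missing and oversized cases.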