From 1cf26c3d2c4c2098e39a9905174d7842b531e693 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Sat, 7 May 2022 01:58:36 -0700
Subject: [PATCH] apparmor: fix apparmor mediating locking non-fs unix sockets

the v8 and earlier policy does not encode the locking permission for no-fs unix sockets. However the kernel is enforcing mediation. Add the AA_MAY_LOCK perm to v8 and earlier computed perm mask which will grant permission for all current abi profiles, but still allow specifying auditing of the operation if needed.

Link: http://bugs.launchpad.net/bugs/1780227
Signed-off-by: John Johansen
---
 security/apparmor/policy_unpack.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 0203e43..2406c5c 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -31,6 +31,7 @@
 #define K_ABI_MASK 0x3ff
 #define FORCE_COMPLAIN_FLAG 0x800
 #define VERSION_LT(X, Y) (((X) & K_ABI_MASK) < ((Y) & K_ABI_MASK))
+#define VERSION_LE(X, Y) (((X) & K_ABI_MASK) <= ((Y) & K_ABI_MASK))
 #define VERSION_GT(X, Y) (((X) & K_ABI_MASK) > ((Y) & K_ABI_MASK))
 #define v5 5 /* base version */
@@ -796,7 +797,8 @@ static u32 map_other(u32 x)
 }
 static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
- aa_state_t state)
+ aa_state_t state,
+ u32 version)
 {
 struct aa_perms perms = { };
@@ -809,13 +811,15 @@ static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
 */
 perms.allow |= map_other(dfa_other_allow(dfa, state));
+ if (VERSION_LE(version, v8))
+ perms.allow |= AA_MAY_LOCK;
 perms.audit |= map_other(dfa_other_audit(dfa, state));
 perms.quiet |= map_other(dfa_other_quiet(dfa, state));
 return perms;
 }
-static struct aa_perms *compute_perms(struct aa_dfa *dfa)
+static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version)
 {
 unsigned int state;
 unsigned int state_count;
@@ -831,7 +835,7 @@ static struct aa_perms *compute_perms(struct aa_dfa *dfa)
 /* zero init so skip the trap state (state == 0) */
 for (state = 1; state < state_count; state++)
- table[state] = compute_perms_entry(dfa, state);
+ table[state] = compute_perms_entry(dfa, state, version);
 return table;
 }
@@ -1055,7 +1059,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 }
 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
 goto fail;
- profile->policy.perms = compute_perms(profile->policy.dfa);
+ profile->policy.perms = compute_perms(profile->policy.dfa,
+ e->version);
 if (!profile->policy.perms) {
 info = "failed to remap policydb permission table";
 goto fail;
-- 
2.7.4
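Review bot: The new `if (VERSION_LE(version, v8)) perms.allow |= AA_MAY_LOCK;` in compute_perms_entry carries no comment, so the reason a v8-or-earlier policy is granted the lock permission lives only in the commit message; the comment block whose closing `*/` is this hunk's first context line is the natural place to record it. I would add a line there such as `* v8 and earlier: policy cannot encode the lock perm for non-fs unix sockets, so AA_MAY_LOCK is granted by default (audit/quiet still come from the dfa)` and document the new `version` parameter in the function's header (the signature change is in the preceding hunk). Because compute_perms calls this for every non-trap state (the `for (state = 1; ...)` loop in the later hunk), the bit is added unconditionally rather than only where the dfa already allows something, which the comment should state explicitly; whether the same table is consulted for mediation classes other than unix sockets I cannot tell from this hunk, so that is worth confirming before relying on the bit being harmless elsewhere. compute_perms_entry begins in the preceding hunk and its comment block starts outside this one.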