apparmor/kernel-patches/v4.11/0002-apparmor-Fix-quieting-of-audit-messages-for-network-.patch

From b866a43c2897f5469c9d787426144074a3713f6a Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Fri, 29 Jun 2012 17:34:00 -0700
Subject: [PATCH 2/3] apparmor: Fix quieting of audit messages for network
 mediation

If a profile specified a quieting of network denials for a given rule by
either the quiet or deny rule qualifiers, the resultant quiet mask for
denied requests was applied incorrectly, resulting in two potential bugs.
1. The misapplied quiet mask would prevent denials from being correctly
   tested against the kill mask/mode. Thus network access requests that
   should have resulted in the application being killed did not.

2. The actual quieting of the denied network request was not being applied.
   This would result in network rejections always being logged even when
   they had been specifically marked as quieted.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/net.c b/security/apparmor/net.c
index b9c8cd0e882e..5ba19ad1d65c 100644
--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
@@ -74,7 +74,7 @@ static int audit_net(struct aa_profile *profile, const char *op, u16 family,
 	} else {
 		u16 quiet_mask = profile->net.quiet[sa.u.net->family];
 		u16 kill_mask = 0;
-		u16 denied = (1 << aad(&sa)->net.type) & ~quiet_mask;
+		u16 denied = (1 << aad(&sa)->net.type);
 
 		if (denied & kill_mask)
 			audit_type = AUDIT_APPARMOR_KILL;
-- 
2.11.0
Add v4.8 and v4.11 kernel patches Signed-off-by: John Johansen <john.johansen@canonical.com> 2017-06-24 14:09:56 -07:00			`From b866a43c2897f5469c9d787426144074a3713f6a Mon Sep 17 00:00:00 2001`
			`From: John Johansen <john.johansen@canonical.com>`
			`Date: Fri, 29 Jun 2012 17:34:00 -0700`
			`Subject: [PATCH 2/3] apparmor: Fix quieting of audit messages for network`
			`mediation`

			`If a profile specified a quieting of network denials for a given rule by`
			`either the quiet or deny rule qualifiers, the resultant quiet mask for`
			`denied requests was applied incorrectly, resulting in two potential bugs.`
			`1. The misapplied quiet mask would prevent denials from being correctly`
			`tested against the kill mask/mode. Thus network access requests that`
			`should have resulted in the application being killed did not.`

			`2. The actual quieting of the denied network request was not being applied.`
			`This would result in network rejections always being logged even when`
			`they had been specifically marked as quieted.`

			`Signed-off-by: John Johansen <john.johansen@canonical.com>`
			`---`
			`security/apparmor/net.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/security/apparmor/net.c b/security/apparmor/net.c`
			`index b9c8cd0e882e..5ba19ad1d65c 100644`
			`--- a/security/apparmor/net.c`
			`+++ b/security/apparmor/net.c`
			`@@ -74,7 +74,7 @@ static int audit_net(struct aa_profile profile, const char op, u16 family,`
			`} else {`
			`u16 quiet_mask = profile->net.quiet[sa.u.net->family];`
			`u16 kill_mask = 0;`
			`- u16 denied = (1 << aad(&sa)->net.type) & ~quiet_mask;`
			`+ u16 denied = (1 << aad(&sa)->net.type);`

			`if (denied & kill_mask)`
			`audit_type = AUDIT_APPARMOR_KILL;`
			`--`
			`2.11.0`