From 547708bc999943a203b65df983b41b7a4b136f99 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 1 Feb 2018 09:43:37 +0100
Subject: [PATCH] Update base network mediation patch with missing feature pinning fixup
apparmor: fix regression in network mediation when using feature pinning
When the 4.14-rc6 and earlier kernels are used with an upstream 4.13 or earlier pinned feature set, there is a regression in network mediation where policy is not being correctly enforced, because the compilation is completely dropping the af mediation table as expected by pre 4.14 kernels but the 4.14 kernel is not accounting for this. Resulting in network denials that can not be fixed by policy.
Signed-off-by: John Johansen
---
 ...d-base-infastructure-for-socket-mediation.patch | 14 +++++++++-----
 .../v4.14/0002-apparmor-af_unix-mediation.patch | 2 +-
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/kernel-patches/v4.14/0001-apparmor-add-base-infastructure-for-socket-mediation.patch b/kernel-patches/v4.14/0001-apparmor-add-base-infastructure-for-socket-mediation.patch
index ef2b15d54..e11fe8f9f 100644
--- a/kernel-patches/v4.14/0001-apparmor-add-base-infastructure-for-socket-mediation.patch
+++ b/kernel-patches/v4.14/0001-apparmor-add-base-infastructure-for-socket-mediation.patch
@@ -1,4 +1,4 @@
-From 3de9004cf346b3f79065f51b9ecbd03bae92cb42 Mon Sep 17 00:00:00 2001
+From f34488a615da4b0dd68f697587f1cf13e4535e5d Mon Sep 17 00:00:00 2001
 From: John Johansen
 Date: Tue, 18 Jul 2017 23:18:33 -0700
 Subject: [PATCH 1/2] apparmor: add base infastructure for socket mediation
@@ -44,8 +44,8 @@ Acked-by: Seth Arnold
 security/apparmor/lib.c | 5 +-
 security/apparmor/lsm.c | 387 +++++++++++++++++++++++++++++++++++++
 security/apparmor/net.c | 184 ++++++++++++++++++
- security/apparmor/policy_unpack.c | 47 ++++-
- 12 files changed, 840 insertions(+), 16 deletions(-)
+ security/apparmor/policy_unpack.c | 51 ++++-
+ 12 files changed, 844 insertions(+), 16 deletions(-)
 create mode 100644 security/apparmor/include/net.h
 create mode 100644 security/apparmor/net.c
@@ -1046,7 +1046,7 @@ index 000000000000..33d54435f8d6
 + return aa_label_sk_perm(label, op, request, sock->sk);
 +}
 diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
-index 4ede87c30f8b..5a2aec358322 100644
+index 4ede87c30f8b..e348f8dec45d 100644
 --- a/security/apparmor/policy_unpack.c
 +++ b/security/apparmor/policy_unpack.c
 @@ -275,6 +275,19 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
@@ -1078,7 +1078,7 @@ index 4ede87c30f8b..5a2aec358322 100644
 struct rhashtable_params params = { 0 };
 char *key = NULL;
 struct aa_data *data;
-@@ -717,6 +730,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
+@@ -717,6 +730,42 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 goto fail;
 }
@@ -1107,6 +1107,10 @@ index 4ede87c30f8b..5a2aec358322 100644
 + }
 + if (!unpack_nameX(e, AA_ARRAYEND, NULL))
 + goto fail;
++ } else {
++ /* support policy pre AF socket mediation */
++ for (i = 0; i < AF_MAX; i++)
++ profile->net.allow[i] = 0xffff;
 + }
 + if (VERSION_LT(e->version, v7)) {
 + /* pre v7 policy always allowed these */
diff --git a/kernel-patches/v4.14/0002-apparmor-af_unix-mediation.patch b/kernel-patches/v4.14/0002-apparmor-af_unix-mediation.patch
index 36dccc33c..18ea9119d 100644
--- a/kernel-patches/v4.14/0002-apparmor-af_unix-mediation.patch
+++ b/kernel-patches/v4.14/0002-apparmor-af_unix-mediation.patch
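Review bot: The new `else` branch in unpack_profile grants every socket permission for every address family (`profile->net.allow[i] = 0xffff`) whenever the policy blob carries no af table, so a policy that omits the table fails open rather than closed. The `if` this `else` pairs with is outside the hunk, so it is not visible whether the branch is reached only by feature-pinned pre-4.14 policy or by any blob lacking the table; the one-line comment should say which, e.g. `/* no af table: policy was compiled for a pre-4.14 feature set with no af mediation, so allow all rather than deny all */`. I would also replace the magic `0xffff` with a named all-permissions mask so its width stays tied to the element type of `allow[]`. If `profile->net` also has audit/quiet arrays (not shown here), confirm they are left consistent with this allow-all default. unpack_profile starts and ends outside this hunk.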
@@ -1,4 +1,4 @@
-From 9ef395833a0783ac47bb72a6283ebe3e83735128 Mon Sep 17 00:00:00 2001
+From 2e7f6d0dc0f1d3642950f529b451af73fa1baf9c Mon Sep 17 00:00:00 2001
 From: John Johansen
 Date: Tue, 18 Jul 2017 23:27:23 -0700
 Subject: [PATCH 2/2] apparmor: af_unix mediation