Update base network mediation patch with missing feature pinning fixup

apparmor: fix regression in network mediation when using feature pinning When the 4.14-rc6 and earlier kernels are used with an upstream 4.13 or earlier pinned feature set, there is a regression in network mediation where policy is not being correctly enforced, because the compilation is completely dropping the af mediation table as expected by pre 4.14 kernels but the 4.14 kernel is not accounting for this. Resulting in network denials that can not be fixed by policy. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-03-04 00:14:44 +01:00 · 2018-02-01 09:43:37 +01:00 · 2018-02-01 09:43:37 +01:00 · 547708bc99
commit 547708bc99
parent 8f6d94bf44
2 changed files with 10 additions and 6 deletions
--- a/kernel-patches/v4.14/0001-apparmor-add-base-infastructure-for-socket-mediation.patch
+++ b/kernel-patches/v4.14/0001-apparmor-add-base-infastructure-for-socket-mediation.patch
@ -1,4 +1,4 @@
-From 3de9004cf346b3f79065f51b9ecbd03bae92cb42 Mon Sep 17 00:00:00 2001
+From f34488a615da4b0dd68f697587f1cf13e4535e5d Mon Sep 17 00:00:00 2001
 From: John Johansen <john.johansen@canonical.com>
 Date: Tue, 18 Jul 2017 23:18:33 -0700
 Subject: [PATCH 1/2] apparmor: add base infastructure for socket mediation
@ -44,8 +44,8 @@ Acked-by: Seth Arnold <seth.arnold@canonical.com>
 security/apparmor/lib.c            |   5 +-
 security/apparmor/lsm.c            | 387 +++++++++++++++++++++++++++++++++++++
 security/apparmor/net.c            | 184 ++++++++++++++++++
- security/apparmor/policy_unpack.c  |  47 ++++-
+ security/apparmor/policy_unpack.c  |  51 ++++-
- 12 files changed, 840 insertions(+), 16 deletions(-)
+ 12 files changed, 844 insertions(+), 16 deletions(-)
 create mode 100644 security/apparmor/include/net.h
 create mode 100644 security/apparmor/net.c
@ -1046,7 +1046,7 @@ index 000000000000..33d54435f8d6
 +	return aa_label_sk_perm(label, op, request, sock->sk);
 +}
 diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
-index 4ede87c30f8b..5a2aec358322 100644
+index 4ede87c30f8b..e348f8dec45d 100644
 --- a/security/apparmor/policy_unpack.c
 +++ b/security/apparmor/policy_unpack.c
@@ -275,6 +275,19 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
@ -1078,7 +1078,7 @@ index 4ede87c30f8b..5a2aec358322 100644
 	struct rhashtable_params params = { 0 };
 	char *key = NULL;
 	struct aa_data *data;
-@@ -717,6 +730,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
+@@ -717,6 +730,42 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 		goto fail;
 	}
@ -1107,6 +1107,10 @@ index 4ede87c30f8b..5a2aec358322 100644
 +		}
 +		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
 +			goto fail;
 +	} else {
 +		/* support policy pre AF socket mediation */
 +		for (i = 0; i < AF_MAX; i++)
 +			profile->net.allow[i] = 0xffff;
 +	}
 +	if (VERSION_LT(e->version, v7)) {
 +		/* pre v7 policy always allowed these */
--- a/kernel-patches/v4.14/0002-apparmor-af_unix-mediation.patch
+++ b/kernel-patches/v4.14/0002-apparmor-af_unix-mediation.patch
@ -1,4 +1,4 @@
-From 9ef395833a0783ac47bb72a6283ebe3e83735128 Mon Sep 17 00:00:00 2001
+From 2e7f6d0dc0f1d3642950f529b451af73fa1baf9c Mon Sep 17 00:00:00 2001
 From: John Johansen <john.johansen@canonical.com>
 Date: Tue, 18 Jul 2017 23:27:23 -0700
 Subject: [PATCH 2/2] apparmor: af_unix mediation