Update base network mediation patch with missing feature pinning fixup

apparmor: fix regression in network mediation when using feature pinning When the 4.14-rc6 and earlier kernels are used with an upstream 4.13 or earlier pinned feature set, there is a regression in network mediation where policy is not being correctly enforced, because the compilation is completely dropping the af mediation table as expected by pre 4.14 kernels but the 4.14 kernel is not accounting for this. Resulting in network denials that can not be fixed by policy. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-03-04 00:14:44 +01:00 · 2018-02-01 09:39:19 +01:00 · 2018-02-01 09:39:19 +01:00 · 8f6d94bf44
commit 8f6d94bf44
parent 0b93a7f991
2 changed files with 10 additions and 6 deletions
--- a/kernel-patches/v4.15/0001-apparmor-add-base-infastructure-for-socket-mediation.patch
+++ b/kernel-patches/v4.15/0001-apparmor-add-base-infastructure-for-socket-mediation.patch
@ -1,4 +1,4 @@
-From 27d9aac1346ff7feb6a49bfb33510c2d79a41da7 Mon Sep 17 00:00:00 2001
+From ae291c63ebb649f8af0bd491ea44e48b5c55526c Mon Sep 17 00:00:00 2001
 From: John Johansen <john.johansen@canonical.com>
 Date: Tue, 18 Jul 2017 23:18:33 -0700
 Subject: [PATCH 1/2] apparmor: add base infastructure for socket mediation
@ -44,8 +44,8 @@ Acked-by: Seth Arnold <seth.arnold@canonical.com>
 security/apparmor/lib.c            |   5 +-
 security/apparmor/lsm.c            | 387 +++++++++++++++++++++++++++++++++++++
 security/apparmor/net.c            | 184 ++++++++++++++++++
- security/apparmor/policy_unpack.c  |  47 ++++-
+ security/apparmor/policy_unpack.c  |  51 ++++-
- 12 files changed, 834 insertions(+), 12 deletions(-)
+ 12 files changed, 838 insertions(+), 12 deletions(-)
 create mode 100644 security/apparmor/include/net.h
 create mode 100644 security/apparmor/net.c
@ -1040,7 +1040,7 @@ index 000000000000..33d54435f8d6
 +	return aa_label_sk_perm(label, op, request, sock->sk);
 +}
 diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
-index 59a1a25b7d43..68b168e8f499 100644
+index 59a1a25b7d43..769d2c55bdae 100644
 --- a/security/apparmor/policy_unpack.c
 +++ b/security/apparmor/policy_unpack.c
@@ -275,6 +275,19 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
@ -1072,7 +1072,7 @@ index 59a1a25b7d43..68b168e8f499 100644
 	struct rhashtable_params params = { 0 };
 	char *key = NULL;
 	struct aa_data *data;
-@@ -717,6 +730,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
+@@ -717,6 +730,42 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 		goto fail;
 	}
@ -1101,6 +1101,10 @@ index 59a1a25b7d43..68b168e8f499 100644
 +		}
 +		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
 +			goto fail;
 +	} else {
 +		/* support policy pre AF socket mediation */
 +		for (i = 0; i < AF_MAX; i++)
 +			profile->net.allow[i] = 0xffff;
 +	}
 +	if (VERSION_LT(e->version, v7)) {
 +		/* pre v7 policy always allowed these */
--- a/kernel-patches/v4.15/0002-apparmor-af_unix-mediation.patch
+++ b/kernel-patches/v4.15/0002-apparmor-af_unix-mediation.patch
@ -1,4 +1,4 @@
-From 8f0a917911fe19f9911d972fe85c43243f7eaa37 Mon Sep 17 00:00:00 2001
+From a3a1dea7d72da33f004f4c5c2e9de91f3311d336 Mon Sep 17 00:00:00 2001
 From: John Johansen <john.johansen@canonical.com>
 Date: Tue, 18 Jul 2017 23:27:23 -0700
 Subject: [PATCH 2/2] apparmor: af_unix mediation