On 10/24/2017 02:32 AM, Paul Menzel wrote:
> I’d really like to try the Linux kernel fix. Can I get it from
> somewhere?
>
commit 8baea25455c08173713fdbceac99309192518ffb
Author: John Johansen <email address hidden>
Date: Mon Oct 23 08:51:24 2017 -0700
apparmor: fix regression in network mediation when using feature pinning
When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
or earlier pinned feature set, there is a regression in network
mediation where policy is not being correctly enforced, because the
compilation is completely dropping the af mediation table as expected
by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
This results in network denials that cannot be fixed by policy.
Fixes: 651e28c5537a ("apparmor: add base infastructure for socket mediation")
Signed-off-by: John Johansen <email address hidden>
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 5a2aec358322..e348f8dec45d 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -755,6 +755,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
}
if (!unpack_nameX(e, AA_ARRAYEND, NULL))
goto fail;
+ } else {
+ /* support policy pre AF socket mediation */
+ for (i = 0; i < AF_MAX; i++)
+ profile->net.allow[i] = 0xffff;
}
if (VERSION_LT(e->version, v7)) {
/* pre v7 policy always allowed these */
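Review bot: the new `else` branch turns an absent AF mediation table into an unconditional allow-all (`profile->net.allow[i] = 0xffff` for every family up to `AF_MAX`), and nothing in the hunk ties that fallback to the pinned pre-4.14 feature set the commit message describes; please confirm the enclosing `if` is the one that tests for the presence of the net table, and state in the comment that a missing table is deliberately treated as unrestricted so the relaxation is obvious to later readers. The bare `0xffff` should also be a named mask constant next to the other net bitmasks rather than a magic value, e.g. `profile->net.allow[i] = AA_NET_ALLOW_ALL_MASK;` (name is a suggestion, not an existing identifier).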