Comment 29 for bug 1721278

John Johansen (jjohansen) wrote : Re: [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later

On 10/24/2017 02:32 AM, Paul Menzel wrote:
> I’d really like to try the Linux kernel fix. Can I get it from
> somewhere?
>
commit 8baea25455c08173713fdbceac99309192518ffb
Author: John Johansen <email address hidden>
Date: Mon Oct 23 08:51:24 2017 -0700

    apparmor: fix regression in network mediation when using feature pinning

    When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
    or earlier pinned feature set, there is a regression in network
    mediation where policy is not being correctly enforced, because the
    compilation is completely dropping the af mediation table as expected
    by pre 4.14 kernels but the 4.14 kernel is not accounting for this.

    Resulting in network denials that can not be fixed by policy.

    Fixes: 651e28c5537a ("apparmor: add base infastructure for socket mediation")
    Signed-off-by: John Johansen <email address hidden>

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 5a2aec358322..e348f8dec45d 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -755,6 +755,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
   }
   if (!unpack_nameX(e, AA_ARRAYEND, NULL))
    goto fail;
+ } else {
+ /* support policy pre AF socket mediation */
+ for (i = 0; i < AF_MAX; i++)
+ profile->net.allow[i] = 0xffff;
  }
  if (VERSION_LT(e->version, v7)) {
   /* pre v7 policy always allowed these */
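Review bot: The new `} else {` branch makes a policy blob that carries no AF table permit every address family (`profile->net.allow[i] = 0xffff` for all `i < AF_MAX`), which is the pre-4.14 semantics the commit message describes, but the one-line comment `/* support policy pre AF socket mediation */` does not say that; state in the comment that a pinned 4.13-or-earlier feature set is treated as allow-all for socket families, so a later reader does not take this for a default-deny path. Prefer a named constant over the bare `0xffff` mask, and confirm that `i` is already declared in `unpack_profile()`, since the hunk does not introduce it.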