Dear John,

On 10/24/17 12:55, John Johansen wrote:
> On 10/24/2017 02:32 AM, Paul Menzel wrote:
>> I’d really like to try the Linux kernel fix. Can I get it from
>> somewhere?
>>
> commit 8baea25455c08173713fdbceac99309192518ffb
> Author: John Johansen <email address hidden>
> Date: Mon Oct 23 08:51:24 2017 -0700
>
> apparmor: fix regression in network mediation when using feature pinning
>
> When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
> or earlier pinned feature set, there is a regression in network
> mediation where policy is not being correctly enforced, because the
> compilation is completely dropping the af mediation table as expected
> by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
>
> Resulting in network denials that can not be fixed by policy.
>
> Fixes: 651e28c5537a ("apparmor: add base infastructure for socket mediation")
> Signed-off-by: John Johansen <email address hidden>
>
> diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
> index 5a2aec358322..e348f8dec45d 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -755,6 +755,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
> }
> if (!unpack_nameX(e, AA_ARRAYEND, NULL))
> goto fail;
> + } else {
> + /* support policy pre AF socket mediation */
> + for (i = 0; i < AF_MAX; i++)
> + profile->net.allow[i] = 0xffff;
> }
> if (VERSION_LT(e->version, v7)) {
> /* pre v7 policy always allowed these */
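Review bot: the `0xffff` written into every `profile->net.allow[i]` entry in the new `else` branch is explained only by the comment "support policy pre AF socket mediation"; a named mask, or a comment stating that it permits every socket type for the family (the behaviour pre-4.14 kernels had when no af table was present), would make the intent reviewable. The loop also relies on `i` already being declared in `unpack_profile()`, which the hunk context does not show; worth confirming it is the same index used by the table-unpacking loop above.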
Thank you. Can I pull it from a tree? Trying [1], I am asked for
credentials.
```
$ git remote add ubuntu https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source
$ git fetch ubuntu
Username for 'https://git.launchpad.net':
```
Kind regards,
Paul
[1] https://code.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/saucy/+ref/mako