Comment 30 for bug 1721278
Revision history for this message
| Paul Menzel (paulmenzel) wrote Re: [Bug 1721278] Re: apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later | #30 |
Dear John,
On 10/24/17 12:55, John Johansen wrote:
> On 10/24/2017 02:32 AM, Paul Menzel wrote:
>> I’d really like to try the Linux kernel fix. Can a get it from
>> somewhere?
>>
> commit 8baea25455c0817
> Author: John Johansen <email address hidden>
> Date: Mon Oct 23 08:51:24 2017 -0700
>
> apparmor: fix regression in network mediation when using feature pinning
>
> When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
> or earlier pinned feature set, there is a regression in network
> mediation where policy is not being correctly enforced, because the
> compilation is completely dropping the af mediation table as expected
> by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
>
> Resulting in network denials that can not be fixed by policy.
>
> Fixes: 651e28c5537a ("apparmor: add base infastructure for socket mediation")
> Signed-off-by: John Johansen <email address hidden>
>
> diff --git a/security/
> index 5a2aec358322.
> --- a/security/
> +++ b/security/
> @@ -755,6 +755,10 @@ static struct aa_profile *unpack_
> }
> if (!unpack_nameX(e, AA_ARRAYEND, NULL))
> goto fail;
> + } else {
> + /* support policy pre AF socket mediation */
> + for (i = 0; i < AF_MAX; i++)
> + profile-
> }
> if (VERSION_
> /* pre v7 policy always allowed these */
Thank you. Can I pull it from a tree? Trying [1], I am asked for
credentials.
```
$ git remote add ubuntu
https:/
$ git fetch ubuntu
Username for 'https:/
```
Kind regards,
Paul
[1]
https:/