Hi James,
This is a fix for a policy replacement bug that is fairly serious for
apache mod_apparmor users, as it results in the wrong policy being
applied on an network facing service.
can you please pull and pushup for 4.9
It has been rebased against current 4.9, you can either grab the patch
included below or do a pull from
The following changes since commit 623898671c8eb05639e746e6d84cffa281616438:
Merge branch 'for-linus' of git://git.kernel.dk/linux-block (2016-11-17 13:59:39 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor fix-change_hat
for you to fetch changes up to 4bc60a7f780acb6eb5b71360ab04e29ecd282bda:
apparmor: fix change_hat not finding hat after policy replacement (2016-11-18 07:07:10 -0800)
----------------------------------------------------------------
John Johansen (1):
apparmor: fix change_hat not finding hat after policy replacement
security/apparmor/domain.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
---
>From 4bc60a7f780acb6eb5b71360ab04e29ecd282bda Mon Sep 17 00:00:00 2001
From: John Johansen <[email protected]>
Date: Wed, 31 Aug 2016 21:10:06 -0700
Subject: [PATCH] apparmor: fix change_hat not finding hat after policy
replacement
After a policy replacement, the task cred may be out of date and need
to be updated. However change_hat is using the stale profiles from
the out of date cred resulting in either: a stale profile being applied
or, incorrect failure when searching for a hat profile as it has been
migrated to the new parent profile.
Fixes: 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (failure to find hat)
Fixes: 898127c34ec03291c86f4ff3856d79e9e18952bc (stale policy being applied)
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287
Cc: [email protected]
Signed-off-by: John Johansen <[email protected]>
---
security/apparmor/domain.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index fc3036b..a4d90aa 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -621,8 +621,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
/* released below */
cred = get_current_cred();
cxt = cred_cxt(cred);
- profile = aa_cred_profile(cred);
- previous_profile = cxt->previous;
+ profile = aa_get_newest_profile(aa_cred_profile(cred));
+ previous_profile = aa_get_newest_profile(cxt->previous);
if (unconfined(profile)) {
info = "unconfined";
@@ -718,6 +718,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
out:
aa_put_profile(hat);
kfree(name);
+ aa_put_profile(profile);
+ aa_put_profile(previous_profile);
put_cred(cred);
return error;
--
2.9.3