To: James Morris
Cc: "open list:SECURITY SUBSYSTEM", LKLM
From: John Johansen
Subject: [PATCH] apparmor: fix changehat not finding hat after policy replacement
Organization: Canonical
Message-ID: <48726882-f583-1627-1af3-edc90ea9b0d9@canonical.com>
Date: Fri, 18 Nov 2016 08:12:05 -0800

Hi James,

This is a fix for a policy replacement bug that is fairly serious for apache mod_apparmor users, as it results in the wrong policy being applied on a network-facing service. Can you please pull and push up for 4.9?

It has been rebased against current 4.9; you can either grab the patch included below or do a pull from

The following changes since commit 623898671c8eb05639e746e6d84cffa281616438:

  Merge branch 'for-linus' of git://git.kernel.dk/linux-block (2016-11-17 13:59:39 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor fix-change_hat

for you to fetch changes up to 4bc60a7f780acb6eb5b71360ab04e29ecd282bda:

  apparmor: fix change_hat not finding hat after policy replacement (2016-11-18 07:07:10 -0800)

----------------------------------------------------------------
John Johansen (1):
      apparmor: fix change_hat not finding hat after policy replacement

 security/apparmor/domain.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

---
>From 4bc60a7f780acb6eb5b71360ab04e29ecd282bda Mon Sep 17 00:00:00 2001 From: John Johansen Date: Wed, 31 Aug 2016 21:10:06 -0700 Subject: [PATCH] apparmor: fix change_hat not finding hat after policy replacement After a policy replacement, the task cred may be out of date and need to be updated. However change_hat is using the stale profiles from the out of date cred resulting in either: a stale profile being applied or, incorrect failure when searching for a hat profile as it has been migrated to the new parent profile. Fixes: 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (failure to find hat) Fixes: 898127c34ec03291c86f4ff3856d79e9e18952bc (stale policy being applied) Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287 Cc: stable@vger.kernel.org Signed-off-by: John Johansen --- security/apparmor/domain.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index fc3036b..a4d90aa 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -621,8 +621,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) /* released below */ cred = get_current_cred(); cxt = cred_cxt(cred); - profile = aa_cred_profile(cred); - previous_profile = cxt->previous; + profile = aa_get_newest_profile(aa_cred_profile(cred)); + previous_profile = aa_get_newest_profile(cxt->previous); if (unconfined(profile)) { info = "unconfined"; @@ -718,6 +718,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) out: aa_put_profile(hat); kfree(name); + aa_put_profile(profile); + aa_put_profile(previous_profile); put_cred(cred); return error; -- 2.9.3
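Review bot: in the first hunk (@@ -621,8), the existing comment /* released below */ sits above get_current_cred() and reads as covering cred only, while profile and previous_profile are now also counted references returned by aa_get_newest_profile(). Suggest extending the comment to name all three so the pairing with the puts under out: is obvious. Also, cxt->previous is passed to aa_get_newest_profile() without a check; if it can be NULL at this point, please confirm the helper accepts a NULL argument.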
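Review bot: in the second hunk (@@ -718,6), the two new aa_put_profile() calls are placed under out:, so the references taken in the first hunk are dropped only on paths that reach that label. The visible context does not show the exits in between, for example the unconfined(profile) branch, so please confirm that every one of them jumps to out: rather than returning directly, otherwise a profile reference leaks on that path. It is also worth confirming that aa_put_profile(previous_profile) is safe when previous_profile is NULL.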