From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Casey Schaufler, John Johansen
Subject: [PATCH 4.19 224/287] apparmor: fix absroot causing audited secids to begin with =
Date: Tue, 23 Aug 2022 10:26:33 +0200
Message-Id: <20220823080108.540559258@linuxfoundation.org>
In-Reply-To: <20220823080100.268827165@linuxfoundation.org>
References: <20220823080100.268827165@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: John Johansen

commit 511f7b5b835726e844a5fc7444c18e4b8672edfd upstream.

AppArmor is prefixing secids that are converted to secctx with the = to
indicate the secctx should only be parsed from an absolute root POV. This
allows catching errors where secctx are reparsed back into internal labels.

Unfortunately because audit is using secid to secctx conversion this means
that subject and object labels can result in a very unfortunate == that can
break audit parsing. E.g. the subj==unconfined term in the below audit message

type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000 ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'

Fix this by switching the prepending of = to a _. This still works as a
special character to flag this case without breaking audit. Also move this
check behind debug as it should not be needed during normal operation.

Fixes: 26b7899510ae ("apparmor: add support for absolute root view based labels")
Reported-by: Casey Schaufler
Signed-off-by: John Johansen
Signed-off-by: Greg Kroah-Hartman
---
 security/apparmor/include/lib.h | 5 +++++
 security/apparmor/label.c       | 7 ++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

--- a/security/apparmor/include/lib.h +++ b/security/apparmor/include/lib.h @@ -25,6 +25,11 @@ */ #define DEBUG_ON (aa_g_debug) +/* + * split individual debug cases out in preparation for finer grained + * debug controls in the future. + */ +#define AA_DEBUG_LABEL DEBUG_ON #define dbg_printk(__fmt, __args...) pr_debug(__fmt, ##__args) #define AA_DEBUG(fmt, args...) \ do { \ --- a/security/apparmor/label.c +++ b/security/apparmor/label.c
@@ -1641,9 +1641,9 @@ int aa_label_snxprint(char *str, size_t AA_BUG(!str && size != 0); AA_BUG(!label); - if (flags & FLAG_ABS_ROOT) { + if (AA_DEBUG_LABEL && (flags & FLAG_ABS_ROOT)) { ns = root_ns; - len = snprintf(str, size, "="); + len = snprintf(str, size, "_"); update_for_len(total, len, size, str); } else if (!ns) { ns = labels_ns(label); @@ -1905,7 +1905,8 @@ struct aa_label *aa_label_strn_parse(str AA_BUG(!str); str = skipn_spaces(str, n); - if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label)) + if (str == NULL || (AA_DEBUG_LABEL && *str == '_' && + base != &root_ns->unconfined->label)) return ERR_PTR(-EINVAL); len = label_count_strn_entries(str, end - str);
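Review bot: the new comment above `#define AA_DEBUG_LABEL DEBUG_ON` in the lib.h hunk (@@ -25,6 +25,11 @@) should say that this is a runtime switch rather than a build-time one: `DEBUG_ON` expands to `(aa_g_debug)`, so every `AA_DEBUG_LABEL &&` test added in label.c is evaluated per call and flips with the module's debug parameter. A secctx emitted while debug is on and parsed after it has been turned off will not get the special handling of the `_` prefix; stating that next to the macro saves readers of label.c from assuming it is a compile-time constant.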
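Review bot: in the `aa_label_snxprint` hunk (@@ -1641,9 +1641,9 @@), gating the whole `if` on `AA_DEBUG_LABEL` also gates `ns = root_ns`, so with debug off a caller that passes `FLAG_ABS_ROOT` no longer has its view forced to the root namespace and instead falls through to `else if (!ns) ns = labels_ns(label)`. If only the marker character is meant to be debug-only, split the two: keep `if (flags & FLAG_ABS_ROOT) { ns = root_ns;` unconditional and wrap just the `snprintf(str, size, "_")` and the following `update_for_len(...)` in `if (AA_DEBUG_LABEL)`.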
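Review bot: in the `aa_label_strn_parse` hunk (@@ -1905,7 +1905,8 @@), a leading `_` is now rejected against a non-root base only when `AA_DEBUG_LABEL` is set; with debug off the same string is passed to `label_count_strn_entries(str, end - str)` with the `_` intact, as if it were the start of a profile name. The commit message says the character "still works as a special character", but the visible code treats it specially only in debug mode, so it is worth confirming, and recording in the commit message, that no legitimate profile or namespace name can begin with `_`.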
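The audit-parsing breakage the commit message describes, as an added example that is not part of the patch or of AppArmor's or audit's own code: a strict key=value tokeniser for audit records, run over a constructed copy of the quoted USER_LOGIN line once with the old `=` marker and once with the new `_` marker. The field grammar and both sample records are assumptions made for the demonstration.

```python
import re

# Constructed sample records modelled on the USER_LOGIN line quoted in the
# commit message: OLD_RECORD carries the '=' absolute-root marker that
# produced "subj==unconfined", NEW_RECORD the '_' marker used after the fix.
OLD_RECORD = (
    "type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000 "
    "ses=3 subj==unconfined msg='op=login id=1000 exe=\"/usr/sbin/sshd\" "
    "hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'"
)
NEW_RECORD = OLD_RECORD.replace("subj==unconfined", "subj=_unconfined")

# Assumed field grammar (a simplification of what audit consumers accept):
# key=value, where value is a double-quoted string, a single-quoted nested
# message, or a bare token. A bare token may not start with '=', which is
# exactly what the extra '=' from the old marker violates.
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|[^\s=]\S*)")


def parse_audit_record(record):
    """Tokenise one audit record into a dict of fields.

    Raises ValueError at the first text that does not fit the grammar. A
    later duplicate key (the nested msg='...' payload) overwrites the earlier
    one, which is enough for this demonstration.
    """
    fields = {}
    pos = 0
    while pos < len(record):
        if record[pos] == " ":
            pos += 1
            continue
        m = FIELD_RE.match(record, pos)
        if m is None:
            raise ValueError(
                f"malformed field at offset {pos}: {record[pos:pos + 20]!r}")
        fields[m.group(1)] = m.group(2)
        pos = m.end()
    return fields


def record_parses(record):
    """True if the strict parser accepts the whole record, else False."""
    try:
        parse_audit_record(record)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name, rec in (("old '=' marker", OLD_RECORD), ("new '_' marker", NEW_RECORD)):
        print(f"{name}: {'parses' if record_parses(rec) else 'REJECTED'}")
```

The old record fails at the `subj==unconfined` token because the value would have to start with `=`; the new record parses and yields `_unconfined` as the subject, which a consumer can then recognise as a debug-mode absolute-root label.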