[pve-kernel.git] / patches / kernel / 0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Fri, 27 Jul 2018 14:27:05 -0700
Subject: [PATCH] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs
 unix sockets

the apparmor policy language current does not allow expressing of the
locking permission for no-fs unix sockets. However the kernel is
enforcing mediation.

Add the AA_MAY_LOCK perm to the computed perm mask which will grant
permission for all current abi profiles, but still allow specifying
auditing of the operation if needed.

http://bugs.launchpad.net/bugs/1780227
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 068a9f471f77..23f3d16d6b85 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
 	/* for v5 perm mapping in the policydb, the other set is used
 	 * to extend the general perm set
 	 */
-	perms->allow |= map_other(dfa_other_allow(dfa, state));
+	perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
 	perms->audit |= map_other(dfa_other_audit(dfa, state));
 	perms->quiet |= map_other(dfa_other_quiet(dfa, state));
 //	perms->xindex = dfa_user_xindex(dfa, state);
Commit	Line	Data
cd0e07c7 WB	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: John Johansen <john.johansen@canonical.com>
	3	Date: Fri, 27 Jul 2018 14:27:05 -0700
	4	Subject: [PATCH] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs
	5	unix sockets
	6
	7	the apparmor policy language current does not allow expressing of the
	8	locking permission for no-fs unix sockets. However the kernel is
	9	enforcing mediation.
	10
	11	Add the AA_MAY_LOCK perm to the computed perm mask which will grant
	12	permission for all current abi profiles, but still allow specifying
	13	auditing of the operation if needed.
	14
	15	http://bugs.launchpad.net/bugs/1780227
	16	Signed-off-by: John Johansen <john.johansen@canonical.com>
	17	---
	18	security/apparmor/lib.c \| 2 +-
	19	1 file changed, 1 insertion(+), 1 deletion(-)
	20
	21	diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
e2af2a61	22	index 068a9f471f77..23f3d16d6b85 100644
cd0e07c7 WB	23	--- a/security/apparmor/lib.c
	24	+++ b/security/apparmor/lib.c
	25	@@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
	26	/* for v5 perm mapping in the policydb, the other set is used
	27	* to extend the general perm set
	28	*/
	29	- perms->allow \|= map_other(dfa_other_allow(dfa, state));
	30	+ perms->allow \|= map_other(dfa_other_allow(dfa, state)) \| AA_MAY_LOCK;
	31	perms->audit \|= map_other(dfa_other_audit(dfa, state));
	32	perms->quiet \|= map_other(dfa_other_quiet(dfa, state));
	33	// perms->xindex = dfa_user_xindex(dfa, state);