Commit | Line | Data |
---|---|---|
cd0e07c7 WB |
1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: John Johansen <john.johansen@canonical.com> | |
3 | Date: Fri, 27 Jul 2018 14:27:05 -0700 | |
4 | Subject: [PATCH] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs | |
5 | unix sockets | |
6 | ||
7 | The apparmor policy language currently does not allow expressing the | |
8 | locking permission for non-fs unix sockets. However, the kernel is | |
9 | enforcing mediation. | |
10 | ||
11 | Add the AA_MAY_LOCK perm to the computed perm mask which will grant | |
12 | permission for all current abi profiles, but still allow specifying | |
13 | auditing of the operation if needed. | |
14 | ||
15 | http://bugs.launchpad.net/bugs/1780227 | |
16 | Signed-off-by: John Johansen <john.johansen@canonical.com> | |
17 | --- | |
18 | security/apparmor/lib.c | 2 +- | |
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
20 | ||
21 | diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c | |
e2af2a61 | 22 | index 068a9f471f77..23f3d16d6b85 100644 |
cd0e07c7 WB |
23 | --- a/security/apparmor/lib.c |
24 | +++ b/security/apparmor/lib.c | |
25 | @@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, | |
26 | /* for v5 perm mapping in the policydb, the other set is used | |
27 | * to extend the general perm set | |
28 | */ | |
29 | - perms->allow |= map_other(dfa_other_allow(dfa, state)); | |
30 | + perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK; | |
31 | perms->audit |= map_other(dfa_other_audit(dfa, state)); | |
32 | perms->quiet |= map_other(dfa_other_quiet(dfa, state)); | |
33 | // perms->xindex = dfa_user_xindex(dfa, state); |
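Review bot: The `| AA_MAY_LOCK` added to the `perms->allow` line is unconditional, so every permission set that aa_compute_perms() produces gains the lock bit, not only the non-fs unix socket case named in the subject. The comment above it still describes only the v5 "other" mapping, so a later reader has no way to tell that this widening of the allow mask is deliberate. I would put the rationale on the line itself, for example `/* policy ABI cannot yet express lock for non-fs unix sockets: grant it here, audit/quiet still come from policy */`, and note that it should be removed once the ABI can express the permission. It is also worth confirming which callers of aa_compute_perms() test AA_MAY_LOCK and whether a deny set is applied after this mask, since the function starts and ends outside the hunk and neither is visible here.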