git.proxmox.com Git - pve-kernel.git/blob - patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch
add apparmor socket mediation fix
1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: John Johansen <john.johansen@canonical.com>
3 Date: Fri, 27 Jul 2018 14:27:05 -0700
4 Subject: [PATCH] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs
5 unix sockets
6
7 the apparmor policy language currently does not allow expressing of the
8 locking permission for non-fs unix sockets. However the kernel is
9 enforcing mediation.
10
11 Add the AA_MAY_LOCK perm to the computed perm mask which will grant
12 permission for all current abi profiles, but still allow specifying
13 auditing of the operation if needed.
14
15 http://bugs.launchpad.net/bugs/1780227
16 Signed-off-by: John Johansen <john.johansen@canonical.com>
17 ---
18 security/apparmor/lib.c | 2 +-
19 1 file changed, 1 insertion(+), 1 deletion(-)
20
21 diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
22 index a7b3f681b80e..eafad30a78d7 100644
23 --- a/security/apparmor/lib.c
24 +++ b/security/apparmor/lib.c
25 @@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
26 /* for v5 perm mapping in the policydb, the other set is used
27 * to extend the general perm set
28 */
29 - perms->allow |= map_other(dfa_other_allow(dfa, state));
30 + perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
31 perms->audit |= map_other(dfa_other_audit(dfa, state));
32 perms->quiet |= map_other(dfa_other_quiet(dfa, state));
33 // perms->xindex = dfa_user_xindex(dfa, state);
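Review bot: The `| AA_MAY_LOCK` added to `perms->allow` is unconditional, so every state that goes through this v5 "other set" mapping gets the lock permission, while the commit message only describes non-fs unix sockets. The existing comment above the line still says only that the other set extends the general perm set, so a reader of lib.c has no hint why a constant is OR-ed in here. Please extend that comment to say that AA_MAY_LOCK is granted because the policy language cannot yet express it for non-fs unix sockets, and that it should be dropped once policy can carry the permission. It is also worth stating whether granting it outside the unix socket case is intended or whether the grant should be limited to where the socket mediation is computed. Leaving `perms->audit` and `perms->quiet` untouched matches the stated goal of keeping the operation auditable.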
34 --
35 2.17.1
36