From: Wolfgang Bumiller Date: Mon, 30 Jul 2018 07:26:46 +0000 (+0200) Subject: add apparmor socket mediation fix X-Git-Url: https://git.proxmox.com/?p=pve-kernel.git;a=commitdiff_plain;h=cd0e07c79240b16bd34c9c30bbe9a2532043dcba;hp=64fc80e3b76dcca24399be943ac47093ffa347ae add apparmor socket mediation fix Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227 Signed-off-by: Wolfgang Bumiller --- diff --git a/patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch b/patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch new file mode 100644 index 0000000..23c1c50 --- /dev/null +++ b/patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch 
@@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Fri, 27 Jul 2018 14:27:05 -0700 +Subject: [PATCH] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs + unix sockets + +the apparmor policy language current does not allow expressing of the +locking permission for no-fs unix sockets. However the kernel is +enforcing mediation. + +Add the AA_MAY_LOCK perm to the computed perm mask which will grant +permission for all current abi profiles, but still allow specifying +auditing of the operation if needed. + +http://bugs.launchpad.net/bugs/1780227 +Signed-off-by: John Johansen +--- + security/apparmor/lib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c +index a7b3f681b80e..eafad30a78d7 100644 +--- a/security/apparmor/lib.c ++++ b/security/apparmor/lib.c +@@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, + /* for v5 perm mapping in the policydb, the other set is used + * to extend the general perm set + */ +- perms->allow |= map_other(dfa_other_allow(dfa, state)); ++ perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK; + perms->audit |= map_other(dfa_other_audit(dfa, state)); + perms->quiet |= map_other(dfa_other_quiet(dfa, state)); + // perms->xindex = dfa_user_xindex(dfa, state); +-- +2.17.1 +
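Review bot: the added bit in `+ perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;` is not scoped to non-fs unix sockets; nothing in the hunk checks the object class, so AA_MAY_LOCK is set in perms->allow for every state that goes through this v5 perm mapping path in aa_compute_perms, and policy has no way to deny the lock operation until the language can express the permission. If the socket class is knowable at this call site, gate the bit on it; otherwise the commit message should state plainly that this is a blanket allow to be reverted once the policy language gains a lock permission for these sockets. Leaving perms->audit and perms->quiet untouched is the right call, since it keeps the "still allow specifying auditing" promise in the description true.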