lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <alpine.LRH.2.02.1203280112180.22779@tundra.namei.org>
Date:	Wed, 28 Mar 2012 01:13:58 +1100 (EST)
From:	James Morris <jmorris@...ei.org>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
cc:	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	John Johansen <john.johansen@...onical.com>
Subject: [GIT] Apparmor bugfix

Hi Linus,

Please pull this fix for Apparmor.

The following changes since commit e22057c8599373e5caef0bc42bdb95d2a361ab0d:
  Linus Torvalds (1):
        Merge tag 'stable/for-linus-3.4-tag-two' of git://git.kernel.org/.../konrad/xen

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git for-linus

John Johansen (1):
      apparmor: Fix change_onexec when called from a confined task

 security/apparmor/domain.c |    3 ++-
 security/apparmor/file.c   |    2 ++
 2 files changed, 4 insertions(+), 1 deletions(-)

commit 0421ea91ddc7895a5a68d3bc670ed4b8e6448a42
Author: John Johansen <john.johansen@...onical.com>
Date:   Tue Mar 27 04:14:33 2012 -0700

    apparmor: Fix change_onexec when called from a confined task
    
    Fix failure in aa_change_onexec api when the request is made from a confined
    task.  This failure was caused by two problems
    
     The AA_MAY_ONEXEC perm was not being mapped correctly for this case.
    
     The executable name was being checked as second time instead of using the
     requested onexec profile name, which may not be the same as the exec
     profile name. This mistake can not be exploited to grant extra permission
     because of the above flaw where the ONEXEC permission was not being mapped
     so it will not be granted.
    
    BugLink: http://bugs.launchpad.net/bugs/963756
    
    Signed-off-by: John Johansen <john.johansen@...onical.com>
    Signed-off-by: James Morris <james.l.morris@...cle.com>

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 7c69599..6327685 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -410,7 +410,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 		 * exec\0change_profile
 		 */
 		state = aa_dfa_null_transition(profile->file.dfa, state);
-		cp = change_profile_perms(profile, cxt->onexec->ns, name,
+		cp = change_profile_perms(profile, cxt->onexec->ns,
+					  cxt->onexec->base.name,
 					  AA_MAY_ONEXEC, state);
 
 		if (!(cp.allow & AA_MAY_ONEXEC))
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index 3022c0f..5d176f2 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -215,6 +215,8 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
 	/* change_profile wasn't determined by ownership in old mapping */
 	if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
 		perms.allow |= AA_MAY_CHANGE_PROFILE;
+	if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
+		perms.allow |= AA_MAY_ONEXEC;
 
 	return perms;
 }
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ