| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Nov 2016 08:12:05 -0800
From: John Johansen <john.johansen@...onical.com>
To: James Morris <jmorris@...ei.org>
Cc: "open list:SECURITY SUBSYSTEM"
<linux-security-module@...r.kernel.org>,
LKLM <linux-kernel@...r.kernel.org>
Subject: [PATCH] apparmor: fix changehat not finding hat after policy
replacement
Hi James,
This is a fix for a policy replacement bug that is fairly serious for
apache mod_apparmor users, as it results in the wrong policy being
applied on an network facing service.
can you please pull and pushup for 4.9
It has been rebased against current 4.9, you can either grab the patch
included below or do a pull from
The following changes since commit 623898671c8eb05639e746e6d84cffa281616438:
Merge branch 'for-linus' of git://git.kernel.dk/linux-block (2016-11-17 13:59:39 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor fix-change_hat
for you to fetch changes up to 4bc60a7f780acb6eb5b71360ab04e29ecd282bda:
apparmor: fix change_hat not finding hat after policy replacement (2016-11-18 07:07:10 -0800)
----------------------------------------------------------------
John Johansen (1):
apparmor: fix change_hat not finding hat after policy replacement
security/apparmor/domain.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
---
>From 4bc60a7f780acb6eb5b71360ab04e29ecd282bda Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@...onical.com>
Date: Wed, 31 Aug 2016 21:10:06 -0700
Subject: [PATCH] apparmor: fix change_hat not finding hat after policy
replacement
After a policy replacement, the task cred may be out of date and need
to be updated. However change_hat is using the stale profiles from
the out of date cred resulting in either: a stale profile being applied
or, incorrect failure when searching for a hat profile as it has been
migrated to the new parent profile.
Fixes: 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (failure to find hat)
Fixes: 898127c34ec03291c86f4ff3856d79e9e18952bc (stale policy being applied)
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287
Cc: stable@...r.kernel.org
Signed-off-by: John Johansen <john.johansen@...onical.com>
---
security/apparmor/domain.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index fc3036b..a4d90aa 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -621,8 +621,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
/* released below */
cred = get_current_cred();
cxt = cred_cxt(cred);
- profile = aa_cred_profile(cred);
- previous_profile = cxt->previous;
+ profile = aa_get_newest_profile(aa_cred_profile(cred));
+ previous_profile = aa_get_newest_profile(cxt->previous);
if (unconfined(profile)) {
info = "unconfined";
@@ -718,6 +718,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
out:
aa_put_profile(hat);
kfree(name);
+ aa_put_profile(profile);
+ aa_put_profile(previous_profile);
put_cred(cred);
return error;
--
2.9.3
Powered by blists - more mailing lists