On 10/24/2017 02:32 AM, Paul Menzel wrote:
> I’d really like to try the Linux kernel fix. Can I get it from
> somewhere?
> 
commit 8baea25455c08173713fdbceac99309192518ffb
Author: John Johansen <john.johan...@canonical.com>
Date:   Mon Oct 23 08:51:24 2017 -0700

    apparmor: fix regression in network mediation when using feature pinning
    
    When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
    or earlier pinned feature set, there is a regression in network
    mediation where policy is not being correctly enforced, because the
    compilation is completely dropping the af mediation table as expected
    by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
    
    This results in network denials that cannot be fixed by policy.
    
    Fixes: 651e28c5537a ("apparmor: add base infastructure for socket mediation")
    Signed-off-by: John Johansen <john.johan...@canonical.com>

diff --git a/security/apparmor/policy_unpack.c 
b/security/apparmor/policy_unpack.c
index 5a2aec358322..e348f8dec45d 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -755,6 +755,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, 
char **ns_name)
                }
                if (!unpack_nameX(e, AA_ARRAYEND, NULL))
                        goto fail;
+       } else {
+               /* support policy pre AF socket mediation */
+               for (i = 0; i < AF_MAX; i++)
+                       profile->net.allow[i] = 0xffff;
        }
        if (VERSION_LT(e->version, v7)) {
                /* pre v7 policy always allowed these */
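Review bot: the new `else` branch depends on a loop counter `i` and on `profile->net.allow` having at least AF_MAX entries, and neither declaration is visible in this hunk; confirm that `i` is declared in unpack_profile() and that the array is sized by AF_MAX, since the loop writes `profile->net.allow[i] = 0xffff;` for every index below AF_MAX. The bare `0xffff` also deserves a named constant or a comment saying it means "every socket permission allowed for this address family", which is what the commit message intends (a policy compiled for a pre-4.14 feature set carries no af table, so the kernel must not mediate what the policy never expressed) but is opaque as written; `/* support policy pre AF socket mediation */` explains when the branch runs, not what the value grants.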

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1721278

Title:
  apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"
  w/ 4.14-rc2 and later

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Xenial:
  Confirmed
Status in apparmor source package in Zesty:
  Confirmed
Status in apparmor source package in Artful:
  Confirmed

Bug description:
  With Ubuntu 16.04.3 LTS (Xenial Xerus) and apparmor
  2.10.95-0ubuntu2.7, the error message below is printed to the system
  log every second.

  ```
  […]
  [Mi Okt  4 16:57:52 2017] audit: type=1400 audit(1507129072.882:554): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
  [Mi Okt  4 16:57:53 2017] audit: type=1400 audit(1507129073.886:555): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
  [Mi Okt  4 16:57:54 2017] audit: type=1400 audit(1507129074.886:556): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
  [Mi Okt  4 16:57:55 2017] audit: type=1400 audit(1507129075.886:557): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
  […]
  ```
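The audit lines above are the only symptom an administrator sees of this regression, and the telling detail is that the same socket denial recurs once per second for a single profile rather than appearing once. The script below is an added example, not part of the bug report or of the AppArmor project: it parses the `key=value` fields of AppArmor audit lines in the dmesg form shown above, keeps only DENIED events that carry a `family=` field (socket mediation), groups them by profile, operation, family and socket type, and flags groups that recur at a steady cadence. The sample input embeds the four reported lines plus three constructed lines (a profile-load STATUS line, a one-off socket denial for a hypothetical ntpd profile, and a file denial with no `family=` field) to show what is kept and what is ignored; the 2-second gap threshold is an assumption chosen for the example.

```python
"""Group AppArmor socket denials from dmesg audit lines and flag steady retry loops."""
import re

# Constructed sample: the four cups-browsed lines from the bug report, followed by
# three lines constructed for this example (STATUS line, hypothetical ntpd profile,
# file denial without family=) so the filter has something to discard.
SAMPLE_LOG = """\
[Mi Okt  4 16:57:52 2017] audit: type=1400 audit(1507129072.882:554): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:57:53 2017] audit: type=1400 audit(1507129073.886:555): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:57:54 2017] audit: type=1400 audit(1507129074.886:556): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:57:55 2017] audit: type=1400 audit(1507129075.886:557): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:58:10 2017] audit: type=1400 audit(1507129090.100:558): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=1200 comm="apparmor_parser"
[Mi Okt  4 16:58:30 2017] audit: type=1400 audit(1507129110.250:559): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=701 comm="ntpd" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:58:31 2017] audit: type=1400 audit(1507129111.300:560): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/log/cups/error_log" pid=940 comm="cupsd" requested_mask="r" denied_mask="r"
"""

# audit(<epoch>.<millis>:<serial>) stamp written by the kernel audit subsystem
AUDIT_ID = re.compile(r"audit\((\d+)\.(\d+):(\d+)\)")
# key="quoted value" or key=bare_value; quoted values may contain spaces
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict, or None.

    Quoted and unquoted values are both handled; the audit stamp is exposed as
    _ts (float seconds since the epoch) and _serial (int) for ordering.
    """
    stamp = AUDIT_ID.search(line)
    if stamp is None or "apparmor=" not in line:
        return None
    rec = {key: quoted or bare for key, quoted, bare in KEY_VALUE.findall(line)}
    rec["_ts"] = float(f"{stamp.group(1)}.{stamp.group(2)}")
    rec["_serial"] = int(stamp.group(3))
    return rec


def socket_denials(text):
    """Group DENIED events that carry a family= field (socket mediation).

    Returns {(profile, operation, family, sock_type): [timestamps]}.
    File and STATUS events have no family= field and are dropped.
    """
    groups = {}
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec.get("apparmor") != "DENIED" or "family" not in rec:
            continue
        key = (rec["profile"], rec["operation"], rec["family"], rec.get("sock_type", "?"))
        groups.setdefault(key, []).append(rec["_ts"])
    return groups


def steady_retry(timestamps, max_gap=2.0, min_events=3):
    """True when a denial recurs at a steady cadence (the once-per-second
    symptom in the report), which points at a policy or kernel regression
    rather than a single unexpected access. max_gap is an assumed threshold.
    """
    if len(timestamps) < min_events:
        return False
    ordered = sorted(timestamps)
    return max(b - a for a, b in zip(ordered, ordered[1:])) <= max_gap


def report(text):
    """Map each socket-denial group to (event count, steady-retry flag)."""
    return {key: (len(ts), steady_retry(ts)) for key, ts in socket_denials(text).items()}


if __name__ == "__main__":
    for key, (count, steady) in report(SAMPLE_LOG).items():
        print(f"{count:3d} denials  steady={steady!s:5}  {key}")
```

Run it against `dmesg` or `journalctl -k` output instead of the sample to see which profiles are being denied socket access on a steady cadence; a group flagged as steady for a profile whose policy has not changed is the signature of the mediation regression described in the commit message rather than of a genuinely new access.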
