Dear John,
On 10/24/17 12:55, John Johansen wrote:
> On 10/24/2017 02:32 AM, Paul Menzel wrote:
>> I’d really like to try the Linux kernel fix. Can I get it from
>> somewhere?
>>
> commit 8baea25455c08173713fdbceac99309192518ffb
> Author: John Johansen <john.johan...@canonical.com>
> Date:   Mon Oct 23 08:51:24 2017 -0700
>
>     apparmor: fix regression in network mediation when using feature pinning
>
>     When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
>     or earlier pinned feature set, there is a regression in network
>     mediation where policy is not being correctly enforced, because the
>     compilation is completely dropping the af mediation table as expected
>     by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
>
>     Resulting in network denials that can not be fixed by policy.
>
>     Fixes: 651e28c5537a ("apparmor: add base infastructure for socket
>     mediation")
>     Signed-off-by: John Johansen <john.johan...@canonical.com>
>
> diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
> index 5a2aec358322..e348f8dec45d 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -755,6 +755,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
>  		}
>  		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
>  			goto fail;
> +	} else {
> +		/* support policy pre AF socket mediation */
> +		for (i = 0; i < AF_MAX; i++)
> +			profile->net.allow[i] = 0xffff;
>  	}
>  	if (VERSION_LT(e->version, v7)) {
>  		/* pre v7 policy always allowed these */

Thank you. Can I pull it from a tree? Trying [1], I am asked for credentials.

```
$ git remote add ubuntu https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source
$ git fetch ubuntu
Username for 'https://git.launchpad.net':
```

Kind regards,

Paul

[1] https://code.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/saucy/+ref/mako

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1721278

Title:
  apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"
  w/ 4.14-rc2 and later

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Xenial:
  Confirmed
Status in apparmor source package in Zesty:
  Confirmed
Status in apparmor source package in Artful:
  Confirmed

Bug description:
  With Ubuntu 16.04.3 LTS (Xenial Xerus) and apparmor 2.10.95-0ubuntu2.7,
  the error message below is printed to the system log each second.
```
[…]
[Mi Okt  4 16:57:52 2017] audit: type=1400 audit(1507129072.882:554): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:57:53 2017] audit: type=1400 audit(1507129073.886:555): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:57:54 2017] audit: type=1400 audit(1507129074.886:556): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:57:55 2017] audit: type=1400 audit(1507129075.886:557): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[…]
```

-- 
Mailing list: https://launchpad.net/~touch-packages
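Review bot: the new `else` branch in the `unpack_profile()` hunk is a fail-open default, and the comment `/* support policy pre AF socket mediation */` does not say so; it should state that a missing af table means the policy was compiled by a pre-AF-mediation compiler, so every family in `profile->net.allow[]` is given every permission bit (`0xffff`) and network mediation is effectively disabled for that profile, and that this is for compatibility with pinned feature sets only, not a default new policy should rely on. The hunk also does not show the condition this `else` pairs with, so it is worth confirming in review that the branch is reached only when the table is absent and never when a current compiler deliberately emits an empty one, since the two cases cannot be told apart at this point and the consequence is allow-all. Finally, the fallback overlaps with the following `VERSION_LT(e->version, v7)` block (`/* pre v7 policy always allowed these */`); a one-line note that the v7 block is now only meaningful when the table was present would save the next reader working that out.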
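An added example, not from the bug report, the kernel patch or the AppArmor project: a small Python parser for the `type=1400` audit lines quoted in the bug description. The sample lines are constructed to mirror those denials (same field layout); one unrelated ALLOWED file record and one inet/dgram denial are added so the grouping is visible. It groups DENIED records by profile, operation, address family and socket type, and measures the interval between repeats of the same denial, which is how you would confirm the once-a-second cadence the reporter describes and tell a retry loop from a one-off event.

```python
"""Parse AppArmor audit ("type=1400") lines and summarise DENIED events.

Added example, not part of the bug report or the kernel patch. SAMPLE_LOG is
constructed to mirror the cups-browsed denials in the bug (same fields); the
ALLOWED cupsd line and the inet/dgram denial are invented to show grouping.
"""
import re
from collections import Counter

# key=value pairs; quoted values may contain spaces and escaped quotes
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# audit(SECONDS.MILLIS:SERIAL) cookie emitted by the kernel audit subsystem
AUDIT_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')

# Constructed sample input modelled on the dmesg lines in the bug description.
SAMPLE_LOG = """\
[Mi Okt  4 16:57:52 2017] audit: type=1400 audit(1507129072.882:554): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:57:53 2017] audit: type=1400 audit(1507129073.886:555): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:57:54 2017] audit: type=1400 audit(1507129074.886:556): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
[Mi Okt  4 16:57:54 2017] audit: type=1400 audit(1507129074.901:557): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=901 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Mi Okt  4 16:57:55 2017] audit: type=1400 audit(1507129075.886:558): apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" pid=939 comm="cups-browsed" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
"""


def parse_audit_line(line):
    """Return a dict of fields for one AppArmor audit line, or None if the line
    is not an AppArmor record. Quoted values are unquoted; the audit(ts:serial)
    cookie becomes integer 'ts_ms' (epoch milliseconds) and 'serial'."""
    if 'apparmor=' not in line:
        return None
    rec = {}
    for key, val in KV_RE.findall(line):
        rec[key] = val[1:-1] if val.startswith('"') else val
    m = AUDIT_RE.search(line)
    if m:
        sec, frac, serial = m.groups()
        rec['ts_ms'] = int(sec) * 1000 + int(frac.ljust(3, '0')[:3])
        rec['serial'] = int(serial)
    return rec


def parse_log(text):
    """Parse every AppArmor record in a block of log text, preserving order."""
    records = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is not None:
            records.append(rec)
    return records


def denial_key(rec):
    """Group key: profile, operation and, for socket events, the address
    family and socket type (both None for file events)."""
    return (rec.get('profile'), rec.get('operation'),
            rec.get('family'), rec.get('sock_type'))


def summarize_denials(records):
    """Count DENIED records per denial_key(); ALLOWED/STATUS lines are skipped."""
    return Counter(denial_key(r) for r in records
                   if r.get('apparmor') == 'DENIED')


def repeat_intervals_ms(records, key):
    """Milliseconds between consecutive DENIED records sharing `key`.
    A steady cadence (about 1000 ms in the bug) points at a process retrying
    in a loop rather than a single failed call."""
    ts = [r['ts_ms'] for r in records
          if r.get('apparmor') == 'DENIED' and denial_key(r) == key
          and 'ts_ms' in r]
    return [b - a for a, b in zip(ts, ts[1:])]


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarize_denials(recs).most_common():
        print(n, key, repeat_intervals_ms(recs, key))
```

Running the block prints each denial group with its repeat intervals; for the constructed unix/stream group that is 1004 ms and 1000 ms, the once-a-second pattern from the report, while the single inet/dgram denial has no intervals and the ALLOWED file record is not counted at all.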