On 10/24/2017 02:32 AM, Paul Menzel wrote:
> I’d really like to try the Linux kernel fix. Can a get it from
> somewhere?
>
commit 8baea25455c08173713fdbceac99309192518ffb
Author: John Johansen <john.johan...@canonical.com>
Date: Mon Oct 23 08:51:24 2017 -0700
apparmor: fix regression in network mediation when using feature pinning
When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
or earlier pinned feature set, there is a regression in network
mediation where policy is not being correctly enforced, because the
compilation is completely dropping the af mediation table as expected
by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
Resulting in network denials that can not be fixed by policy.
Fixes: 651e28c5537a ("apparmor: add base infastructure for socket
mediation")
Signed-off-by: John Johansen <john.johan...@canonical.com>
diff --git a/security/apparmor/policy_unpack.c
b/security/apparmor/policy_unpack.c
index 5a2aec358322..e348f8dec45d 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -755,6 +755,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e,
char **ns_name)
}
if (!unpack_nameX(e, AA_ARRAYEND, NULL))
goto fail;
+ } else {
+ /* support policy pre AF socket mediation */
+ for (i = 0; i < AF_MAX; i++)
+ profile->net.allow[i] = 0xffff;
}
if (VERSION_LT(e->version, v7)) {
/* pre v7 policy always allowed these */
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1721278
Title:
apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed"
w/ 4.14-rc2 and later
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
