
Stefan Bader 11-11-2009 12:21 PM

UBUNTU: SAUCE: AppArmor: Fix cap audit_caching preemption disabling
 
Clearly fixes the described problem as it matches the get with a put.

John Johansen wrote:
> BugLink: http://bugs.launchpad.net/bugs/479102
>
> SRU Justification: Failing to put_cpu_var means that kernel preemption is
> disabled for the task. This will affect all confined processes that try
> to audit a capability message (so a process that has a capability violation
> or is in learning mode and would have a capability violation).
>
> The auditing code of capabilities has a simple cache to reduce capability
> messages flooding the audit logs. Checking and updating the cache
> disables kernel preemption. One potential exit path does not properly
> put the per cpu var, thus not reenabling preemption.
>
> Signed-off-by: John Johansen <john.johansen@canonical.com>

Acked-by: Stefan Bader <stefan.bader@canonical.com>

> ---
> ubuntu/apparmor/capability.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/ubuntu/apparmor/capability.c b/ubuntu/apparmor/capability.c
> index 65b91cf..5bb2eca 100644
> --- a/ubuntu/apparmor/capability.c
> +++ b/ubuntu/apparmor/capability.c
> @@ -72,6 +72,7 @@ static int aa_audit_caps(struct aa_profile *profile, struct aa_audit_caps *sa)
> /* Do simple duplicate message elimination */
> ent = &get_cpu_var(audit_cache);
> if (sa->base.task == ent->task && cap_raised(ent->caps, sa->cap)) {
> + put_cpu_var(audit_cache);
> if (PROFILE_COMPLAIN(profile))
> return 0;
> return sa->base.error;
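
Review bot: The get/put pairing in `aa_audit_caps` is still maintained by hand on each exit path, which is how the cache-hit branch at `if (sa->base.task == ent->task && cap_raised(ent->caps, sa->cap))` came to return with preemption disabled. Consider evaluating that condition into a local flag, calling `put_cpu_var(audit_cache);` once, and only then branching to the two returns, so any return added later cannot skip the put. As posted, the placement is safe: the lines after the added put use only `profile` and `sa`, never `ent`.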


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
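
A userspace model of the imbalance the commit message describes, added here as an example and not taken from the AppArmor source. The `model_*` helpers, the counter standing in for the kernel's preemption count, and the cache-miss path are assumptions; only the cache-hit branch follows the quoted hunk.

```c
#include <stdio.h>

/* Assumption: a plain counter models the preemption count that the kernel's
 * get_cpu_var() raises and put_cpu_var() lowers. One "CPU" only. */
static int preempt_count;
struct audit_cache_ent { const void *task; unsigned long caps; };
static struct audit_cache_ent audit_cache;

static struct audit_cache_ent *model_get_cpu_var(void)
{
    preempt_count++;                 /* stands in for preempt_disable() */
    return &audit_cache;
}

static void model_put_cpu_var(void) { preempt_count--; }

/* Duplicate-message elimination. with_fix selects the patched early return;
 * the miss path below is an assumed shape, not shown on the page. */
static int model_audit_caps(const void *task, int cap, int error, int with_fix)
{
    struct audit_cache_ent *ent = model_get_cpu_var();

    if (task == ent->task && (ent->caps & (1UL << cap))) {
        if (with_fix)
            model_put_cpu_var();     /* the line the patch adds */
        return error;                /* cache hit: message suppressed */
    }
    if (task != ent->task) {         /* new task: start a fresh entry */
        ent->task = task;
        ent->caps = 0;
    }
    ent->caps |= 1UL << cap;
    model_put_cpu_var();
    return error;
}

/* Preemption count left behind after one miss followed by `hits` repeats. */
static int leaked_after(int hits, int with_fix)
{
    static const int task_a = 0;     /* constructed task identity */
    preempt_count = 0;
    audit_cache = (struct audit_cache_ent){0};
    for (int i = 0; i <= hits; i++)
        model_audit_caps(&task_a, 21, -1, with_fix); /* 21: constructed cap */
    return preempt_count;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", leaked_after(3, 0), leaked_after(3, 1));
    return 0;
}
```

Each suppressed duplicate in the unpatched variant leaves the count one higher, which matches the SRU justification that only confined tasks repeating a capability audit are affected.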

Andy Whitcroft 11-12-2009 10:19 AM

UBUNTU: SAUCE: AppArmor: Fix cap audit_caching preemption disabling
 
On Tue, Nov 10, 2009 at 10:29:11AM -0800, John Johansen wrote:
> BugLink: http://bugs.launchpad.net/bugs/479102
>
> SRU Justification: Failing to put_cpu_var means that kernel preemption is
> disabled for the task. This will affect all confined processes that try
> to audit a capability message (so a process that has a capability violation
> or is in learning mode and would have a capability violation).
>
> The auditing code of capabilities has a simple cache to reduce capability
> messages flooding the audit logs. Checking and updating the cache
> disables kernel preemption. One potential exit path does not properly
> put the per cpu var, thus not reenabling preemption.
>
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> ---
> ubuntu/apparmor/capability.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/ubuntu/apparmor/capability.c b/ubuntu/apparmor/capability.c
> index 65b91cf..5bb2eca 100644
> --- a/ubuntu/apparmor/capability.c
> +++ b/ubuntu/apparmor/capability.c
> @@ -72,6 +72,7 @@ static int aa_audit_caps(struct aa_profile *profile, struct aa_audit_caps *sa)
> /* Do simple duplicate message elimination */
> ent = &get_cpu_var(audit_cache);
> if (sa->base.task == ent->task && cap_raised(ent->caps, sa->cap)) {
> + put_cpu_var(audit_cache);
> if (PROFILE_COMPLAIN(profile))
> return 0;
> return sa->base.error;
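
Review bot: The context stops at `return sa->base.error;`, so the cache-miss path that follows `ent = &get_cpu_var(audit_cache);` is not visible here, while the commit message speaks of "one potential exit path" lacking the put. It is worth confirming against the full function that every remaining path puts exactly once and does not touch `ent` afterwards. A one-line comment next to the get, stating that preemption stays disabled until the matching `put_cpu_var(audit_cache);`, would make that invariant explicit for the next change.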

This is a nice short section, looks right to me.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw


Stefan Bader 11-12-2009 12:38 PM

UBUNTU: SAUCE: AppArmor: Fix cap audit_caching preemption disabling
 
Applied
