Old 09-15-2010, 05:16 PM
John Johansen
 
Default UBUNTU: SAUCE: AppArmor: allow newer tools to load policy on older kernels

BugLink: http://bugs.launchpad.net/bugs/639758

Remove an unnecessary restriction from the AppArmor network capability patch.
When a newer version of the tools is used with an older kernel, it may build
in extra rules for newer networking protocols that the older kernel does
not know about.

The older kernel can safely ignore the extra rules as it should never
create sockets using the newer protocols.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
security/apparmor/policy_unpack.c | 3 ---
1 files changed, 0 insertions(+), 3 deletions(-)

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 6b0637b..ef11ba9 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -575,9 +575,6 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)

size = unpack_array(e, "net_allowed_af");
if (size) {
- if (size > AF_MAX)
- goto fail;
-
for (i = 0; i < size; i++) {
if (!unpack_u16(e, &profile->net.allow[i], NULL))
goto fail;
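Review bot: dropping the `if (size > AF_MAX) goto fail;` guard without changing the loop bound leaves `for (i = 0; i < size; i++)` storing into `profile->net.allow[i]` for every index up to `size`, which can now exceed AF_MAX, so an oversized `net_allowed_af` array from newer tools is written past the end of the per-profile table rather than ignored. The commit message says the older kernel "can safely ignore the extra rules", but nothing in the hunk skips them; either keep the rejection, or make the loop consume and drop entries with `i >= AF_MAX` so the unpacker stays in sync with the stream without storing them.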
--
1.7.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 09-17-2010, 04:02 PM
John Johansen
 
Default UBUNTU: SAUCE: AppArmor: allow newer tools to load policy on older kernels

BugLink: http://bugs.launchpad.net/bugs/639758

Remove an unnecessary restriction from the AppArmor network capability patch.
When a newer version of the tools is used with an older kernel, it may build
in extra rules for newer networking protocols that the older kernel does
not know about.

The older kernel can safely discard the extra rules as it should never
create sockets using the newer protocols, and the LSM hooks will
never pass requests matching these rules.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
security/apparmor/policy_unpack.c | 14 +++++++++++---
1 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 6b0637b..9c51b03 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -575,10 +575,18 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)

size = unpack_array(e, "net_allowed_af");
if (size) {
- if (size > AF_MAX)
- goto fail;
-
for (i = 0; i < size; i++) {
+ /* discard extraneous rules that this kernel will
+ * never request
+ */
+ if (size > AF_MAX) {
+ u16 tmp;
+ if (!unpack_u16(e, &tmp, NULL) ||
+ !unpack_u16(e, &tmp, NULL) ||
+ !unpack_u16(e, &tmp, NULL))
+ goto fail;
+ continue;
+ }
if (!unpack_u16(e, &profile->net.allow[i], NULL))
goto fail;
if (!unpack_u16(e, &profile->net.audit[i], NULL))
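Review bot: the discard test is on the wrong variable: `if (size > AF_MAX)` is true on every iteration once the array is oversized, so all `size` entries are read into `tmp` and skipped, and `profile->net.allow[i]` / `profile->net.audit[i]` are never populated for the first AF_MAX families this kernel does understand. It should be `if (i >= AF_MAX)` so that only the entries beyond the kernel's table are dropped. Also worth confirming that the three `unpack_u16` calls in the discard branch equal the number of u16 fields unpacked per entry in the normal path (only `allow` and `audit` are visible in this hunk); if they differ, the stream goes out of sync after the first skipped entry.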
--
1.7.1

