09-15-2010, 09:41 PM
Tetsuo Handa

UBUNTU: SAUCE: AppArmor: allow newer tools to load policy on older kernels

John Johansen wrote:
> security/apparmor/policy_unpack.c | 3 ---
> 1 files changed, 0 insertions(+), 3 deletions(-)
>
> diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
> index 6b0637b..ef11ba9 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -575,9 +575,6 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
>
> size = unpack_array(e, "net_allowed_af");
> if (size) {
> - if (size > AF_MAX)
> - goto fail;
> -
> for (i = 0; i < size; i++) {
> if (!unpack_u16(e, &profile->net.allow[i], NULL))

If this patch changes to accept size > AF_MAX, this patch should change
to allocate net.allow[size] rather than net.allow[AF_MAX].

> goto fail;
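Review bot: dropping the `if (size > AF_MAX) goto fail;` guard leaves the `for (i = 0; i < size; i++)` loop writing `profile->net.allow[i]` past the end of the fixed-size `net.allow[AF_MAX]` array whenever a policy declares more address families than this kernel knows, and a policy from newer tools is exactly that case. Either keep the bound, size the array from `size` as suggested above, or skip entries with `i >= AF_MAX` while still consuming their bytes so the unpacker stays in sync with the stream.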

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 09-16-2010, 11:41 AM
John Johansen
 
Default UBUNTU: SAUCE: AppArmor: allow newer tools to load policyon older kernels

On 09/15/2010 02:41 PM, Tetsuo Handa wrote:
> John Johansen wrote:
>> security/apparmor/policy_unpack.c | 3 ---
>> 1 files changed, 0 insertions(+), 3 deletions(-)
>>
>> diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
>> index 6b0637b..ef11ba9 100644
>> --- a/security/apparmor/policy_unpack.c
>> +++ b/security/apparmor/policy_unpack.c
>> @@ -575,9 +575,6 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
>>
>> size = unpack_array(e, "net_allowed_af");
>> if (size) {
>> - if (size > AF_MAX)
>> - goto fail;
>> -
>> for (i = 0; i < size; i++) {
>> if (!unpack_u16(e, &profile->net.allow[i], NULL))
>
> If this patch changes to accept size > AF_MAX, this patch should change
> to allocate net.allow[size] rather than net.allow[AF_MAX].
>
>> goto fail;

Yes, it should. I did make that change, but it looks like I didn't push it
to the remote repo from which I pulled.

thanks Tetsuo

 
Old 09-17-2010, 11:54 PM
Tetsuo Handa
 
Default UBUNTU: SAUCE: AppArmor: allow newer tools to load policyon older kernels

John Johansen wrote:
> for (i = 0; i < size; i++) {
> + /* discard extraneous rules that this kernel will
> + * never request
> + */
> + if (size > AF_MAX) {

Do you want to discard all rules rather than extraneous rules?
I think this should be (i >= AF_MAX) rather than (size > AF_MAX).

> + u16 tmp;
> + if (!unpack_u16(e, &tmp, NULL) ||
> + !unpack_u16(e, &tmp, NULL) ||
> + !unpack_u16(e, &tmp, NULL))
> + goto fail;
> + continue;
> + }
> if (!unpack_u16(e, &profile->net.allow[i], NULL))
> goto fail;
> if (!unpack_u16(e, &profile->net.audit[i], NULL))
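Review bot: `if (size > AF_MAX)` in the added block is evaluated on every iteration but depends only on the array size, so once the policy carries more than AF_MAX families every entry, including the ones this kernel can index, is consumed into `tmp` and discarded; the intent stated in the comment ("discard extraneous rules") needs `if (i >= AF_MAX)` instead. It is also worth confirming that the three `unpack_u16(e, &tmp, NULL)` reads match exactly the number of per-family fields unpacked on the normal path (only `allow` and `audit` are visible in this hunk), since a mismatch desynchronises the stream for every later element.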

 
Old 09-21-2010, 08:32 AM
John Johansen
 
Default UBUNTU: SAUCE: AppArmor: allow newer tools to load policyon older kernels

On 09/17/2010 04:54 PM, Tetsuo Handa wrote:
> John Johansen wrote:
>> for (i = 0; i< size; i++) {
>> + /* discard extraneous rules that this kernel will
>> + * never request
>> + */
>> + if (size> AF_MAX) {
>
> Do you want to discard all rules rather than extraneous rules?
> I think this should be (i>= AF_MAX) rather than (size> AF_MAX).
>
>> + u16 tmp;
>> + if (!unpack_u16(e,&tmp, NULL) ||
>> + !unpack_u16(e,&tmp, NULL) ||
>> + !unpack_u16(e,&tmp, NULL))
>> + goto fail;
>> + continue;
>> + }
>> if (!unpack_u16(e,&profile->net.allow[i], NULL))
>> goto fail;
>> if (!unpack_u16(e,&profile->net.audit[i], NULL))

Sigh, yes. I can't believe I did that.

thanks Tetsuo

 
Old 09-21-2010, 11:31 AM
Tim Gardner
 
Default UBUNTU: SAUCE: AppArmor: allow newer tools to load policyon older kernels

On 09/21/2010 04:32 PM, John Johansen wrote:
> On 09/17/2010 04:54 PM, Tetsuo Handa wrote:
>> John Johansen wrote:
>>> for (i = 0; i< size; i++) {
>>> + /* discard extraneous rules that this kernel will
>>> + * never request
>>> + */
>>> + if (size> AF_MAX) {
>>
>> Do you want to discard all rules rather than extraneous rules?
>> I think this should be (i>= AF_MAX) rather than (size> AF_MAX).
>>
>>> + u16 tmp;
>>> + if (!unpack_u16(e,&tmp, NULL) ||
>>> + !unpack_u16(e,&tmp, NULL) ||
>>> + !unpack_u16(e,&tmp, NULL))
>>> + goto fail;
>>> + continue;
>>> + }
>>> if (!unpack_u16(e,&profile->net.allow[i], NULL))
>>> goto fail;
>>> if (!unpack_u16(e,&profile->net.audit[i], NULL))
>
> sigh, yes. I can't believe I did that
>
> thanks Tetsuo
>

So, what's the impact? Does this mean that we're dropping all AA rules?

rtg
--
Tim Gardner tim.gardner@canonical.com

 
Old 09-21-2010, 04:13 PM
John Johansen
 
Default UBUNTU: SAUCE: AppArmor: allow newer tools to load policyon older kernels

On 09/21/2010 04:31 AM, Tim Gardner wrote:
> On 09/21/2010 04:32 PM, John Johansen wrote:
>> On 09/17/2010 04:54 PM, Tetsuo Handa wrote:
>>> John Johansen wrote:
>>>> for (i = 0; i< size; i++) {
>>>> + /* discard extraneous rules that this kernel will
>>>> + * never request
>>>> + */
>>>> + if (size> AF_MAX) {
>>>
>>> Do you want to discard all rules rather than extraneous rules?
>>> I think this should be (i>= AF_MAX) rather than (size> AF_MAX).
>>>
>>>> + u16 tmp;
>>>> + if (!unpack_u16(e,&tmp, NULL) ||
>>>> + !unpack_u16(e,&tmp, NULL) ||
>>>> + !unpack_u16(e,&tmp, NULL))
>>>> + goto fail;
>>>> + continue;
>>>> + }
>>>> if (!unpack_u16(e,&profile->net.allow[i], NULL))
>>>> goto fail;
>>>> if (!unpack_u16(e,&profile->net.audit[i], NULL))
>>
>> sigh, yes. I can't believe I did that
>>
>> thanks Tetsuo
>>
>
> So, whats the impact? Does this mean that we're dropping all AA rules?
>
No. It means we will drop network rules if the tools are built against
a newer kernel tree that has added a new address family. Against the
current tools everything works.

To load policy the user has to be an unconfined root, at which point
they can load modules and do other nasties so there isn't a potential
escalation out of this. It should just potentially affect machines on
upgrade.

So we need to SRU a patch for this, but it is not release critical. I have the patch, and after I take a second look at it to make sure it is right this time, I will kick it out this morning.

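A model of the net_allowed_af loop discussed in this thread, added here as an example and not AppArmor's own code: a constructed array of u16 values stands in for struct aa_ext, AF_MAX is set to 4, and the third per-family field is assumed to be `quiet`. The `per_array_check` flag selects the posted `size > AF_MAX` condition or Tetsuo's `i >= AF_MAX` correction, so the two behaviours on a policy with more families than the kernel knows can be compared directly.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AF_MAX 4   /* constructed: this "kernel" knows 4 address families */
struct net_rules { uint16_t allow[AF_MAX], audit[AF_MAX], quiet[AF_MAX]; };
struct aa_ext { const uint16_t *pos, *end; };   /* constructed stream cursor */

static int unpack_u16(struct aa_ext *e, uint16_t *out) {
	if (e->pos >= e->end) return 0;   /* truncated policy: caller must fail */
	*out = *e->pos++;
	return 1;
}

/* The loop under review. per_array_check=1 reproduces the posted patch
 * (if (size > AF_MAX)); 0 applies Tetsuo's correction (if (i >= AF_MAX)).
 * Returns the number of families stored, or -1 if the stream runs short. */
static int unpack_net_allowed_af(struct aa_ext *e, size_t size,
				 struct net_rules *net, int per_array_check) {
	int stored = 0;
	for (size_t i = 0; i < size; i++) {
		uint16_t tmp;
		if (per_array_check ? (size > AF_MAX) : (i >= AF_MAX)) {
			/* Consume the entry to stay in sync; never index past AF_MAX. */
			if (!unpack_u16(e, &tmp) || !unpack_u16(e, &tmp) ||
			    !unpack_u16(e, &tmp))
				return -1;
			continue;
		}
		if (!unpack_u16(e, &net->allow[i]) || !unpack_u16(e, &net->audit[i]) ||
		    !unpack_u16(e, &net->quiet[i]))
			return -1;
		stored++;
	}
	return stored;
}

/* Builds a constructed stream of `families` entries (allow = family + 1,
 * audit = quiet = 0), as newer tools would emit, and unpacks it. */
int unpack_demo(size_t families, int per_array_check, struct net_rules *net) {
	uint16_t stream[3 * 16];                /* room for 16 families */
	if (families > 16) return -1;
	for (size_t i = 0; i < families; i++) {
		stream[3 * i] = (uint16_t)(i + 1);
		stream[3 * i + 1] = stream[3 * i + 2] = 0;
	}
	struct aa_ext e = { stream, stream + 3 * families };
	memset(net, 0, sizeof(*net));
	return unpack_net_allowed_af(&e, families, net, per_array_check);
}
```

With six families in the policy, the posted condition keeps none of them while the corrected one keeps the first four and discards only the two this kernel cannot index; both variants consume the whole stream, so neither writes past the arrays.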