Dear John,
On 10/24/17 12:55, John Johansen wrote:
> On 10/24/2017 02:32 AM, Paul Menzel wrote:
>> I’d really like to try the Linux kernel fix. Can I get it from
>> somewhere?
>>
> commit 8baea25455c08173713fdbceac99309192518ffb
> Author: John Johansen <[email protected]>
> Date:   Mon Oct 23 08:51:24 2017 -0700
>
>     apparmor: fix regression in network mediation when using feature pinning
>
>     When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
>     or earlier pinned feature set, there is a regression in network
>     mediation where policy is not being correctly enforced, because the
>     compilation is completely dropping the af mediation table as expected
>     by pre 4.14 kernels but the 4.14 kernel is not accounting for this.
>
>     Resulting in network denials that can not be fixed by policy.
>
>     Fixes: 651e28c5537a ("apparmor: add base infastructure for socket
>     mediation")
>     Signed-off-by: John Johansen <[email protected]>
>
> diff --git a/security/apparmor/policy_unpack.c
> b/security/apparmor/policy_unpack.c
> index 5a2aec358322..e348f8dec45d 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -755,6 +755,10 @@ static struct aa_profile *unpack_profile(struct aa_ext
> *e, char **ns_name)
>  		}
>  		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
>  			goto fail;
> +	} else {
> +		/* support policy pre AF socket mediation */
> +		for (i = 0; i < AF_MAX; i++)
> +			profile->net.allow[i] = 0xffff;
>  	}
>  	if (VERSION_LT(e->version, v7)) {
>  		/* pre v7 policy always allowed these */

Thank you. Can I pull it from a tree? Trying [1], I am asked for credentials.

```
$ git remote add ubuntu https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source
$ git fetch ubuntu
Username for 'https://git.launchpad.net':
```

Kind regards,

Paul

[1] https://code.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/saucy/+ref/mako

--
https://bugs.launchpad.net/bugs/1721278

Title:
  apparmor="DENIED" operation="create" profile="/usr/sbin/cups-browsed" w/ 4.14-rc2 and later
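Review bot: the new `else` branch in the unpack_profile() hunk writes the bare literal `0xffff` into `profile->net.allow[i]` for every index up to `AF_MAX`, and nothing in the hunk ties that value to the width of an `allow` entry or names what it grants; a named all-permissions mask, or at least extending the comment `/* support policy pre AF socket mediation */` to say that 0xffff means every socket type for every address family, would make the intent checkable in review. Because this is a fail-open default taken whenever the policy blob carries no af mediation table, the comment should also state the condition the commit message gives (a pre-4.14 pinned feature set that cannot emit the table) so a later reader does not mistake it for a general fallback. Only `net.allow` is populated; if leaving the audit and quiet entries at zero is deliberate for this compatibility path, a short note saying so would help.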
