packages (LINUX_3_0): kernel/kernel-apparmor.patch - revert back, no real c...

arekm arekm at pld-linux.org
Tue Nov 22 18:35:12 CET 2011


Author: arekm                        Date: Tue Nov 22 17:35:12 2011 GMT
Module: packages                      Tag: LINUX_3_0
---- Log message:
- revert back: no real changes, and our patch was fixed by hand to work with current kernels

---- Files affected:
packages/kernel:
   kernel-apparmor.patch (1.15.2.1 -> 1.15.2.2) 

---- Diffs:

================================================================
Index: packages/kernel/kernel-apparmor.patch
diff -u packages/kernel/kernel-apparmor.patch:1.15.2.1 packages/kernel/kernel-apparmor.patch:1.15.2.2
--- packages/kernel/kernel-apparmor.patch:1.15.2.1	Tue Nov 22 18:32:07 2011
+++ packages/kernel/kernel-apparmor.patch	Tue Nov 22 18:35:07 2011
@@ -1,6 +1,6 @@
-From dc13dec93dbd04bfa7a9ba67df1b8ed3431d8d48 Mon Sep 17 00:00:00 2001
+From 0ae314bc92d8b22250f04f85e4bd36ee9ed30890 Mon Sep 17 00:00:00 2001
 From: John Johansen <john.johansen at canonical.com>
-Date: Wed, 10 Aug 2011 22:02:39 -0700
+Date: Mon, 4 Oct 2010 15:03:36 -0700
 Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
 
 Add compatibility for v5 network rules.
@@ -20,10 +20,10 @@
  create mode 100644 security/apparmor/net.c
 
 diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
-index 88e78de..c63979a 100644
+index 112a550..d5f3dd7 100644
 --- a/include/linux/lsm_audit.h
 +++ b/include/linux/lsm_audit.h
-@@ -124,6 +124,10 @@ struct common_audit_data {
+@@ -123,6 +123,10 @@ struct common_audit_data {
  					u32 denied;
  					uid_t ouid;
  				} fs;
@@ -151,7 +151,7 @@
  };
  
 diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 3d2fd14..aa293ae 100644
+index ae3a698..05c018b 100644
 --- a/security/apparmor/lsm.c
 +++ b/security/apparmor/lsm.c
 @@ -32,6 +32,7 @@
@@ -162,7 +162,7 @@
  #include "include/path.h"
  #include "include/policy.h"
  #include "include/procattr.h"
-@@ -621,6 +622,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+@@ -610,5 +611,103 @@ static int apparmor_task_setrlimit(struct task_struct *task,
  	return error;
  }
  
@@ -264,10 +264,9 @@
 +	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
 +}
 +
- static struct security_operations apparmor_ops = {
- 	.name =				"apparmor",
- 
-@@ -652,6 +751,19 @@ static struct security_operations apparmor_ops = {
+ static int apparmor_task_setrlimit(struct task_struct *task,
+ 		unsigned int resource, struct rlimit *new_rlim)
+@@ -651,6 +750,19 @@ static struct security_operations apparmor_ops = {
  	.getprocattr =			apparmor_getprocattr,
  	.setprocattr =			apparmor_setprocattr,
  
@@ -476,7 +475,7 @@
  
  	aa_free_sid(profile->sid);
 diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
-index d6d9a57..f4874c4 100644
+index e33aaf7..fa3f1b4 100644
 --- a/security/apparmor/policy_unpack.c
 +++ b/security/apparmor/policy_unpack.c
 @@ -190,6 +190,19 @@ fail:
@@ -549,11 +548,11 @@
  	profile->file.dfa = unpack_dfa(e);
  	if (IS_ERR(profile->file.dfa)) {
 -- 
-1.7.5.4
+1.7.0.4
 
-From a2515f25ad5a7833ddc5a032d34eee6a5ddee3a2 Mon Sep 17 00:00:00 2001
+From cdc6b35345e5bcfe92bb2b52ef003f94ceedd40d Mon Sep 17 00:00:00 2001
 From: John Johansen <john.johansen at canonical.com>
-Date: Wed, 10 Aug 2011 22:02:40 -0700
+Date: Thu, 22 Jul 2010 02:32:02 -0700
 Subject: [PATCH 2/3] AppArmor: compatibility patch for v5 interface
 
 Signed-off-by: John Johansen <john.johansen at canonical.com>
@@ -940,5 +939,73 @@
 +
  #endif /* __AA_APPARMORFS_H */
 -- 
-1.7.5.4
+1.7.0.4
+
+From f17b28f64b963c47e76737f7bb7f58ce3a7c5249 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Tue, 20 Jul 2010 06:57:08 -0700
+Subject: [PATCH 3/3] AppArmor: Allow dfa backward compatibility with broken userspace
+
+The apparmor_parser when compiling policy could generate invalid dfas
+that did not have sufficient padding to avoid invalid references, when
+used by the kernel.  The kernels check to verify the next/check table
+size was broken meaning invalid dfas were being created by userspace
+and not caught.
+
+To remain compatible with old tools that are not fixed, pad the loaded
+dfas next/check table.  The dfa's themselves are valid except for the
+high padding for potentially invalid transitions (high bounds error),
+which have a maximimum is 256 entries.  So just allocate an extra null filled
+256 entries for the next/check tables.  This will guarentee all bounds
+are good and invalid transitions go to the null (0) state.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+---
+ security/apparmor/match.c |   17 +++++++++++++++++
+ 1 files changed, 17 insertions(+), 0 deletions(-)
+
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 06d764c..cf92856 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ 	if (bsize < tsize)
+ 		goto out;
+ 
++	/* Pad table allocation for next/check by 256 entries to remain
++	 * backwards compatible with old (buggy) tools and remain safe without
++	 * run time checks
++	 */
++	if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
++		tsize += 256 * th.td_flags;
++
+ 	table = kvmalloc(tsize);
+ 	if (table) {
++		/* ensure the pad is clear, else there will be errors */
++		memset(table, 0, tsize);
+ 		*table = th;
+ 		if (th.td_flags == YYTD_DATA8)
+ 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
+ 		goto out;
+ 
+ 	if (flags & DFA_FLAG_VERIFY_STATES) {
++		int warning = 0;
+ 		for (i = 0; i < state_count; i++) {
+ 			if (DEFAULT_TABLE(dfa)[i] >= state_count)
+ 				goto out;
+ 			/* TODO: do check that DEF state recursion terminates */
+ 			if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
++				if (warning)
++					continue;
++				printk(KERN_WARNING "AppArmor DFA next/check "
++				       "upper bounds error fixed, upgrade "
++				       "user space tools \n");
++				warning = 1;
++			} else if (BASE_TABLE(dfa)[i] >= trans_count) {
+ 				printk(KERN_ERR "AppArmor DFA next/check upper "
+ 				       "bounds error\n");
+ 				goto out;
+-- 
+1.7.0.4
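Review bot: The 256-entry pad added in unpack_table() and the relaxed `+ 255` bounds test in verify_dfa() depend on each other through an unnamed constant, and the warning branch stays in bounds only because the `else if (BASE_TABLE(dfa)[i] >= trans_count)` branch still rejects bases at or past the unpadded length; changing either side alone turns the warning case into an out-of-bounds read of the next/check tables. I would name the constant once (e.g. `#define DFA_PAD_ENTRIES 256`, used as `tsize += DFA_PAD_ENTRIES * th.td_flags;` and as `DFA_PAD_ENTRIES - 1` in place of the literal 255) and add a comment at the warning branch: `/* base + 255 may exceed td_lolen: unpack_table() pads NXT/CHK by 256 zeroed entries, so the read still lands inside the allocation */`. The pad computation also treats th.td_flags as the element width in bytes; that holds only if td_flags has been restricted to YYTD_DATA8/16/32 before this point, which is outside the hunk, so the comment on that line should state the assumption. Both unpack_table() and verify_dfa() begin before the hunk; the trailing space in `"user space tools \n"` is a nit.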
 
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel/kernel-apparmor.patch?r1=1.15.2.1&r2=1.15.2.2&f=u


