[packages/kernel/LINUX_6_1] Revert "Backport ability to load apparmor profile hats before main profile is loaded."

Fri Sep 15 23:22:19 CEST 2023

commit 0726731452f60222bffa08072d57980c0c1743c3
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Fri Sep 15 23:19:34 2023 +0200

    Revert "Backport ability to load apparmor profile hats before main profile is loaded."
    
    This reverts commit 5b9b6926302b41c0d4a3db978d862df50ba5d45e.
    
    (needs more backporting)

 apparmor.patch | 133 ---------------------------------------------------------
 kernel.spec    |   2 -
 2 files changed, 135 deletions(-)
---

diff --git a/kernel.spec b/kernel.spec
index 97dd6cc6..93989fbc 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -155,7 +155,6 @@ Patch2:		android-enable-building-binder-as-module.patch
 # http://dev.gentoo.org/~spock/projects/fbcondecor/archive/fbcondecor-0.9.4-2.6.25-rc6.patch
 Patch3:		kernel-fbcondecor.patch
 Patch6:		linux-wistron-nx.patch
-Patch7:		apparmor.patch
 
 # netfilter related stuff mostly based on patch-o-matic-ng
 # snapshot 20070806 with some fixes. Some modules
@@ -616,7 +615,6 @@ cd linux-%{basever}
 %patch3 -p1
 %endif
 %patch6 -p1
-%patch7 -p1
 
 ## netfilter
 #
diff --git a/apparmor.patch b/apparmor.patch
deleted file mode 100644
index 9bb9ff38..00000000
--- a/apparmor.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-commit 665b1856dc2399828d8ee07a18d4fd79868e729a
-Author: John Johansen <john.johansen at canonical.com>
-Date:   Mon Oct 3 06:06:26 2022 -0700
-
-    apparmor: Fix loading of child before parent
-    
-    Unfortunately it is possible for some userspace's to load children
-    profiles before the parent profile. This can even happen when the
-    child and the parent are in different load sets.
-    
-    Fix this by creating a null place holder profile that grants no permissions
-    and can be replaced by the parent once it is loaded.
-    
-    Signed-off-by: John Johansen <john.johansen at canonical.com>
-
-diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
-index c17ccedd35f1..66034cf96f4c 100644
---- a/security/apparmor/policy.c
-+++ b/security/apparmor/policy.c
-@@ -423,6 +423,57 @@ static struct aa_policy *__lookup_parent(struct aa_ns *ns,
- 	return &profile->base;
- }
- 
-+/**
-+ * __create_missing_ancestors - create place holders for missing ancestores
-+ * @ns: namespace to lookup profile in (NOT NULL)
-+ * @hname: hierarchical profile name to find parent of (NOT NULL)
-+ * @gfp: type of allocation.
-+ *
-+ * Returns: NULL on error, parent profile on success
-+ *
-+ * Requires: ns mutex lock held
-+ *
-+ * Returns: unrefcounted parent policy or NULL if error creating
-+ *          place holder profiles.
-+ */
-+static struct aa_policy *__create_missing_ancestors(struct aa_ns *ns,
-+						    const char *hname,
-+						    gfp_t gfp)
-+{
-+	struct aa_policy *policy;
-+	struct aa_profile *parent, *profile = NULL;
-+	char *split;
-+
-+	AA_BUG(!ns);
-+	AA_BUG(!hname);
-+
-+	policy = &ns->base;
-+
-+	for (split = strstr(hname, "//"); split;) {
-+		parent = profile;
-+		profile = __strn_find_child(&policy->profiles, hname,
-+					    split - hname);
-+		if (!profile) {
-+			const char *name = kstrndup(hname, split - hname,
-+						    gfp);
-+			if (!name)
-+				return NULL;
-+			profile = aa_alloc_null(parent, name, gfp);
-+			kfree(name);
-+			if (!profile)
-+				return NULL;
-+			if (!parent)
-+				profile->ns = aa_get_ns(ns);
-+		}
-+		policy = &profile->base;
-+		hname = split + 2;
-+		split = strstr(hname, "//");
-+	}
-+	if (!profile)
-+		return &ns->base;
-+	return &profile->base;
-+}
-+
- /**
-  * __lookupn_profile - lookup the profile matching @hname
-  * @base: base list to start looking up profile name from  (NOT NULL)
-@@ -1032,6 +1083,7 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
- 	/* setup parent and ns info */
- 	list_for_each_entry(ent, &lh, list) {
- 		struct aa_policy *policy;
-+		struct aa_profile *p;
- 
- 		if (aa_g_export_binary)
- 			ent->new->rawdata = aa_get_loaddata(udata);
-@@ -1056,21 +1108,38 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
- 			continue;
- 
- 		/* no ref on policy only use inside lock */
-+		p = NULL;
- 		policy = __lookup_parent(ns, ent->new->base.hname);
- 		if (!policy) {
--			struct aa_profile *p;
-+			/* first check for parent in the load set */
- 			p = __list_lookup_parent(&lh, ent->new);
- 			if (!p) {
--				error = -ENOENT;
--				info = "parent does not exist";
--				goto fail_lock;
-+				/*
-+				 * fill in missing parent with null
-+				 * profile that doesn't have
-+				 * permissions. This allows for
-+				 * individual profile loading where
-+				 * the child is loaded before the
-+				 * parent, and outside of the current
-+				 * atomic set. This unfortunately can
-+				 * happen with some userspaces.  The
-+				 * null profile will be replaced once
-+				 * the parent is loaded.
-+				 */
-+				policy = __create_missing_ancestors(ns,
-+							ent->new->base.hname,
-+							GFP_KERNEL);
-+				if (!policy) {
-+					error = -ENOENT;
-+					info = "parent does not exist";
-+					goto fail_lock;
-+				}
- 			}
--			rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
--		} else if (policy != &ns->base) {
--			/* released on profile replacement or free_profile */
--			struct aa_profile *p = (struct aa_profile *) policy;
--			rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
- 		}
-+		if (!p && policy != &ns->base)
-+			/* released on profile replacement or free_profile */
-+			p = (struct aa_profile *) policy;
-+		rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
- 	}
- 
- 	/* create new fs entries for introspection if needed */
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/0726731452f60222bffa08072d57980c0c1743c3

