Google Git
Sign in
kernel/pub/scm/linux/kernel/git/jj/linux-apparmor/refs/heads/5.2-outoftree^!/.
commit
4f5e6604eb764ca4ce6d4aff14573f63c8e50025
[log]
author
John Johansen <john.johansen@canonical.com>
Mon Jul 30 13:55:30 2018 -0700
committer
John Johansen <john.johansen@canonical.com>
Wed Jul 10 16:34:30 2019 -0700
tree
be635087d4563009a5d34406a29ae9f4fc5b21c8
parent
84380fcd00ab1ce239ff12abff8f60ecedb3a547 [diff]
UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

The apparmor policy language current does not allow expressing of the
locking permission for no-fs unix sockets. However the kernel is
enforcing mediation.

Add the AA_MAY_LOCK perm to the computed perm mask which will grant
permission for all current abi profiles, but still allow specifying
auditing of the operation if needed.

BugLink: http://bugs.launchpad.net/bugs/1780227
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 30c246a..ec24f86 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c

@@ -334,7 +334,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
 	/* for v5 perm mapping in the policydb, the other set is used
 	 * to extend the general perm set
 	 */
-	perms->allow |= map_other(dfa_other_allow(dfa, state));
+	perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
 	perms->audit |= map_other(dfa_other_audit(dfa, state));
 	perms->quiet |= map_other(dfa_other_quiet(dfa, state));
 //	perms->xindex = dfa_user_xindex(dfa, state);