[{"id":1763279,"web_url":"http://patchwork.ozlabs.org/comment/1763279/","msgid":"<57f29a0b-4f28-df33-dce8-2c2cf4c35dfb@canonical.com>","list_archive_url":null,"date":"2017-09-05T12:13:34","subject":"ACK: [PATCH][Xenial][Zesty] UBUNTU: SAUCE: fix oops when disabled\n\tand module parameters, are accessed","submitter":{"id":2900,"url":"http://patchwork.ozlabs.org/api/people/2900/","name":"Colin Ian King","email":"colin.king@canonical.com"},"content":"On 01/09/17 08:05, John Johansen wrote:\n> The virtualization of apparmor module parameters failed to take into\n> account the parameters being accessed when apparmor is not enabled\n> in some cases.\n> \n> It also failed to take into account that policy_admin_capable checks\n> should not be applied to parameters specified at kernel boot as this\n> is the callback is used before apparmor is initialized.\n> \n> BugLink: http://bugs.launchpad.net/bugs/1626984\n> Signed-off-by: John Johansen <john.johansen@canonical.com>\n> ---\n>  security/apparmor/lsm.c | 52 +++++++++++++++++++++++++++++--------------------\n>  1 file changed, 31 insertions(+), 21 deletions(-)\n> \n> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c\n> index 70617e50a0d4..7951c3dc9393 100644\n> --- a/security/apparmor/lsm.c\n> +++ b/security/apparmor/lsm.c\n> @@ -41,7 +41,7 @@\n>  #include \"include/mount.h\"\n>  \n>  /* Flag indicating whether initialization completed */\n> -int apparmor_initialized __initdata;\n> +int apparmor_initialized;\n>  \n>  DEFINE_PER_CPU(struct aa_buffers, aa_buffers);\n>  \n> 
@@ -1409,74 +1409,83 @@ __setup(\"apparmor=\", apparmor_enabled_setup);\n>  /* set global flag turning off the ability to load policy */\n>  static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_admin_capable(NULL))\n> +\tif (!apparmor_enabled)\n> +\t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n>  \t\treturn -EPERM;\n>  \treturn param_set_bool(val, kp);\n>  }\n>  \n>  static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn param_get_bool(buffer, kp);\n>  }\n>  \n>  static int param_set_aabool(const char *val, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_admin_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn param_set_bool(val, kp);\n>  }\n>  \n>  static int param_get_aabool(char *buffer, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn param_get_bool(buffer, kp);\n>  }\n>  \n>  static int param_set_aauint(const char *val, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_admin_capable(NULL))\n> -\t\treturn -EPERM;\n> +\tint error;\n> +\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> -\treturn param_set_uint(val, kp);\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n> +\t\treturn -EPERM;\n> +\n> +\terror = param_set_uint(val, kp);\n> +\tpr_info(\"AppArmor: buffer size set to %d bytes\\n\", aa_g_path_max);\n> +\n> +\treturn error;\n>  }\n>  \n>  static int 
param_get_aauint(char *buffer, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn param_get_uint(buffer, kp);\n>  }\n>  \n>  static int param_get_audit(char *buffer, struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn sprintf(buffer, \"%s\", audit_mode_names[aa_g_audit]);\n>  }\n>  \n>  static int param_set_audit(const char *val, struct kernel_param *kp)\n>  {\n>  \tint i;\n> -\tif (!policy_admin_capable(NULL))\n> -\t\treturn -EPERM;\n> +\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n>  \tif (!val)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n> +\t\treturn -EPERM;\n>  \n>  \tfor (i = 0; i < AUDIT_MAX_INDEX; i++) {\n>  \t\tif (strcmp(val, audit_mode_names[i]) == 0) {\n> @@ -1490,10 +1499,10 @@ static int param_set_audit(const char *val, struct kernel_param *kp)\n>  \n>  static int param_get_mode(char *buffer, struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \n>  \treturn sprintf(buffer, \"%s\", aa_profile_mode_names[aa_g_profile_mode]);\n>  }\n> 
@@ -1501,12 +1510,13 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)\n>  static int param_set_mode(const char *val, struct kernel_param *kp)\n>  {\n>  \tint i;\n> -\tif (!policy_admin_capable(NULL))\n> -\t\treturn -EPERM;\n> +\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n>  \tif (!val)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n> +\t\treturn -EPERM;\n>  \n>  \tfor (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {\n>  \t\tif (strcmp(val, aa_profile_mode_names[i]) == 0) {\n> \nAcked-by: Colin Ian King <colin.king@canonical.com>","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xmlxJ3Dckz9sRV;\n\tTue,  5 Sep 2017 22:13:40 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dpCjZ-0003LM-Fz; Tue, 05 Sep 2017 12:13:37 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <colin.king@canonical.com>)\n\tid 1dpCjX-0003LE-8U\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 12:13:35 +0000","from 1.general.cking.uk.vpn ([10.172.193.212])\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <colin.king@canonical.com>)\n\tid 1dpCjW-00048c-Vu; Tue, 05 Sep 2017 12:13:35 +0000"],"Subject":"ACK: 
[PATCH][Xenial][Zesty] UBUNTU: SAUCE: fix oops when disabled\n\tand module parameters, are accessed","To":"John Johansen <john.johansen@canonical.com>,\n\tKernel team list <kernel-team@lists.ubuntu.com>","References":"<b8b6a59e-4483-addf-85e6-5d45ea2d6364@canonical.com>","From":"Colin Ian King <colin.king@canonical.com>","Message-ID":"<57f29a0b-4f28-df33-dce8-2c2cf4c35dfb@canonical.com>","Date":"Tue, 5 Sep 2017 13:13:34 +0100","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101\n\tThunderbird/45.8.0","MIME-Version":"1.0","In-Reply-To":"<b8b6a59e-4483-addf-85e6-5d45ea2d6364@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}},{"id":1763445,"web_url":"http://patchwork.ozlabs.org/comment/1763445/","msgid":"<02bc182f-0c6a-6e12-1f5a-792f10333e95@canonical.com>","list_archive_url":null,"date":"2017-09-05T15:23:42","subject":"ACK: [PATCH][Xenial][Zesty] UBUNTU: SAUCE: fix oops when disabled\n\tand module parameters, are accessed","submitter":{"id":2898,"url":"http://patchwork.ozlabs.org/api/people/2898/","name":"Stefan Bader","email":"stefan.bader@canonical.com"},"content":"On 01.09.2017 09:05, John Johansen wrote:\n> The virtualization of apparmor module 
parameters failed to take into\n> account the parameters being accessed when apparmor is not enabled\n> in some cases.\n> \n> It also failed to take into account that policy_admin_capable checks\n> should not be applied to parameters specified at kernel boot as this\n> is the callback is used before apparmor is initialized.\n> \n> BugLink: http://bugs.launchpad.net/bugs/1626984\n> Signed-off-by: John Johansen <john.johansen@canonical.com>\nAcked-by: Stefan Bader <stefan.bader@canonical.com>\n\n> ---\n>  security/apparmor/lsm.c | 52 +++++++++++++++++++++++++++++--------------------\n>  1 file changed, 31 insertions(+), 21 deletions(-)\n> \n> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c\n> index 70617e50a0d4..7951c3dc9393 100644\n> --- a/security/apparmor/lsm.c\n> +++ b/security/apparmor/lsm.c\n> @@ -41,7 +41,7 @@\n>  #include \"include/mount.h\"\n>  \n>  /* Flag indicating whether initialization completed */\n> -int apparmor_initialized __initdata;\n> +int apparmor_initialized;\n>  \n>  DEFINE_PER_CPU(struct aa_buffers, aa_buffers);\n>  \n> 
@@ -1409,74 +1409,83 @@ __setup(\"apparmor=\", apparmor_enabled_setup);\n>  /* set global flag turning off the ability to load policy */\n>  static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_admin_capable(NULL))\n> +\tif (!apparmor_enabled)\n> +\t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n>  \t\treturn -EPERM;\n>  \treturn param_set_bool(val, kp);\n>  }\n>  \n>  static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn param_get_bool(buffer, kp);\n>  }\n>  \n>  static int param_set_aabool(const char *val, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_admin_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn param_set_bool(val, kp);\n>  }\n>  \n>  static int param_get_aabool(char *buffer, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn param_get_bool(buffer, kp);\n>  }\n>  \n>  static int param_set_aauint(const char *val, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_admin_capable(NULL))\n> -\t\treturn -EPERM;\n> +\tint error;\n> +\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> -\treturn param_set_uint(val, kp);\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n> +\t\treturn -EPERM;\n> +\n> +\terror = param_set_uint(val, kp);\n> +\tpr_info(\"AppArmor: buffer size set to %d bytes\\n\", aa_g_path_max);\n> +\n> +\treturn error;\n>  }\n>  \n>  static int 
param_get_aauint(char *buffer, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn param_get_uint(buffer, kp);\n>  }\n>  \n>  static int param_get_audit(char *buffer, struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn sprintf(buffer, \"%s\", audit_mode_names[aa_g_audit]);\n>  }\n>  \n>  static int param_set_audit(const char *val, struct kernel_param *kp)\n>  {\n>  \tint i;\n> -\tif (!policy_admin_capable(NULL))\n> -\t\treturn -EPERM;\n> +\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n>  \tif (!val)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n> +\t\treturn -EPERM;\n>  \n>  \tfor (i = 0; i < AUDIT_MAX_INDEX; i++) {\n>  \t\tif (strcmp(val, audit_mode_names[i]) == 0) {\n> @@ -1490,10 +1499,10 @@ static int param_set_audit(const char *val, struct kernel_param *kp)\n>  \n>  static int param_get_mode(char *buffer, struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \n>  \treturn sprintf(buffer, \"%s\", aa_profile_mode_names[aa_g_profile_mode]);\n>  }\n> 
@@ -1501,12 +1510,13 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)\n>  static int param_set_mode(const char *val, struct kernel_param *kp)\n>  {\n>  \tint i;\n> -\tif (!policy_admin_capable(NULL))\n> -\t\treturn -EPERM;\n> +\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n>  \tif (!val)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n> +\t\treturn -EPERM;\n>  \n>  \tfor (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {\n>  \t\tif (strcmp(val, aa_profile_mode_names[i]) == 0) {\n>","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xmr8h3zSMz9ryQ;\n\tWed,  6 Sep 2017 01:23:48 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dpFhZ-0007XK-RF; Tue, 05 Sep 2017 15:23:45 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <stefan.bader@canonical.com>)\n\tid 1dpFhX-0007Ww-E1\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 15:23:43 +0000","from 1.general.smb.uk.vpn ([10.172.193.28])\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <stefan.bader@canonical.com>)\n\tid 1dpFhX-0006kp-5x\n\tfor kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 15:23:43 +0000"],"Subject":"ACK: [PATCH][Xenial][Zesty] UBUNTU: 
SAUCE: fix oops when disabled\n\tand module parameters, are accessed","To":"kernel-team@lists.ubuntu.com","References":"<b8b6a59e-4483-addf-85e6-5d45ea2d6364@canonical.com>","From":"Stefan Bader <stefan.bader@canonical.com>","Message-ID":"<02bc182f-0c6a-6e12-1f5a-792f10333e95@canonical.com>","Date":"Tue, 5 Sep 2017 17:23:42 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<b8b6a59e-4483-addf-85e6-5d45ea2d6364@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"multipart/mixed;\n\tboundary=\"===============0843338699384317730==\"","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}},{"id":1769175,"web_url":"http://patchwork.ozlabs.org/comment/1769175/","msgid":"<75c11c14-47cf-b832-d66d-4ea939138730@canonical.com>","list_archive_url":null,"date":"2017-09-15T13:11:25","subject":"APPLIED X/REJECTED Z: [PATCH][Xenial][Zesty] UBUNTU: SAUCE: fix oops\n\twhen disabled and module parameters, are accessed","submitter":{"id":2898,"url":"http://patchwork.ozlabs.org/api/people/2898/","name":"Stefan Bader","email":"stefan.bader@canonical.com"},"content":"On 01.09.2017 09:05, John Johansen wrote:\n> The virtualization of apparmor module parameters failed to take into\n> account the parameters being accessed when apparmor 
is not enabled\n> in some cases.\n> \n> It also failed to take into account that policy_admin_capable checks\n> should not be applied to parameters specified at kernel boot as this\n> is the callback is used before apparmor is initialized.\n> \n> BugLink: http://bugs.launchpad.net/bugs/1626984\n> Signed-off-by: John Johansen <john.johansen@canonical.com>\n> ---\n>  security/apparmor/lsm.c | 52 +++++++++++++++++++++++++++++--------------------\n>  1 file changed, 31 insertions(+), 21 deletions(-)\n> \n> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c\n> index 70617e50a0d4..7951c3dc9393 100644\n> --- a/security/apparmor/lsm.c\n> +++ b/security/apparmor/lsm.c\n> @@ -41,7 +41,7 @@\n>  #include \"include/mount.h\"\n>  \n>  /* Flag indicating whether initialization completed */\n> -int apparmor_initialized __initdata;\n> +int apparmor_initialized;\n>  \n>  DEFINE_PER_CPU(struct aa_buffers, aa_buffers);\n>  \n> 
@@ -1409,74 +1409,83 @@ __setup(\"apparmor=\", apparmor_enabled_setup);\n>  /* set global flag turning off the ability to load policy */\n>  static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_admin_capable(NULL))\n> +\tif (!apparmor_enabled)\n> +\t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n>  \t\treturn -EPERM;\n>  \treturn param_set_bool(val, kp);\n>  }\n>  \n>  static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn param_get_bool(buffer, kp);\n>  }\n>  \n>  static int param_set_aabool(const char *val, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_admin_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn param_set_bool(val, kp);\n>  }\n>  \n>  static int param_get_aabool(char *buffer, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn param_get_bool(buffer, kp);\n>  }\n>  \n>  static int param_set_aauint(const char *val, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_admin_capable(NULL))\n> -\t\treturn -EPERM;\n> +\tint error;\n> +\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> -\treturn param_set_uint(val, kp);\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n> +\t\treturn -EPERM;\n> +\n> +\terror = param_set_uint(val, kp);\n> +\tpr_info(\"AppArmor: buffer size set to %d bytes\\n\", aa_g_path_max);\n> +\n> +\treturn error;\n>  }\n>  \n>  static int 
param_get_aauint(char *buffer, const struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn param_get_uint(buffer, kp);\n>  }\n>  \n>  static int param_get_audit(char *buffer, struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \treturn sprintf(buffer, \"%s\", audit_mode_names[aa_g_audit]);\n>  }\n>  \n>  static int param_set_audit(const char *val, struct kernel_param *kp)\n>  {\n>  \tint i;\n> -\tif (!policy_admin_capable(NULL))\n> -\t\treturn -EPERM;\n> +\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n>  \tif (!val)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n> +\t\treturn -EPERM;\n>  \n>  \tfor (i = 0; i < AUDIT_MAX_INDEX; i++) {\n>  \t\tif (strcmp(val, audit_mode_names[i]) == 0) {\n> @@ -1490,10 +1499,10 @@ static int param_set_audit(const char *val, struct kernel_param *kp)\n>  \n>  static int param_get_mode(char *buffer, struct kernel_param *kp)\n>  {\n> -\tif (!policy_view_capable(NULL))\n> -\t\treturn -EPERM;\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_view_capable(NULL))\n> +\t\treturn -EPERM;\n>  \n>  \treturn sprintf(buffer, \"%s\", aa_profile_mode_names[aa_g_profile_mode]);\n>  }\n> 
@@ -1501,12 +1510,13 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)\n>  static int param_set_mode(const char *val, struct kernel_param *kp)\n>  {\n>  \tint i;\n> -\tif (!policy_admin_capable(NULL))\n> -\t\treturn -EPERM;\n> +\n>  \tif (!apparmor_enabled)\n>  \t\treturn -EINVAL;\n>  \tif (!val)\n>  \t\treturn -EINVAL;\n> +\tif (apparmor_initialized && !policy_admin_capable(NULL))\n> +\t\treturn -EPERM;\n>  \n>  \tfor (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {\n>  \t\tif (strcmp(val, aa_profile_mode_names[i]) == 0) {\n> \nThis patch is already applied in Zesty (and was even before release) as\n\nUBUNTU: SAUCE: apparmor: fix parameters so that the permission test is bypas\nsed at boot\n\n    BugLink: http://bugs.launchpad.net/bugs/1678048","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xtwlT6Nvxz9sRm;\n\tFri, 15 Sep 2017 23:11:33 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dsqP1-00039o-Ss; Fri, 15 Sep 2017 13:11:27 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <stefan.bader@canonical.com>)\n\tid 1dsqP0-00039b-NV\n\tfor kernel-team@lists.ubuntu.com; Fri, 15 Sep 2017 13:11:26 +0000","from 1.general.smb.uk.vpn ([10.172.193.28])\n\tby youngberry.canonical.com with 
esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <stefan.bader@canonical.com>)\n\tid 1dsqP0-00040z-FI; Fri, 15 Sep 2017 13:11:26 +0000"],"Subject":"APPLIED X/REJECTED Z: [PATCH][Xenial][Zesty] UBUNTU: SAUCE: fix oops\n\twhen disabled and module parameters, are accessed","To":"John Johansen <john.johansen@canonical.com>,\n\tKernel team list <kernel-team@lists.ubuntu.com>","References":"<b8b6a59e-4483-addf-85e6-5d45ea2d6364@canonical.com>","From":"Stefan Bader <stefan.bader@canonical.com>","Message-ID":"<75c11c14-47cf-b832-d66d-4ea939138730@canonical.com>","Date":"Fri, 15 Sep 2017 15:11:25 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<b8b6a59e-4483-addf-85e6-5d45ea2d6364@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"multipart/mixed;\n\tboundary=\"===============2075884328740172519==\"","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}}]
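Review bot: In the `@@ -41,7 +41,7 @@` hunk of security/apparmor/lsm.c, the removal of `__initdata` from `apparmor_initialized` is not mentioned in the commit message, although the rest of the patch depends on it: the parameter callbacks now read the flag on every access, including after init memory has been released. A sentence in the changelog saying so would help, and the comment above the declaration could note that the module-parameter get/set handlers consult the flag at runtime.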
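Review bot: In param_set_aauint() (the `@@ -1409,74 +1409,83 @@` hunk), the new pr_info() runs even when param_set_uint() returns an error, so the log can report a buffer size as set when the write was rejected. It also prints the fixed global aa_g_path_max with `%d` regardless of which parameter `kp` refers to, while the value is parsed as an unsigned int. Suggest emitting the message only when `error` is 0 and using `%u`. In the same hunk, the `apparmor_initialized &&` guard skips policy_admin_capable()/policy_view_capable() for every call made before initialization completes; a short comment at its first use, stating that only boot-time parameter parsing is expected to reach the callbacks that early, would document the assumption the capability bypass relies on.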