| Message ID | 5163FC60.4000300@canonical.com |
|---|---|
| State | New |
| Headers | show |
On Tue, Apr 09, 2013 at 04:32:48AM -0700, John Johansen wrote: > The following changes since commit 82983bbf61f02dec860e266217f002c18a06006e: > > UBUNTU: Ubuntu-3.8.0-17.27 (2013-04-07 07:07:23 -0600) > > are available in the git repository at: > > git://kernel.ubuntu.com/jj/ubuntu-raring.git lp1163259 > > for you to fetch changes up to 881e7c4de917c7478ba1f1d75bc5b05b88c0423b: > > UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation (2013-04-09 02:05:39 -0700) > > ---------------------------------------------------------------- > John Johansen (1): > UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation > > security/apparmor/net.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > --- > > From 881e7c4de917c7478ba1f1d75bc5b05b88c0423b Mon Sep 17 00:00:00 2001 > From: John Johansen <john.johansen@canonical.com> > Date: Fri, 29 Jun 2012 17:34:00 -0700 > Subject: [PATCH] UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for > network mediation > > This fixes a bug in the apparmor networking patch that is not upstream > because it is being replaced by a newer patch. > > BugLink: http://bugs.launchpad.net/bugs/1163259 > > If a profile specified a quieting of network denials for a given rule by > either the quiet or deny rule qualifiers, the resultant quiet mask for > denied requests was applied incorrectly, resulting in two potential bugs. > 1. The misapplied quiet mask would prevent denials from being correctly > tested against the kill mask/mode. Thus network access requests that > should have resulted in the application being killed did not. > > 2. The actual quieting of the denied network request was not being applied. > This would result in network rejections always being logged even when > they had been specifically marked as quieted. > > Signed-off-by: John Johansen <john.johansen@canonical.com> > --- > security/apparmor/net.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/apparmor/net.c b/security/apparmor/net.c > index 003dd18..6e6e5c9 100644 > --- a/security/apparmor/net.c > +++ b/security/apparmor/net.c > @@ -88,7 +88,7 @@ static int audit_net(struct aa_profile *profile, int op, u16 family, int type, > } else { > u16 quiet_mask = profile->net.quiet[sa.u.net->family]; > u16 kill_mask = 0; > - u16 denied = (1 << sa.aad->net.type) & ~quiet_mask; > + u16 denied = (1 << sa.aad->net.type); > > if (denied & kill_mask) > audit_type = AUDIT_APPARMOR_KILL; > -- The following stanzas definatly expect the bits to be unmasked as they further mask against quiet_mask which would make no sense. Seems to do what is proposed. Acked-by: Andy Whitcroft <apw@canonical.com> -apw
On 09/04/13 12:32, John Johansen wrote: > The following changes since commit 82983bbf61f02dec860e266217f002c18a06006e: > > UBUNTU: Ubuntu-3.8.0-17.27 (2013-04-07 07:07:23 -0600) > > are available in the git repository at: > > git://kernel.ubuntu.com/jj/ubuntu-raring.git lp1163259 > > for you to fetch changes up to 881e7c4de917c7478ba1f1d75bc5b05b88c0423b: > > UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation (2013-04-09 02:05:39 -0700) > > ---------------------------------------------------------------- > John Johansen (1): > UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation > > security/apparmor/net.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > --- > > From 881e7c4de917c7478ba1f1d75bc5b05b88c0423b Mon Sep 17 00:00:00 2001 > From: John Johansen <john.johansen@canonical.com> > Date: Fri, 29 Jun 2012 17:34:00 -0700 > Subject: [PATCH] UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for > network mediation > > This fixes a bug in the apparmor networking patch that is not upstream > because it is being replaced by a newer patch. > > BugLink: http://bugs.launchpad.net/bugs/1163259 > > If a profile specified a quieting of network denials for a given rule by > either the quiet or deny rule qualifiers, the resultant quiet mask for > denied requests was applied incorrectly, resulting in two potential bugs. > 1. The misapplied quiet mask would prevent denials from being correctly > tested against the kill mask/mode. Thus network access requests that > should have resulted in the application being killed did not. > > 2. The actual quieting of the denied network request was not being applied. > This would result in network rejections always being logged even when > they had been specifically marked as quieted. > > Signed-off-by: John Johansen <john.johansen@canonical.com> > --- > security/apparmor/net.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/apparmor/net.c b/security/apparmor/net.c > index 003dd18..6e6e5c9 100644 > --- a/security/apparmor/net.c > +++ b/security/apparmor/net.c > @@ -88,7 +88,7 @@ static int audit_net(struct aa_profile *profile, int op, u16 family, int type, > } else { > u16 quiet_mask = profile->net.quiet[sa.u.net->family]; > u16 kill_mask = 0; > - u16 denied = (1 << sa.aad->net.type) & ~quiet_mask; > + u16 denied = (1 << sa.aad->net.type); > > if (denied & kill_mask) > audit_type = AUDIT_APPARMOR_KILL; > I concur with apw's comments on this patch. Looks sensible to me. Acked-by: Colin Ian King <colin.king@canonical.com>
Applied by Leann.
diff --git a/security/apparmor/net.c b/security/apparmor/net.c index 003dd18..6e6e5c9 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -88,7 +88,7 @@ static int audit_net(struct aa_profile *profile, int op, u16 family, int type, } else { u16 quiet_mask = profile->net.quiet[sa.u.net->family]; u16 kill_mask = 0; - u16 denied = (1 << sa.aad->net.type) & ~quiet_mask; + u16 denied = (1 << sa.aad->net.type); if (denied & kill_mask) audit_type = AUDIT_APPARMOR_KILL;
The following changes since commit 82983bbf61f02dec860e266217f002c18a06006e: UBUNTU: Ubuntu-3.8.0-17.27 (2013-04-07 07:07:23 -0600) are available in the git repository at: git://kernel.ubuntu.com/jj/ubuntu-raring.git lp1163259 for you to fetch changes up to 881e7c4de917c7478ba1f1d75bc5b05b88c0423b: UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation (2013-04-09 02:05:39 -0700) ---------------------------------------------------------------- John Johansen (1): UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation security/apparmor/net.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- From 881e7c4de917c7478ba1f1d75bc5b05b88c0423b Mon Sep 17 00:00:00 2001 From: John Johansen <john.johansen@canonical.com> Date: Fri, 29 Jun 2012 17:34:00 -0700 Subject: [PATCH] UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation This fixes a bug in the apparmor networking patch that is not upstream because it is being replaced by a newer patch. BugLink: http://bugs.launchpad.net/bugs/1163259 If a profile specified a quieting of network denials for a given rule by either the quiet or deny rule qualifiers, the resultant quiet mask for denied requests was applied incorrectly, resulting in two potential bugs. 1. The misapplied quiet mask would prevent denials from being correctly tested against the kill mask/mode. Thus network access requests that should have resulted in the application being killed did not. 2. The actual quieting of the denied network request was not being applied. This would result in network rejections always being logged even when they had been specifically marked as quieted. Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/apparmor/net.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)