From patchwork Tue Apr 9 11:33:02 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 235055
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id DFF802C00C2
	for ; Tue, 9 Apr 2013 21:33:12 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from ) id 1UPWnT-0004Yt-Ly; Tue, 09 Apr 2013 11:33:07 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from ) id 1UPWnR-0004Y0-Bd
	for kernel-team@lists.ubuntu.com; Tue, 09 Apr 2013 11:33:05 +0000
Received: from static-50-53-34-211.bvtn.or.frontiernet.net ([50.53.34.211] helo=[192.168.192.110])
	by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from ) id 1UPWnR-0000XO-3N
	for kernel-team@lists.ubuntu.com; Tue, 09 Apr 2013 11:33:05 +0000
Message-ID: <5163FC6E.6070404@canonical.com>
Date: Tue, 09 Apr 2013 04:33:02 -0700
From: John Johansen
Organization: Canonical
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130404 Thunderbird/17.0.5
MIME-Version: 1.0
To: Kernel team list
Subject: [PATCH][Quantal] apparmor: Fix quieting of audit messages for network mediation
X-Enigmail-Version: 1.4.6
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

The following changes since commit e13650a092887728d555bc21e2ea9cd7aab53d9e:

  UBUNTU: Ubuntu-3.5.0-27.46 (2013-03-25 14:33:09 -0500)

are available in the git repository at:

  git://kernel.ubuntu.com/jj/ubuntu-quantal.git lp1156769

for you to fetch changes up to 35ad0a8c35a4817f4f0f34d15462c5fd11f10f40:

  UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation (2013-04-09 02:50:48 -0700)

----------------------------------------------------------------
John Johansen (1):
      UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation

 security/apparmor/net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Acked-by: Andy Whitcroft
Acked-by: Colin Ian King
---
From 35ad0a8c35a4817f4f0f34d15462c5fd11f10f40 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Fri, 29 Jun 2012 17:34:00 -0700
Subject: [PATCH] UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation

This fixes a bug in the apparmor networking patch that is not upstream
because it is being replaced by a newer patch.

BugLink: http://bugs.launchpad.net/bugs/1163259

If a profile specified a quieting of network denials for a given rule by
either the quiet or deny rule qualifiers, the resultant quiet mask for
denied requests was applied incorrectly, resulting in two potential bugs.

1. The misapplied quiet mask would prevent denials from being correctly
   tested against the kill mask/mode. Thus network access requests that
   should have resulted in the application being killed did not.

2. The actual quieting of the denied network request was not being
   applied. This would result in network rejections always being logged
   even when they had been specifically marked as quieted.

Signed-off-by: John Johansen
---
 security/apparmor/net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/net.c b/security/apparmor/net.c
index 003dd18..6e6e5c9 100644
--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
@@ -88,7 +88,7 @@ static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
 	} else {
 		u16 quiet_mask = profile->net.quiet[sa.u.net->family];
 		u16 kill_mask = 0;
-		u16 denied = (1 << sa.aad->net.type) & ~quiet_mask;
+		u16 denied = (1 << sa.aad->net.type);
 
 		if (denied & kill_mask)
 			audit_type = AUDIT_APPARMOR_KILL;
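Review bot: with `u16 kill_mask = 0;` two lines above the changed line, `denied & kill_mask` is always zero, so the `AUDIT_APPARMOR_KILL` branch in this hunk is unreachable whether or not `~quiet_mask` is folded into `denied`; the first bug in the commit message (denials not being tested against the kill mask) can only be fixed once `kill_mask` is populated, so either say so in the message or wire `kill_mask` up in this patch. Also, once the mask is dropped from `denied`, nothing in the shown context consumes `quiet_mask` any more; the logging suppression the message describes must happen below the visible lines, and it would be worth stating in the message (or adding a test) that a `quiet`- or `deny`-qualified rule now actually stops the rejection from being logged.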
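The two bugs described in the commit message both come from where the quiet mask is applied relative to the kill check. The following is an added illustrative model, not AppArmor's code and not part of the original mail: it reduces the decision in the hunk to pure functions over a quiet mask, a kill mask and a socket type bit. It assumes (as the commit message implies but the visible hunk does not show) that the code below the hunk suppresses logging when `denied & quiet_mask` is non-zero, and it takes the kill mask as a parameter rather than the constant `0` seen in the hunk, so that the kill path can be exercised. The names `audit_denied_old`/`audit_denied_new` and the result enum are assumptions for the example.

```c
/* Added illustrative model of the audit decision in the AppArmor network
 * mediation hunk. Not AppArmor code: names and the result enum are assumed.
 * A socket type is represented by the bit (1 << type) in a u16 mask, matching
 * the profile->net.quiet[family] layout used in the hunk. */
#include <stdint.h>
#include <stdio.h>

enum audit_result {
	AUDIT_LOG_DENIED = 0,	/* denial is logged (the default for a rejection) */
	AUDIT_QUIET = 1,	/* denial is suppressed by a quiet/deny qualifier */
	AUDIT_KILL = 2		/* denial kills the task (kill mask/mode) */
};

static uint16_t type_bit(unsigned type)
{
	return (uint16_t)(1u << type);
}

/* Decision as it stood before the patch: ~quiet_mask is folded into
 * `denied` before anything else looks at it. */
enum audit_result audit_denied_old(uint16_t quiet_mask, uint16_t kill_mask,
				   unsigned type)
{
	uint16_t denied = type_bit(type) & (uint16_t)~quiet_mask;

	if (denied & kill_mask)		/* bug 1: a quieted type never gets here */
		return AUDIT_KILL;
	/* Assumed later check (not in the visible hunk): bug 2, the quiet
	 * bits were already stripped from `denied`, so this is never true. */
	if (denied & quiet_mask)
		return AUDIT_QUIET;
	return AUDIT_LOG_DENIED;
}

/* Decision after the patch: `denied` carries the raw type bit, so both the
 * kill test and the assumed later quiet test see it. */
enum audit_result audit_denied_new(uint16_t quiet_mask, uint16_t kill_mask,
				   unsigned type)
{
	uint16_t denied = type_bit(type);

	if (denied & kill_mask)
		return AUDIT_KILL;
	if (denied & quiet_mask)
		return AUDIT_QUIET;
	return AUDIT_LOG_DENIED;
}

static const char *name(enum audit_result r)
{
	return r == AUDIT_KILL ? "kill" : r == AUDIT_QUIET ? "quiet" : "log";
}

int main(void)
{
	/* Constructed masks: type 2 is both quieted and in the kill mask,
	 * type 1 is only quieted, type 3 is neither. */
	const uint16_t quiet = type_bit(2) | type_bit(1);
	const uint16_t kill = type_bit(2);
	unsigned t;

	printf("type  old    new\n");
	for (t = 1; t <= 3; t++)
		printf("%4u  %-5s  %-5s\n", t,
		       name(audit_denied_old(quiet, kill, t)),
		       name(audit_denied_new(quiet, kill, t)));
	return 0;
}
```

Running the model shows the two symptoms the commit message names: the type that is both quieted and killable is merely logged by the old ordering but kills under the new one, and the quieted-only type is logged under the old ordering but silenced under the new one; a type in neither mask behaves the same both ways.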