Patchwork [3/3] UBUNTU: SAUCE: AppArmor: allow newer tools to load policy on older kernels

Submitter John Johansen
Date Sept. 15, 2010, 5:16 p.m.
Message ID <1284570966-6603-4-git-send-email-john.johansen@canonical.com>
Permalink /patch/64854/
State Accepted
Delegated to: Leann Ogasawara

Comments

John Johansen - Sept. 15, 2010, 5:16 p.m.
BugLink: http://bugs.launchpad.net/bugs/639758

Remove an unnecessary restriction from the AppArmor network capability patch.
When a newer version of the tools is used with an older kernel, it may build
in extra rules for newer networking protocols that the older kernel does
not know about.

The older kernel can safely ignore the extra rules as it should never
create sockets using the newer protocols.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/policy_unpack.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)
Tetsuo Handa - Sept. 15, 2010, 9:41 p.m.
John Johansen wrote:
>  security/apparmor/policy_unpack.c |    3 ---
>  1 files changed, 0 insertions(+), 3 deletions(-)
> 
> diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
> index 6b0637b..ef11ba9 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -575,9 +575,6 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
>  
>  	size = unpack_array(e, "net_allowed_af");
>  	if (size) {
> -		if (size > AF_MAX)
> -			goto fail;
> -
>  		for (i = 0; i < size; i++) {
>  			if (!unpack_u16(e, &profile->net.allow[i], NULL))

If this patch changes to accept size > AF_MAX, this patch should change
to allocate net.allow[size] rather than net.allow[AF_MAX].

>  				goto fail;
John Johansen - Sept. 16, 2010, 11:41 a.m.
On 09/15/2010 02:41 PM, Tetsuo Handa wrote:
> John Johansen wrote:
>>  security/apparmor/policy_unpack.c |    3 ---
>>  1 files changed, 0 insertions(+), 3 deletions(-)
>>
>> diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
>> index 6b0637b..ef11ba9 100644
>> --- a/security/apparmor/policy_unpack.c
>> +++ b/security/apparmor/policy_unpack.c
>> @@ -575,9 +575,6 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
>>  
>>  	size = unpack_array(e, "net_allowed_af");
>>  	if (size) {
>> -		if (size > AF_MAX)
>> -			goto fail;
>> -
>>  		for (i = 0; i < size; i++) {
>>  			if (!unpack_u16(e, &profile->net.allow[i], NULL))
> 
> If this patch changes to accept size > AF_MAX, this patch should change
> to allocate net.allow[size] rather than net.allow[AF_MAX].
> 
>>  				goto fail;

Yes, it should. I did make that change, but it looks like I didn't push it
to the remote repo from which I pulled :(

Thanks, Tetsuo

Patch

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 6b0637b..ef11ba9 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -575,9 +575,6 @@  static struct aa_profile *unpack_profile(struct aa_ext *e)
 
 	size = unpack_array(e, "net_allowed_af");
 	if (size) {
-		if (size > AF_MAX)
-			goto fail;
-
 		for (i = 0; i < size; i++) {
 			if (!unpack_u16(e, &profile->net.allow[i], NULL))
 				goto fail;
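Review bot: removing the `if (size > AF_MAX) goto fail;` guard without changing the loop bound turns a rejected policy into an out-of-bounds write: `for (i = 0; i < size; i++)` still stores into `profile->net.allow[i]` for every entry, and as Tetsuo Handa notes above `net.allow` is sized `AF_MAX`, so a `net_allowed_af` array longer than `AF_MAX` (exactly the case newer tools produce) now overruns the array in the kernel instead of failing to load. To get the behaviour the commit message describes (the older kernel ignores the extra protocols), the loop should keep consuming every entry so the stream stays in sync but only store the first `AF_MAX` of them, for example by unpacking into a temporary `u16` and assigning to `profile->net.allow[i]` only when `i < AF_MAX`; the alternative already suggested, allocating `net.allow` with `size` entries, also works. Whichever is chosen, the commit message should say how the extra rules are ignored rather than only that they can be.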