Patchwork [3/3] UBUNTU: SAUCE: AppArmor: allow newer tools to load policy on older kernels

Submitter Tetsuo Handa
Date Sept. 16, 2010, 12:37 p.m.
Message ID <201009162137.DCE64533.ONGCVSVtVUP@I-love.SAKURA.ne.jp>
Permalink /patch/64962/
State Accepted
Delegated to: Leann Ogasawara

Comments

Tetsuo Handa - Sept. 16, 2010, 12:37 p.m.
John Johansen wrote:

> On 09/15/2010 02:41 PM, Tetsuo Handa wrote:
> > John Johansen wrote:
> >>  security/apparmor/policy_unpack.c |    3 ---
> >>  1 files changed, 0 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
> >> index 6b0637b..ef11ba9 100644
> >> --- a/security/apparmor/policy_unpack.c
> >> +++ b/security/apparmor/policy_unpack.c
> >> @@ -575,9 +575,6 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
> >>  
> >>  	size = unpack_array(e, "net_allowed_af");
> >>  	if (size) {
> >> -		if (size > AF_MAX)
> >> -			goto fail;
> >> -
> >>  		for (i = 0; i < size; i++) {
> >>  			if (!unpack_u16(e, &profile->net.allow[i], NULL))
> > 
> > If this patch changes to accept size > AF_MAX , this patch should change
> > to allocate net.allow[size] rather than net.allow[AF_MAX] .
> > 
> >>  				goto fail;
> 
> yes it should, I did make that change but it looks like I didn't push it
> to the remote repo from which I pulled :(

But allocating net.allow[size] is useless because the kernel would reject before
calling LSM hooks if size > AF_MAX. Then, is read and discard sufficient?

Patch

--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -575,7 +575,7 @@ 
 
 	size = unpack_array(e, "net_allowed_af");
 	if (size) {
-		for (i = 0; i < size; i++) {
+		for (i = 0; i < size && i < AF_MAX; i++) {
 			if (!unpack_u16(e, &profile->net.allow[i], NULL))
 				goto fail;
 			if (!unpack_u16(e, &profile->net.audit[i], NULL))
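Review bot: in `for (i = 0; i < size && i < AF_MAX; i++)` the clamp is only correct if `net.allow`, `net.audit` and `net.quiet` each hold at least AF_MAX entries, and nothing visible in this hunk ties the bound to those arrays. Since `size` is read from the policy blob by `unpack_array(e, "net_allowed_af")`, this clamp is the only thing keeping the index in range here, so the dependency is worth making explicit. If the three members are fixed-size arrays, bounding the loop with ARRAY_SIZE(profile->net.allow) would keep the check attached to the storage it protects; otherwise a one-line comment naming the allocation size would do.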
@@ -583,6 +583,20 @@ 
 			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
 				goto fail;
 		}
+		/*
+		 * A newer version of userspace tools might support more
+		 * address families than this kernel supports. Read and discard
+		 * address families which are not supported by this kernel.
+		 */
+		for (; i < size; i++) {
+			u16 dummy;
+			if (!unpack_u16(e, &dummy, NULL))
+				goto fail;
+			if (!unpack_u16(e, &dummy, NULL))
+				goto fail;
+			if (!unpack_u16(e, &dummy, NULL))
+				goto fail;
+		}
 		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
 			goto fail;
 		/*
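Review bot: the comment above the discard loop `for (; i < size; i++)` says what is skipped but not why skipping is safe. The reasoning given in the mail, that the kernel rejects such a request before any LSM hook is called so these entries could never be consulted, belongs in that comment, because a later reader will otherwise see policy data being dropped silently. Two style points in the same loop: `u16 dummy;` should be followed by a blank line before the first statement, and the three identical `unpack_u16(e, &dummy, NULL)` calls could be folded into a short inner loop so the count of fields per entry is stated once.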