From patchwork Fri Sep 17 16:02:35 2010
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 65085
X-Patchwork-Delegate: leann.ogasawara@canonical.com
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 2/2] UBUNTU: SAUCE: AppArmor: allow newer tools to load policy on older kernels
Date: Fri, 17 Sep 2010 09:02:35 -0700
Message-Id: <1284739355-17542-3-git-send-email-john.johansen@canonical.com>
In-Reply-To: <1284739355-17542-1-git-send-email-john.johansen@canonical.com>
References: <1284739355-17542-1-git-send-email-john.johansen@canonical.com>

BugLink: http://bugs.launchpad.net/bugs/639758

Remove an unnecessary restriction from the AppArmor network capability patch

When a newer version of the tools is used with an older kernel, it may build in extra rules for newer networking protocols that the older kernel does not know about. The older kernel can safely discard the extra rules as it should never create sockets using the newer protocols, and the LSM hooks will never pass requests matching these rules.

Signed-off-by: John Johansen
---
 security/apparmor/policy_unpack.c |   14 +++++++++++---
 1 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 6b0637b..9c51b03 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -575,10 +575,18 @@ static struct aa_profile *unpack_profile(struct aa_ext *e) size = unpack_array(e, "net_allowed_af"); if (size) { - if (size > AF_MAX) - goto fail; - for (i = 0; i < size; i++) { + /* discard extraneous rules that this kernel will + * never request + */ + if (size > AF_MAX) { + u16 tmp; + if (!unpack_u16(e, &tmp, NULL) || + !unpack_u16(e, &tmp, NULL) || + !unpack_u16(e, &tmp, NULL)) + goto fail; + continue; + } if (!unpack_u16(e, &profile->net.allow[i], NULL)) goto fail; if (!unpack_u16(e, &profile->net.audit[i], NULL))
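Review bot: the discard condition added at the top of the loop body tests `size > AF_MAX` instead of the loop index, so for any policy carrying more than AF_MAX entries every iteration, including the first AF_MAX entries this kernel does understand, takes the discard branch, reads its three u16 values into `tmp` and hits `continue`; `profile->net.allow[i]` and `profile->net.audit[i]` are never populated and the profile loses all of its network rules rather than only the extra ones the commit message says should be dropped. The check wants to be on the index, `if (i >= AF_MAX) {`, and it must be `>=` rather than `>`: the removed `if (size > AF_MAX) goto fail;` accepted size == AF_MAX, so the arrays hold AF_MAX entries indexed 0..AF_MAX-1, and with that pre-loop bound gone the per-index test is now the only thing keeping the writes into `net.allow[]` and `net.audit[]` inside the arrays. The three `unpack_u16` reads in the discard branch should also be kept in step with the per-entry reads below them (two of which, allow and audit, are visible in this hunk) so that skipping an entry consumes exactly the same number of values as unpacking one.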