From patchwork Fri Mar 31 12:57:34 2017
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 745624
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 01/11] UBUNTU: SAUCE: apparmor: fix cross ns perm of unix domain sockets
Date: Fri, 31 Mar 2017 05:57:34 -0700
Message-Id: <20170331125744.16986-2-john.johansen@canonical.com>
X-Mailer: git-send-email 2.9.3
In-Reply-To: <20170331125744.16986-1-john.johansen@canonical.com>
References: <20170331125744.16986-1-john.johansen@canonical.com>

When using nested namespaces, policy within the nested namespace is trying to cross validate with policy outside of the namespace that is not visible to it. This results in the access being denied and with no way to add a rule to policy that would allow it. The check should only be done against policy that is visible.

BugLink: http://bugs.launchpad.net/bugs/1660832
Signed-off-by: John Johansen
Acked-by: Stefan Bader
Acked-by: Tim Gardner
Acked-by: Brad Figg
Signed-off-by: Thadeu Lima de Souza Cascardo
---
security/apparmor/af_unix.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c index 8178498..757df1a 100644 --- a/security/apparmor/af_unix.c +++ b/security/apparmor/af_unix.c @@ -515,7 +515,7 @@ static int profile_peer_perm(struct aa_profile *profile, const char *op, u32 req addr, len, &aad(sa)->info); if (!peer_label) peer_label = peer_ctx->label; - return fn_for_each(peer_label, peerp, + return fn_for_each_in_ns(peer_label, peerp, match_label(profile, peerp, state, request, sa)); }
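Review bot: The hunk in profile_peer_perm() swaps fn_for_each for fn_for_each_in_ns over peer_label, but neither the change nor the commit message says what the folded result is when peer_label contains no profile in the namespace being iterated, for instance a peer confined entirely by policy outside the nested namespace. If the iteration then contributes nothing and the function returns success, that peer is no longer matched against any rule at all, which is a broader effect than the "only check against visible policy" the description claims; if it denies, the original bug is only partly fixed. Please state the intended result for that case explicitly in the commit message, and confirm that "in ns" is the right notion of visibility here rather than the set of namespaces the profile can see (its own plus children), since the description talks about visibility but the code restricts to one namespace.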