From patchwork Tue Jan 26 00:10:11 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tyler Hicks <tyhicks@canonical.com>
X-Patchwork-Id: 572976
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 763251402C0;
	Tue, 26 Jan 2016 11:10:37 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1aNrDJ-0004Co-Vi; Tue, 26 Jan 2016 00:10:29 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.76) (envelope-from <tyhicks@canonical.com>)
	id 1aNrDF-0004Cc-Ic
	for kernel-team@lists.ubuntu.com; Tue, 26 Jan 2016 00:10:25 +0000
Received: from 1.general.tyhicks.us.vpn ([10.172.64.52]
	helo=localhost.localdomain)
	by youngberry.canonical.com with esmtpsa
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <tyhicks@canonical.com>)
	id 1aNrDF-00005d-0P; Tue, 26 Jan 2016 00:10:25 +0000
From: Tyler Hicks <tyhicks@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH][VIVID][WILY][XENIAL] UBUNTU: SAUCE: (no-up): apparmor: fix
	for failed mediation of socket that is being shutdown
Date: Mon, 25 Jan 2016 18:10:11 -0600
Message-Id: <1453767011-18241-1-git-send-email-tyhicks@canonical.com>
X-Mailer: git-send-email 2.5.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

From: John Johansen <john.johansen@canonical.com>

BugLink: http://bugs.launchpad.net/bugs/1446906

This is a horrendous HACK, that is a temporary fix until typesplitting
can land.

Store off the path reference on connection to make up for the path
being wiped out on socket shutdown.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
---
 security/apparmor/af_unix.c     |  4 ++++
 security/apparmor/include/net.h |  2 ++
 security/apparmor/lsm.c         | 20 ++++++++++++++++++++
 3 files changed, 26 insertions(+)

diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c
index 62e7fd1..1da5ee6 100644
--- a/security/apparmor/af_unix.c
+++ b/security/apparmor/af_unix.c
@@ -40,6 +40,10 @@ static inline int unix_fs_perm(int op, u32 mask, struct aa_label *label,
 		/* socket path has been cleared because it is being shutdown
 		 * can only fall back to original sun_path request
 		 */
+		struct aa_sk_cxt *cxt = SK_CXT(&u->sk);
+		if (cxt->path.dentry)
+			return aa_path_perm(op, label, &cxt->path, flags, mask,
+					    &cond);
 		return fn_for_each_confined(label, profile,
 			((flags | profile->path_flags) & PATH_MEDIATE_DELETED) ?
 				__aa_path_perm(op, profile,
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
index 4a5fae5..1aedbf6 100644
--- a/security/apparmor/include/net.h
+++ b/security/apparmor/include/net.h
@@ -16,6 +16,7 @@
 #define __AA_NET_H
 
 #include <net/sock.h>
+#include <linux/path.h>
 
 #include "apparmorfs.h"
 #include "label.h"
@@ -52,6 +53,7 @@
 struct aa_sk_cxt {
 	struct aa_label *label;
 	struct aa_label *peer;
+	struct path path;
 };
 
 #define SK_CXT(X) (X)->sk_security
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 87f470c..f8a1a6d 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -754,6 +754,7 @@ static void apparmor_sk_free_security(struct sock *sk)
 	SK_CXT(sk) = NULL;
 	aa_put_label(cxt->label);
 	aa_put_label(cxt->peer);
+	path_put(&cxt->path);
 	kfree(cxt);
 }
 
@@ -768,6 +769,17 @@ static void apparmor_sk_clone_security(const struct sock *sk,
 
 	new->label = aa_get_label(cxt->label);
 	new->peer = aa_get_label(cxt->peer);
+	new->path = cxt->path;
+	path_get(&new->path);
+}
+
+static struct path *UNIX_FS_CONN_PATH(struct sock *sk, struct sock *newsk)
+{
+	if (sk->sk_family == PF_UNIX && UNIX_FS(sk))
+		return &unix_sk(sk)->path;
+	else if (newsk->sk_family == PF_UNIX && UNIX_FS(newsk))
+		return &unix_sk(newsk)->path;
+	return NULL;
 }
 
 /**
@@ -782,6 +794,7 @@ static int apparmor_unix_stream_connect(struct sock *sk, struct sock *peer_sk,
 	struct aa_sk_cxt *peer_cxt = SK_CXT(peer_sk);
 	struct aa_sk_cxt *new_cxt = SK_CXT(newsk);
 	struct aa_label *label;
+	struct path *path;
 	int error;
 
 	label = aa_begin_current_label();
@@ -817,6 +830,13 @@ static int apparmor_unix_stream_connect(struct sock *sk, struct sock *peer_sk,
 	new_cxt->peer = aa_get_label(sk_cxt->label);
 	sk_cxt->peer = aa_get_label(peer_cxt->label);
 
+	path = UNIX_FS_CONN_PATH(sk, peer_sk);
+	if (path) {
+		new_cxt->path = *path;
+		sk_cxt->path = *path;
+		path_get(path);
+		path_get(path);
+	}
 	return 0;
 }