From patchwork Wed Oct 25 12:31:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Johansen X-Patchwork-Id: 1855042 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SFpGb4hKtz23jh for ; Wed, 25 Oct 2023 23:32:23 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1qvd3P-0005DJ-It; Wed, 25 Oct 2023 12:32:12 +0000 Received: from smtp-relay-canonical-0.internal ([10.131.114.83] helo=smtp-relay-canonical-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1qvd30-00058p-5c for kernel-team@lists.ubuntu.com; Wed, 25 Oct 2023 12:31:42 +0000 Received: from canonical.com (unknown [50.39.103.33]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id 3B79A3FB46 for ; Wed, 25 Oct 2023 12:31:40 +0000 (UTC) 
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/4] UBUNTU: SAUCE: apparmor: fix oops when racing to retrieve notification
Date: Wed, 25 Oct 2023 05:31:27 -0700
Message-Id: <20231025123130.2751944-2-john.johansen@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20231025123130.2751944-1-john.johansen@canonical.com>
References: <20231025123130.2751944-1-john.johansen@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

BugLink: https://bugs.launchpad.net/bugs/2040245

When there is a race to receive a notification, the failing task oopses when erroring

[ 196.140988] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 196.140995] #PF: supervisor read access in kernel mode
[ 196.140996] #PF: error_code(0x0000) - not-present page
[ 196.140997] PGD 0 P4D 0
[ 196.140999] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 196.141001] CPU: 0 PID: 2316 Comm: aa-prompt Not tainted 6.5.0-9-generic #9-Ubuntu
[ 196.141004] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 196.141005] RIP: 0010:aa_listener_unotif_recv+0x11d/0x260
[ 196.141011] Code: ff ff ff 8b 55 d0 48 8b 75 c8 4c 89 ef e8 6b db ff ff 49 89 c2 48 85 c0 0f 88 c0 00 00 00 0f 84 25 ff ff ff 8b 05 3b 1c 1f 03 <49> 8b 55 00 83 e0 20 83 7a 08 07 74 66 85 c0 0f 85 01 01 00 00 48
[ 196.141012] RSP: 0018:ffffa2674075fdd8 EFLAGS: 00010246
[ 196.141014] RAX: 0000000000000000 RBX: ffff974507a08404 RCX: 0000000000000000
[ 196.141017] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 196.141017] RBP: ffffa2674075fe10 R08: 0000000000000000 R09: 0000000000000000
[ 196.141018] R10: fffffffffffffffe R11: 0000000000000000 R12: ffff974507a08400
[ 196.141019] R13: 0000000000000000 R14: ffff974507a08430 R15: ffff97451de00a00
[ 196.141020] FS: 00007f4ab6b30740(0000) GS:ffff97486fa00000(0000) knlGS:0000000000000000
[ 196.141022] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 196.141024] CR2: 0000000000000000 CR3: 0000000104cf2003 CR4: 0000000000770ef0
[ 196.141026] PKRU: 55555554
[ 196.141027] Call Trace:
[ 196.141032]
[ 196.141034] ? show_regs+0x6d/0x80
[ 196.141041] ? __die+0x24/0x80
[ 196.141043] ? page_fault_oops+0x99/0x1b0
[ 196.141047] ? do_user_addr_fault+0x316/0x6b0
[ 196.141048] ? filemap_map_pages+0x2b3/0x460
[ 196.141056] ? exc_page_fault+0x83/0x1b0
[ 196.141068] ? asm_exc_page_fault+0x27/0x30
[ 196.141079] ? aa_listener_unotif_recv+0x11d/0x260
[ 196.141081] ? aa_listener_unotif_recv+0x184/0x260
[ 196.141083] listener_ioctl+0x1e1/0x260
[ 196.141088] __x64_sys_ioctl+0xa0/0xf0
[ 196.141092] do_syscall_64+0x59/0x90
[ 196.141094] ? do_user_addr_fault+0x238/0x6b0
[ 196.141095] ? exit_to_user_mode_prepare+0x30/0xb0
[ 196.141100] ? irqentry_exit_to_user_mode+0x17/0x20
[ 196.141104] ? irqentry_exit+0x43/0x50
[ 196.141106] ? exc_page_fault+0x94/0x1b0
[ 196.141107] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 196.141109] RIP: 0033:0x7f4ab69238ef
[ 196.141124] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 196.141125] RSP: 002b:00007ffd607a9020 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 196.141127] RAX: ffffffffffffffda RBX: 00007ffd607a9100 RCX: 00007f4ab69238ef
[ 196.141128] RDX: 00007ffd607a9100 RSI: 00000000c008f804 RDI: 0000000000000003
[ 196.141128] RBP: 0000000000000003 R08: 0000000000000001 R09: 00007f4ab6b30740
[ 196.141129] R10: 00007f4ab6b7f0a0 R11: 0000000000000246 R12: 00007ffd607a90a0
[ 196.141130] R13: 00007ffd607a90dc R14: 0000559564822c10 R15: 0000000000031000
[ 196.141131]
[ 196.141132] Modules linked in: snd_seq_dummy snd_hrtimer binfmt_misc nls_iso8859_1 intel_rapl_msr intel_rapl_common snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_pcm kvm_intel snd_seq_midi snd_seq_midi_event kvm irqbypass crct10dif_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel aesni_intel crypto_simd cryptd rapl joydev snd_rawmidi snd_seq i2c_i801 i2c_smbus snd_seq_device snd_timer qxl snd drm_ttm_helper lpc_ich soundcore ttm 9pnet_virtio 9pnet drm_kms_helper input_leds mac_hid serio_raw nfsd msr parport_pc auth_rpcgss ppdev nfs_acl lockd grace lp parport drm efi_pstore sunrpc dmi_sysfs qemu_fw_cfg ip_tables x_tables autofs4 hid_generic usbhid hid ahci crc32_pclmul psmouse xhci_pci libahci virtio_rng xhci_pci_renesas
[ 196.141188] CR2: 0000000000000000
[ 196.141190] ---[ end trace 0000000000000000 ]---

Fixes: e07417682502 ("UBUNTU: SAUCE: apparmor4.0.0 [61/76]: prompt - refactor to moving caching to uresponse")
Signed-off-by: John Johansen
---
 security/apparmor/notify.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/security/apparmor/notify.c b/security/apparmor/notify.c index 9a6a88f50c1e..63d0e03b429a 100644 --- a/security/apparmor/notify.c +++ b/security/apparmor/notify.c 
@@ -1023,8 +1023,7 @@ long aa_listener_unotif_recv(struct aa_listener *listener, void __user *buf, do { knotif = listener_pop_and_hold_knotif(listener); if (!knotif) { - ret = -ENOENT; - break; + return -ENOENT; } AA_DEBUG(DEBUG_UPCALL, "id %lld: removed notif from listener queue", knotif->id); From patchwork Wed Oct 25 12:31:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Johansen X-Patchwork-Id: 1855043 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SFpGm0TXjz23jh for ; Wed, 25 Oct 2023 23:32:31 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1qvd3d-0005HD-Rb; Wed, 25 Oct 2023 12:32:21 +0000 Received: from smtp-relay-canonical-1.internal ([10.131.114.174] helo=smtp-relay-canonical-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1qvd33-00059P-2Y for kernel-team@lists.ubuntu.com; Wed, 25 Oct 2023 12:31:48 +0000 Received: from canonical.com (unknown [50.39.103.33]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-1.canonical.com (Postfix) with ESMTPSA id 652C042737 for ; Wed, 25 Oct 2023 12:31:44 +0000 (UTC) 
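Review bot: the early `return -ENOENT` in the `!knotif` branch now skips everything that follows the do/while loop in aa_listener_unotif_recv, whereas the old `ret = -ENOENT; break;` fell through into code that dereferenced knotif (the NULL read at aa_listener_unotif_recv+0x11d in the oops). The hunk does not show what comes after the loop, so please confirm that no lock, reference or knotif held from an earlier iteration needs releasing on this path; if the post-loop code is only valid for a non-NULL knotif, a short comment there saying so (or a `if (!knotif) return -ENOENT;` guard after the loop) would record why `break` is no longer safe. The commit message could also name the race it fixes (two readers competing for the same queued notification) rather than only "when erroring".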
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 2/4] UBUNTU: SAUCE: apparmor: fix notification header size
Date: Wed, 25 Oct 2023 05:31:28 -0700
Message-Id: <20231025123130.2751944-3-john.johansen@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20231025123130.2751944-1-john.johansen@canonical.com>
References: <20231025123130.2751944-1-john.johansen@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

BugLink: https://bugs.launchpad.net/bugs/2040250

When strings are appended to the notification the header size should be updated to reflect the correct size. While the size is also directly returned as part of delivering the notification, the header should also be updated to conform to the specification and allow for verification. If verification is enabled and the notification contains appended strings then notifications fail verification and won't be delivered.

Fixes: 9a3b87d8b9a0 ("UBUNTU: SAUCE: apparmor4.0.0 [64/76]: prompt - rework build to use append fn, to simplify adding strings")
Signed-off-by: John Johansen
---
 security/apparmor/notify.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/apparmor/notify.c b/security/apparmor/notify.c index 63d0e03b429a..e1c5697f79c7 100644 --- a/security/apparmor/notify.c +++ b/security/apparmor/notify.c
@@ -975,6 +975,9 @@ static long build_v3_unotif(struct aa_knotif *knotif, void __user *buf, if (!build_append_str(buf, pos, max_size, knotif->ad->name, unotif.file.name, size)) return size; + + /* set size after appending strings */ + unotif.common.len = size; /* now the struct, at the start of user mem */ if (copy_to_user(buf, &unotif, sizeof(unotif))) return -EFAULT; From patchwork Wed Oct 25 12:31:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Johansen X-Patchwork-Id: 1855044 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SFpH61slTz23jh for ; Wed, 25 Oct 2023 23:32:49 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1qvd3l-0005Lx-UI; Wed, 25 Oct 2023 12:32:30 +0000 Received: from smtp-relay-canonical-1.internal ([10.131.114.174] helo=smtp-relay-canonical-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1qvd36-00059X-0l for kernel-team@lists.ubuntu.com; Wed, 25 Oct 2023 12:31:48 +0000 Received: from canonical.com (unknown [50.39.103.33]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-1.canonical.com (Postfix) with ESMTPSA id 103A142747 for ; 
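Review bot: `unotif.common.len = size;` is placed after the last `build_append_str` succeeds and before the `copy_to_user` of the header, which is the right spot, but the hunk does not show the type of `common.len`; if that field is narrower than `size` (a fixed-width length field against a size that grows with the appended profile and file names), the assignment truncates silently and the verification this patch is meant to satisfy would then reject exactly the long-name notifications. A bounds check that returns an error when `size` exceeds what the header field can represent would close that gap. The early `return size;` two lines above (append did not fit) leaves the header unwritten, so a comment noting that the caller must treat that return as "buffer too small" rather than as a delivered notification would help the next reader.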
Wed, 25 Oct 2023 12:31:46 +0000 (UTC) 
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 3/4] UBUNTU: SAUCE: apparmor: fix request field from a prompt reply that denies all access
Date: Wed, 25 Oct 2023 05:31:29 -0700
Message-Id: <20231025123130.2751944-4-john.johansen@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20231025123130.2751944-1-john.johansen@canonical.com>
References: <20231025123130.2751944-1-john.johansen@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

BugLink: http://bugs.launchpad.net/bugs/2040192

A reply to a prompt request that denies all permissions requested will throw the following warning, because the auditing code does not expect the request field to be empty when generating the audit message.

Sep 27 22:48:14 ubuntu-mantic snapd[596]: listener.go:189: Sending access response back to kernel: {MsgNotification:{MsgHeader:{Length:0 Version:0} NotificationType:APPARMOR_NOTIF_RESP Signalled:0 NoCache:1 ID:2 Error:0} Error:-13 Allow:0 Deny:4}
Sep 27 22:48:14 ubuntu-mantic kernel: ------------[ cut here ]------------
Sep 27 22:48:14 ubuntu-mantic kernel: AppArmor WARN aa_audit_file: ((!ad.request)):
Sep 27 22:48:14 ubuntu-mantic kernel: WARNING: CPU: 3 PID: 2082 at security/apparmor/file.c:268 aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: Modules linked in: snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd soundcore binfmt_misc nls_iso8859_1 kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 aesni_intel virtio_gpu crypto_simd cryptd virtio_dma_buf drm_shmem_helper 9pnet_virtio drm_kms_helper 9pnet vmw_vsock_virtio_transport virtio_input vmw_vsock_virtio_transport_common input_leds joydev serio_raw vsock msr parport_pc ppdev lp parport drm virtiofs efi_pstore ip_tables x_tables autofs4 virtio_net xhci_pci ahci psmouse net_failover libahci xhci_pci_renesas failover virtio_rng
Sep 27 22:48:14 ubuntu-mantic kernel: CPU: 3 PID: 2082 Comm: bash Not tainted 6.5.0-5-generic #5+aa4.0.0+debug5-Ubuntu
Sep 27 22:48:14 ubuntu-mantic kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/LXD, BIOS unknown 2/2/2022
Sep 27 22:48:14 ubuntu-mantic kernel: RIP: 0010:aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: Code: 3c ff ff ff e8 80 6f a8 ff 44 8b 95 3c ff ff ff 5a 59 e9 e3 fe ff ff 48 c7 c6 98 5c 08 84 48 c7 c7 90 1a 60 84 e8 9f da 9d ff <0f> 0b 8b 85 78 ff ff ff e9 05 ff ff ff 48 89 de 4c 89 f7 e8 b7 f5
Sep 27 22:48:14 ubuntu-mantic kernel: RSP: 0018:ffffb66a82b57968 EFLAGS: 00010246
Sep 27 22:48:14 ubuntu-mantic kernel: RAX: 0000000000000000 RBX: ffffb66a82b57b24 RCX: 0000000000000000
Sep 27 22:48:14 ubuntu-mantic kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
Sep 27 22:48:14 ubuntu-mantic kernel: RBP: ffffb66a82b57a30 R08: 0000000000000000 R09: 0000000000000000
Sep 27 22:48:14 ubuntu-mantic kernel: R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
Sep 27 22:48:14 ubuntu-mantic kernel: R13: ffff8b160239d800 R14: ffffb66a82b57970 R15: 0000000000000001
Sep 27 22:48:14 ubuntu-mantic kernel: FS: 00007f1f7d3b3380(0000) GS:ffff8b17778c0000(0000) knlGS:0000000000000000
Sep 27 22:48:14 ubuntu-mantic kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Sep 27 22:48:14 ubuntu-mantic kernel: CR2: 000055d4482063f0 CR3: 0000000137e64000 CR4: 0000000000750ee0
Sep 27 22:48:14 ubuntu-mantic kernel: PKRU: 55555554
Sep 27 22:48:14 ubuntu-mantic kernel: Call Trace:
Sep 27 22:48:14 ubuntu-mantic kernel:
Sep 27 22:48:14 ubuntu-mantic kernel: ? show_regs+0x6d/0x80
Sep 27 22:48:14 ubuntu-mantic kernel: ? __warn+0x89/0x160
Sep 27 22:48:14 ubuntu-mantic kernel: ? aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: ? report_bug+0x17e/0x1b0
Sep 27 22:48:14 ubuntu-mantic kernel: ? handle_bug+0x51/0xa0
Sep 27 22:48:14 ubuntu-mantic kernel: ? exc_invalid_op+0x18/0x80
Sep 27 22:48:14 ubuntu-mantic kernel: ? asm_exc_invalid_op+0x1b/0x20
Sep 27 22:48:14 ubuntu-mantic kernel: ? aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: ? aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: __aa_path_perm+0xaf/0x130
Sep 27 22:48:14 ubuntu-mantic kernel: aa_path_perm+0xf1/0x1c0
Sep 27 22:48:14 ubuntu-mantic kernel: apparmor_file_open+0x1bb/0x2e0
Sep 27 22:48:14 ubuntu-mantic kernel: security_file_open+0x2e/0x60
Sep 27 22:48:14 ubuntu-mantic kernel: do_dentry_open+0x10d/0x530
Sep 27 22:48:14 ubuntu-mantic kernel: vfs_open+0x33/0x50
Sep 27 22:48:14 ubuntu-mantic kernel: do_open+0x2ed/0x470
Sep 27 22:48:14 ubuntu-mantic kernel: ? path_init+0x59/0x3d0
Sep 27 22:48:14 ubuntu-mantic kernel: path_openat+0x135/0x2d0
Sep 27 22:48:14 ubuntu-mantic kernel: ? _raw_spin_unlock+0xe/0x40
Sep 27 22:48:14 ubuntu-mantic kernel: do_filp_open+0xaf/0x170
Sep 27 22:48:14 ubuntu-mantic kernel: do_sys_openat2+0xb3/0xe0
Sep 27 22:48:14 ubuntu-mantic kernel: __x64_sys_openat+0x55/0xa0
Sep 27 22:48:14 ubuntu-mantic kernel: do_syscall_64+0x59/0x90
Sep 27 22:48:14 ubuntu-mantic kernel: ? handle_mm_fault+0xad/0x360
Sep 27 22:48:14 ubuntu-mantic kernel: ? do_user_addr_fault+0x238/0x6b0
Sep 27 22:48:14 ubuntu-mantic kernel: ? exit_to_user_mode_prepare+0x30/0xb0
Sep 27 22:48:14 ubuntu-mantic kernel: ? irqentry_exit_to_user_mode+0x17/0x20
Sep 27 22:48:14 ubuntu-mantic kernel: ? irqentry_exit+0x43/0x50
Sep 27 22:48:14 ubuntu-mantic kernel: ? exc_page_fault+0x94/0x1b0
Sep 27 22:48:14 ubuntu-mantic kernel: entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Sep 27 22:48:14 ubuntu-mantic kernel: RIP: 0033:0x7f1f7d4cdbcc
Sep 27 22:48:14 ubuntu-mantic kernel: Code: 24 18 31 c0 41 83 e2 40 75 44 89 f0 25 00 00 41 00 3d 00 00 41 00 74 36 44 89 c2 4c 89 ce bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 48 8b 54 24 18 64 48 2b 14 25 28 00 00 00
Sep 27 22:48:14 ubuntu-mantic kernel: RSP: 002b:00007fff2a1d1280 EFLAGS: 00000287 ORIG_RAX: 0000000000000101
Sep 27 22:48:14 ubuntu-mantic kernel: RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f7d4cdbcc
Sep 27 22:48:14 ubuntu-mantic kernel: RDX: 0000000000090800 RSI: 000055b5d4043c40 RDI: 00000000ffffff9c
Sep 27 22:48:14 ubuntu-mantic kernel: RBP: 000055b5d4043c40 R08: 0000000000090800 R09: 000055b5d4043c40
Sep 27 22:48:14 ubuntu-mantic kernel: R10: 0000000000000000 R11: 0000000000000287 R12: 000055b5d4043c20
Sep 27 22:48:14 ubuntu-mantic kernel: R13: 000055b5d34637f8 R14: 000055b5d4043c00 R15: 000055b5d40436a0
Sep 27 22:48:14 ubuntu-mantic kernel:
Sep 27 22:48:14 ubuntu-mantic kernel: ---[ end trace 0000000000000000 ]---

Note: this does not change the mediation; it just ensures the assert in the audit path does not trigger, polluting dmesg and the kernel audit log.

Signed-off-by: John Johansen
---
 security/apparmor/file.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/file.c b/security/apparmor/file.c index 8c80301ed6c1..e21be3cc752f 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c
@@ -166,7 +166,9 @@ static int check_user(struct aa_profile *profile, } /* update based on node data for audit */ - ad->request = node->data.request; + perms->deny = node->data.denied; + perms->allow = node->data.request & ~node->data.denied; + ad->request |= node->data.request; ad->denied = node->data.denied; ad->error = node->data.error; From patchwork Wed Oct 25 12:31:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Johansen X-Patchwork-Id: 1855045 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SFpHM210Nz23jh for ; Wed, 25 Oct 2023 23:33:03 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1qvd46-0005Sl-3X; Wed, 25 Oct 2023 12:32:50 +0000 Received: from smtp-relay-canonical-0.internal ([10.131.114.83] helo=smtp-relay-canonical-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1qvd3A-00059x-K4 for kernel-team@lists.ubuntu.com; Wed, 25 Oct 2023 12:31:55 +0000 Received: from canonical.com (unknown [50.39.103.33]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id 1355F3F6C1 for ; Wed, 25 Oct 2023 12:31:49 +0000 
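Review bot: the commit message says this does not change the mediation, but the hunk now writes `perms->deny` and `perms->allow` in check_user from the cached node data (`node->data.denied` and `node->data.request & ~node->data.denied`), and those are the permission sets the caller acts on; either the caller already derived the same values (in which case the message should say so) or this is a behavioural change that the message should describe. The part that actually avoids `WARN(!ad.request)` in aa_audit_file is switching `ad->request = node->data.request` to `ad->request |= node->data.request`, because the originally requested bits survive when the reply carries no request bits at all (Allow:0 Deny:4 in the log); that one-line rationale belongs in the commit message too.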
(UTC)

From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 4/4] UBUNTU: SAUCE: apparmor: open userns related sysctl so lxc can check if restrictions are in place
Date: Wed, 25 Oct 2023 05:31:30 -0700
Message-Id: <20231025123130.2751944-5-john.johansen@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20231025123130.2751944-1-john.johansen@canonical.com>
References: <20231025123130.2751944-1-john.johansen@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

BugLink: http://bugs.launchpad.net/bugs/2040194
https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

lxc and lxd currently need to determine if the apparmor restrictions on unprivileged user namespaces are being enforced, so that apparmor restrictions won't break lxc/d, and they won't clutter the logs by doing something like unshare true to test if the restrictions are being enforced.

Ideally access to this information would be restricted so that any unknown access would be logged, but lxc/d currently aren't ready for this, so in order to _not_ force lxc/d to probe whether enforcement is enabled, open up read access to the sysctls for unprivileged user namespace mediation.

Signed-off-by: John Johansen
---
 security/apparmor/lsm.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 205cd79fb625..a1ea0321ec38 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c
@@ -2397,6 +2397,17 @@ static int apparmor_dointvec(struct ctl_table *table, int write, return proc_dointvec(table, write, buffer, lenp, ppos); } +static int userns_restrict_dointvec(struct ctl_table *table, int write, + void *buffer, size_t *lenp, loff_t *ppos) +{ + if (!apparmor_enabled) + return -EINVAL; + if (write && !aa_current_policy_admin_capable(NULL)) + return -EPERM; + + return proc_dointvec(table, write, buffer, lenp, ppos); +} + static struct ctl_table apparmor_sysctl_table[] = { #ifdef CONFIG_USER_NS { @@ -2419,8 +2430,8 @@ static struct ctl_table apparmor_sysctl_table[] = { .procname = "apparmor_restrict_unprivileged_userns", .data = &unprivileged_userns_restricted, .maxlen = sizeof(int), - .mode = 0600, - .proc_handler = apparmor_dointvec, + .mode = 0644, + .proc_handler = userns_restrict_dointvec, }, { .procname = "apparmor_restrict_unprivileged_userns_force", @@ -2441,8 +2452,8 @@ static struct ctl_table apparmor_sysctl_table[] = { .procname = "apparmor_restrict_unprivileged_unconfined", .data = &aa_unprivileged_unconfined_restricted, .maxlen = sizeof(int), - .mode = 0600, - .proc_handler = apparmor_dointvec, + .mode = 0644, + .proc_handler = userns_restrict_dointvec, }, { .procname = "apparmor_restrict_unprivileged_io_uring",
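Review bot: in userns_restrict_dointvec the `!apparmor_enabled` check returns -EINVAL for reads as well as writes, so with AppArmor disabled an unprivileged reader of the sysctl gets EINVAL instead of a value; since the stated purpose is to let lxc/lxd determine whether the restriction is enforced, the commit message should say that EINVAL is the expected "not enforced" answer in that case, or the handler should return 0 on read. Writes are now gated only by `aa_current_policy_admin_capable(NULL)` where previously the 0600 mode kept both reads and writes root-only regardless of the handler; worth stating explicitly. Also, the new function is defined unconditionally while its first user sits under `#ifdef CONFIG_USER_NS`; if the second user (the unconfined sysctl) is under the same ifdef, a !CONFIG_USER_NS build gets an unused static function warning, so the definition should move under the same guard.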
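Review bot: relaxing the mode of apparmor_restrict_unprivileged_userns from 0600 to 0644 makes the enforcement state world-readable, including from inside containers that mount /proc/sys; the commit message already acknowledges that restricted access would be preferable, so please state that this is deliberate and that the 0644 mode relies on the handler's capability check to keep writes privileged. The unchanged trailing context shows `apparmor_restrict_unprivileged_userns_force` keeping its old mode and handler; if lxc/lxd also need to read that one it should change in the same patch, and if not, a sentence saying why it stays 0600 would help.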
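A userspace probe of the kind this patch enables, added here as an example and not lxc/lxd code: it reads the sysctl instead of running `unshare true`, and distinguishes a kernel without the sysctl, a read that fails (pre-patch 0600 mode, or EINVAL from the handler when AppArmor is disabled) and the two enforcement values. The /proc/sys/kernel directory is an assumption; the patch only gives the procname.

```shell
#!/bin/sh
# Added example, not lxc/lxd code. Probe whether AppArmor is restricting
# unprivileged user namespaces by reading the sysctl that the patch opens
# for read access, instead of probing with "unshare true" (which leaves a
# denial in the audit log whenever the restriction is enforced).
#
# Assumption: the sysctl lives under /proc/sys/kernel; the patch only
# gives the procname "apparmor_restrict_unprivileged_userns".

# aa_userns_restriction <sysctl-dir>
# Prints one word for the state and returns 0 only when the state is known:
#   restricted   - sysctl reads as non-zero, the restriction is enforced
#   unrestricted - sysctl reads as 0
#   unavailable  - file does not exist: kernel without this sysctl
#   unreadable   - read failed: pre-patch 0600 mode, or the handler
#                  returned EINVAL because AppArmor itself is disabled
aa_userns_restriction() {
    sysctl="$1/apparmor_restrict_unprivileged_userns"
    if [ ! -e "$sysctl" ]; then
        echo unavailable
        return 1
    fi
    if ! value=$(cat "$sysctl" 2>/dev/null); then
        echo unreadable
        return 1
    fi
    case "$value" in
        0) echo unrestricted ;;
        *) echo restricted ;;
    esac
    return 0
}

# Succeeds only when the kernel confirms the restriction is enforced, so a
# container manager can adapt its profile handling without first triggering
# a denial. Unknown states are treated as "not confirmed".
aa_userns_restriction_enforced() {
    [ "$(aa_userns_restriction "$1")" = restricted ]
}
```

On a live host call `aa_userns_restriction /proc/sys/kernel`; the functions take the directory as a parameter so they can be exercised against a constructed directory.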