{"id":808538,"url":"http://patchwork.ozlabs.org/api/patches/808538/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/b8b6a59e-4483-addf-85e6-5d45ea2d6364@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<b8b6a59e-4483-addf-85e6-5d45ea2d6364@canonical.com>","list_archive_url":null,"date":"2017-09-01T07:05:38","name":"[Xenial,Zesty] UBUNTU: SAUCE: fix oops when disabled and module parameters, are accessed","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"11c64767c5e89d37ec548b378683d1b017979ad6","submitter":{"id":3000,"url":"http://patchwork.ozlabs.org/api/people/3000/?format=json","name":"John Johansen","email":"john.johansen@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/b8b6a59e-4483-addf-85e6-5d45ea2d6364@canonical.com/mbox/","series":[{"id":956,"url":"http://patchwork.ozlabs.org/api/series/956/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=956","date":"2017-09-01T07:05:38","name":"[Xenial,Zesty] UBUNTU: SAUCE: fix oops when disabled and module parameters, are accessed","version":1,"mbox":"http://patchwork.ozlabs.org/series/956/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/808538/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/808538/checks/","tags":{},"related":[],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xk9J23GGPz9s7C;\n\tFri,  1 Sep 2017 17:05:54 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.76)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dng1R-0002nI-OL; Fri, 01 Sep 2017 07:05:45 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.76) (envelope-from <john.johansen@canonical.com>)\n\tid 1dng1M-0002my-TZ\n\tfor kernel-team@lists.ubuntu.com; Fri, 01 Sep 2017 07:05:40 +0000","from static-50-53-50-149.bvtn.or.frontiernet.net ([50.53.50.149]\n\thelo=[192.168.192.153]) by youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <john.johansen@canonical.com>)\n\tid 1dng1M-0001s3-Fz; Fri, 01 Sep 2017 07:05:40 +0000"],"To":"Kernel team list <kernel-team@lists.ubuntu.com>","From":"John Johansen <john.johansen@canonical.com>","Subject":"[PATCH][Xenial][Zesty] UBUNTU: SAUCE: fix oops when disabled and\n\tmodule parameters, are accessed","Organization":"Canonical","Message-ID":"<b8b6a59e-4483-addf-85e6-5d45ea2d6364@canonical.com>","Date":"Fri, 1 Sep 2017 00:05:38 -0700","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","Content-Language":"en-GB","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.14","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"kernel-team-bounces@lists.ubuntu.com"},"content":"The virtualization of apparmor module parameters failed to take into\naccount the parameters being accessed when apparmor is not enabled\nin some cases.\n\nIt also failed to take into account that policy_admin_capable checks\nshould not be applied to parameters specified at kernel boot as this\nis the callback is used before apparmor is initialized.\n\nBugLink: http://bugs.launchpad.net/bugs/1626984\nSigned-off-by: John Johansen <john.johansen@canonical.com>\n---\n security/apparmor/lsm.c | 52 +++++++++++++++++++++++++++++--------------------\n 1 file changed, 31 insertions(+), 21 deletions(-)","diff":"diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c\nindex 70617e50a0d4..7951c3dc9393 100644\n--- a/security/apparmor/lsm.c\n+++ b/security/apparmor/lsm.c\n@@ -41,7 +41,7 @@\n #include \"include/mount.h\"\n \n /* Flag indicating whether initialization completed */\n-int apparmor_initialized __initdata;\n+int apparmor_initialized;\n \n DEFINE_PER_CPU(struct aa_buffers, aa_buffers);\n \n@@ -1409,74 +1409,83 @@ __setup(\"apparmor=\", apparmor_enabled_setup);\n /* set global flag turning off the ability to load policy */\n static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)\n {\n-\tif (!policy_admin_capable(NULL))\n+\tif (!apparmor_enabled)\n+\t\treturn -EINVAL;\n+\tif (apparmor_initialized && !policy_admin_capable(NULL))\n \t\treturn -EPERM;\n \treturn param_set_bool(val, kp);\n }\n \n static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)\n {\n-\tif (!policy_view_capable(NULL))\n-\t\treturn -EPERM;\n \tif (!apparmor_enabled)\n \t\treturn -EINVAL;\n+\tif (apparmor_initialized && !policy_view_capable(NULL))\n+\t\treturn -EPERM;\n \treturn param_get_bool(buffer, kp);\n }\n \n static int param_set_aabool(const char *val, const struct kernel_param *kp)\n {\n-\tif (!policy_admin_capable(NULL))\n-\t\treturn -EPERM;\n \tif (!apparmor_enabled)\n \t\treturn -EINVAL;\n+\tif (apparmor_initialized && !policy_admin_capable(NULL))\n+\t\treturn -EPERM;\n \treturn param_set_bool(val, kp);\n }\n \n static int param_get_aabool(char *buffer, const struct kernel_param *kp)\n {\n-\tif (!policy_view_capable(NULL))\n-\t\treturn -EPERM;\n \tif (!apparmor_enabled)\n \t\treturn -EINVAL;\n+\tif (apparmor_initialized && !policy_view_capable(NULL))\n+\t\treturn -EPERM;\n \treturn param_get_bool(buffer, kp);\n }\n \n static int param_set_aauint(const char *val, const struct kernel_param *kp)\n {\n-\tif (!policy_admin_capable(NULL))\n-\t\treturn -EPERM;\n+\tint error;\n+\n \tif (!apparmor_enabled)\n \t\treturn -EINVAL;\n-\treturn param_set_uint(val, kp);\n+\tif (apparmor_initialized && !policy_admin_capable(NULL))\n+\t\treturn -EPERM;\n+\n+\terror = param_set_uint(val, kp);\n+\tpr_info(\"AppArmor: buffer size set to %d bytes\\n\", aa_g_path_max);\n+\n+\treturn error;\n }\n \n static int param_get_aauint(char *buffer, const struct kernel_param *kp)\n {\n-\tif (!policy_view_capable(NULL))\n-\t\treturn -EPERM;\n \tif (!apparmor_enabled)\n \t\treturn -EINVAL;\n+\tif (apparmor_initialized && !policy_view_capable(NULL))\n+\t\treturn -EPERM;\n \treturn param_get_uint(buffer, kp);\n }\n \n static int param_get_audit(char *buffer, struct kernel_param *kp)\n {\n-\tif (!policy_view_capable(NULL))\n-\t\treturn -EPERM;\n \tif (!apparmor_enabled)\n \t\treturn -EINVAL;\n+\tif (apparmor_initialized && !policy_view_capable(NULL))\n+\t\treturn -EPERM;\n \treturn sprintf(buffer, \"%s\", audit_mode_names[aa_g_audit]);\n }\n \n static int param_set_audit(const char *val, struct kernel_param *kp)\n {\n \tint i;\n-\tif (!policy_admin_capable(NULL))\n-\t\treturn -EPERM;\n+\n \tif (!apparmor_enabled)\n \t\treturn -EINVAL;\n \tif (!val)\n \t\treturn -EINVAL;\n+\tif (apparmor_initialized && !policy_admin_capable(NULL))\n+\t\treturn -EPERM;\n \n \tfor (i = 0; i < AUDIT_MAX_INDEX; i++) {\n \t\tif (strcmp(val, audit_mode_names[i]) == 0) {\n@@ -1490,10 +1499,10 @@ static int param_set_audit(const char *val, struct kernel_param *kp)\n \n static int param_get_mode(char *buffer, struct kernel_param *kp)\n {\n-\tif (!policy_view_capable(NULL))\n-\t\treturn -EPERM;\n \tif (!apparmor_enabled)\n \t\treturn -EINVAL;\n+\tif (apparmor_initialized && !policy_view_capable(NULL))\n+\t\treturn -EPERM;\n \n \treturn sprintf(buffer, \"%s\", aa_profile_mode_names[aa_g_profile_mode]);\n }\n@@ -1501,12 +1510,13 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)\n static int param_set_mode(const char *val, struct kernel_param *kp)\n {\n \tint i;\n-\tif (!policy_admin_capable(NULL))\n-\t\treturn -EPERM;\n+\n \tif (!apparmor_enabled)\n \t\treturn -EINVAL;\n \tif (!val)\n \t\treturn -EINVAL;\n+\tif (apparmor_initialized && !policy_admin_capable(NULL))\n+\t\treturn -EPERM;\n \n \tfor (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {\n \t\tif (strcmp(val, aa_profile_mode_names[i]) == 0) {\n","prefixes":["Xenial","Zesty"]}