Message ID | 5163FC7A.3010400@canonical.com |
---|---|
State | New |
On Tue, Apr 09, 2013 at 04:33:14AM -0700, John Johansen wrote:
> The following changes since commit 985689ad1c3211f4f3a9ce0e2371847320ba873f:
>
>   UBUNTU: Ubuntu-3.2.0-40.64 (2013-03-25 15:41:43 -0500)
>
> are available in the git repository at:
>
>   git://kernel.ubuntu.com/jj/ubuntu-precise.git lp1163259
>
> for you to fetch changes up to 3f9bb12a9458a3a90788838b7f1f2e15eaa53728:
>
>   UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation (2013-04-09 02:47:47 -0700)
>
> ----------------------------------------------------------------
> John Johansen (1):
>       UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation
>
>  security/apparmor/net.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> ---
>
> From 3f9bb12a9458a3a90788838b7f1f2e15eaa53728 Mon Sep 17 00:00:00 2001
> From: John Johansen <john.johansen@canonical.com>
> Date: Fri, 29 Jun 2012 17:34:00 -0700
> Subject: [PATCH] UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for
>  network mediation
>
> This fixes a bug in the apparmor networking patch that is not upstream
> because it is being replaced by a newer patch.
>
> BugLink: http://bugs.launchpad.net/bugs/1163259
>
> If a profile specified a quieting of network denials for a given rule by
> either the quiet or deny rule qualifiers, the resultant quiet mask for
> denied requests was applied incorrectly, resulting in two potential bugs.
> 1. The misapplied quiet mask would prevent denials from being correctly
>    tested against the kill mask/mode. Thus network access requests that
>    should have resulted in the application being killed did not.
>
> 2. The actual quieting of the denied network request was not being applied.
>    This would result in network rejections always being logged even when
>    they had been specifically marked as quieted.
>
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> ---
>  security/apparmor/net.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> > diff --git a/security/apparmor/net.c b/security/apparmor/net.c > index 995817c..36befb4 100644 > --- a/security/apparmor/net.c > +++ b/security/apparmor/net.c > @@ -85,7 +85,7 @@ static int audit_net(struct aa_profile *profile, int op, u16 family, int type, > } else { > u16 quiet_mask = profile->net.quiet[sa.u.net.family]; > u16 kill_mask = 0; > - u16 denied = (1 << sa.aad.net.type) & ~quiet_mask; > + u16 denied = (1 << sa.aad.net.type); > > if (denied & kill_mask) > audit_type = AUDIT_APPARMOR_KILL;

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
On 09/04/13 12:33, John Johansen wrote:
> The following changes since commit 985689ad1c3211f4f3a9ce0e2371847320ba873f:
>
>   UBUNTU: Ubuntu-3.2.0-40.64 (2013-03-25 15:41:43 -0500)
>
> are available in the git repository at:
>
>   git://kernel.ubuntu.com/jj/ubuntu-precise.git lp1163259
>
> for you to fetch changes up to 3f9bb12a9458a3a90788838b7f1f2e15eaa53728:
>
>   UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation (2013-04-09 02:47:47 -0700)
>
> ----------------------------------------------------------------
> John Johansen (1):
>       UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation
>
>  security/apparmor/net.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> ---
>
> From 3f9bb12a9458a3a90788838b7f1f2e15eaa53728 Mon Sep 17 00:00:00 2001
> From: John Johansen <john.johansen@canonical.com>
> Date: Fri, 29 Jun 2012 17:34:00 -0700
> Subject: [PATCH] UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for
>  network mediation
>
> This fixes a bug in the apparmor networking patch that is not upstream
> because it is being replaced by a newer patch.
>
> BugLink: http://bugs.launchpad.net/bugs/1163259
>
> If a profile specified a quieting of network denials for a given rule by
> either the quiet or deny rule qualifiers, the resultant quiet mask for
> denied requests was applied incorrectly, resulting in two potential bugs.
> 1. The misapplied quiet mask would prevent denials from being correctly
>    tested against the kill mask/mode. Thus network access requests that
>    should have resulted in the application being killed did not.
>
> 2. The actual quieting of the denied network request was not being applied.
>    This would result in network rejections always being logged even when
>    they had been specifically marked as quieted.
>
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> ---
>  security/apparmor/net.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> > diff --git a/security/apparmor/net.c b/security/apparmor/net.c > index 995817c..36befb4 100644 > --- a/security/apparmor/net.c > +++ b/security/apparmor/net.c > @@ -85,7 +85,7 @@ static int audit_net(struct aa_profile *profile, int op, u16 family, int type, > } else { > u16 quiet_mask = profile->net.quiet[sa.u.net.family]; > u16 kill_mask = 0; > - u16 denied = (1 << sa.aad.net.type) & ~quiet_mask; > + u16 denied = (1 << sa.aad.net.type); > > if (denied & kill_mask) > audit_type = AUDIT_APPARMOR_KILL;
>
Acked-by: Colin Ian King <colin.king@canonical.com>
diff --git a/security/apparmor/net.c b/security/apparmor/net.c index 995817c..36befb4 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -85,7 +85,7 @@ static int audit_net(struct aa_profile *profile, int op, u16 family, int type, } else { u16 quiet_mask = profile->net.quiet[sa.u.net.family]; u16 kill_mask = 0; - u16 denied = (1 << sa.aad.net.type) & ~quiet_mask; + u16 denied = (1 << sa.aad.net.type); if (denied & kill_mask) audit_type = AUDIT_APPARMOR_KILL;
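Review bot: in the visible hunk `kill_mask` is initialised as `u16 kill_mask = 0;` and never assigned, so `if (denied & kill_mask)` can never be true and the kill path that bug 1 of the commit message describes is unreachable with or without `& ~quiet_mask` in the `denied` computation; if the kill mask is loaded from the profile further down in `audit_net()`, include that context in the hunk, otherwise the first half of the fix does not change behaviour. A second point on the same lines: after this change `quiet_mask` is computed but no longer used anywhere in the lines shown, and the commit message states that quieting is now applied to denied requests, so the hunk should also show where the quiet mask gates the audit decision (for example a later `denied & ~quiet_mask` test before the log is emitted); without that, `quiet_mask` is a dead local and bug 2 is not addressed by this patch as presented. Please add a short note in the commit message of where the quiet and kill masks are consumed, since the one-line diff does not make that visible to a reviewer.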