From patchwork Tue Feb 4 15:16:44 2014
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 316607
Message-ID: <52F1045C.4090301@canonical.com>
Date: Tue, 04 Feb 2014 10:16:44 -0500
From: John Johansen Organization: Canonical User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: Kernel team list Subject: [Patch][Trusty] Add config option to disable new apparmor 3 semantics X-Enigmail-Version: 1.5.2 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This patch removes the need to patch apparmor for the lts-backport kernels by adding a config option. The patch could also be applied to saucy to remove the current revert in the lts-backport-saucy kernel. The config option should be set as follows trusty: Y lts-backport-trusty: N --- From 96d3f12c6aa38dab3bb00bbc3150344c6b42a651 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Mon, 3 Feb 2014 11:38:47 -0500 Subject: [PATCH] UBUNTU: SAUCE: Add config option to disable new apparmor 3 semantics http://bugs.launchpad.net/bugs/1270215 Precise policy was not setup to deal with mediation of unix domain sockets at connection, as such this patch causes policy failures on precise. This bug could be fixed by updating policy but that would still cause custom policy to break, so as with lts-saucy this feature should be removed for lts-trusty on precise. Signed-off-by: John Johansen --- security/apparmor/Kconfig | 10 ++++++++++ security/apparmor/lsm.c | 2 ++ 2 files changed, 12 insertions(+) diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig index a738fee..119f0f0 100644 --- a/security/apparmor/Kconfig +++ b/security/apparmor/Kconfig 
@@ -76,3 +76,13 @@ config SECURITY_APPARMOR_HASH This option selects whether sha1 hashing is done against loaded profiles and exported for inspection to user space via the apparmor filesystem. + +config SECURITY_APPARMOR_AA3_SEMANTICS + bool "AppArmor3 semantics" + depends on SECURITY_APPARMOR + default y + help + This option enables semantic changes in apparmor 3 that affect + policy developed for an apparmor 2.8 system. If enabled + apparmor 2.8 policy may need to be updated when used with an + apparmor 3 enabled kernel. diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index b83e92b..c4015cd 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -793,6 +793,7 @@ do { \ static int unix_fs_perm(int op, struct aa_label *label, struct sock *sk, u32 mask) { +#ifndef CONFIG_APPARMOR_AA3_SEMANTICS if (!unconfined(label) && UNIX_FS(sk)) { struct unix_sock *u = unix_sk(sk); @@ -803,6 +804,7 @@ static int unix_fs_perm(int op, struct aa_label *label, struct sock *sk, return aa_path_perm(op, label, &u->path, 0, mask, &cond); } +#endif return 0; }
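Review bot: the help text of the new SECURITY_APPARMOR_AA3_SEMANTICS option in the Kconfig hunk is too vague to act on; "semantic changes in apparmor 3 that affect policy developed for an apparmor 2.8 system" does not tell a kernel configurator what is actually switched. The commit message is specific (mediation of unix domain sockets at connection, which precise policy was not written for), and the cover letter gives the intended settings (trusty: Y, lts-backport-trusty: N), so the help text should name the unix domain socket mediation change and state that N is the setting for lts-backport kernels running on precise policy.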
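Review bot: the preprocessor guard in the lsm.c hunk does not match the Kconfig symbol, so the option has no effect. Kconfig defines `config SECURITY_APPARMOR_AA3_SEMANTICS`, which the build exports as `CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS`, but unix_fs_perm tests `#ifndef CONFIG_APPARMOR_AA3_SEMANTICS`. That macro is never defined in either configuration, so the `#ifndef` is always true, the path-permission check is always compiled in, and setting the option to N on lts-backport-trusty will not remove the behaviour the commit message says breaks precise policy. The guard should read `#ifndef CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS`. A one-line comment above the guard explaining the direction (enabling AA3 semantics compiles this path-based check out and unix_fs_perm then unconditionally returns 0) would also help, since the option name alone suggests the opposite polarity.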