Blame patches.apparmor/apparmor-fix-resource-audit-messages-when-auditing-peer.patch
From: John Johansen <john.johansen@canonical.com>
Date: Fri Feb 9 04:57:39 2018 -0800
Subject: apparmor: fix resource audit messages when auditing peer
Patch-mainline: v4.17-rc1
Git-commit: b5beb07ad32ab533027aa988d96a44965ec116f7
References: bsc#1084839
Resource auditing is using the peer field which is not available
when the rlim data struct is used, because it is a different element
of the same union. Accessing peer during resource auditing could
cause garbage log entries or even oops the kernel.
Move the rlim data block into the same struct as the peer field
so they can be used together.
CC: <stable@vger.kernel.org>
Fixes: 86b92cb782b3 ("apparmor: move resource checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 4ac095118717..2ebc00a579fd 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -126,6 +126,10 @@ struct apparmor_audit_data {
const char *target;
kuid_t ouid;
} fs;
+ struct {
+ int rlim;
+ unsigned long max;
+ } rlim;
int signal;
};
};
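Review bot: Nothing in the new layout records which members may be live at the same time, which is the confusion this commit fixes: the added `rlim` block sits between `} fs;` and `int signal;`, so it still shares storage with those two while (per the commit message) becoming usable alongside `peer`. I would add a comment above the group, e.g. `/* fs, rlim and signal are alternatives; each may be used together with peer */`, so that a later audit callback does not read a member its caller never set. The enclosing struct and what looks like an inner union open above this hunk, so the exact nesting should be confirmed against the full header.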
@@ -134,10 +138,6 @@ struct apparmor_audit_data {
const char *ns;
long pos;
} iface;
- struct {
- int rlim;
- unsigned long max;
- } rlim;
struct {
const char *src_name;
const char *type;