On 08/07/2010 04:50 AM, Dan Carpenter wrote: > If we have a ns name without a following profile then in the original > code it did "*ns_name = &name[1];". "name" is NULL so "*ns_name" is > 0x1. That isn't useful and could cause an oops when this function is > called from aa_remove_profiles(). > > Signed-off-by: Dan Carpenter <error27@xxxxxxxxx> Indeed. I am sorry to say this case was not enabled in the test suite :( However proposed patch is incorrect, in that it results in namespace name that starts at &name[1]. I've attached two patches, the first fixes this issue, and the second fixes a locking bug in namespace removal, for this case (ie. where there is no profile name specified. Thanks for catching this John
>From 07abf5de857614c13449031b9ac9e06c8efb7765 Mon Sep 17 00:00:00 2001 From: John Johansen <john.johansen@xxxxxxxxxxxxx> Date: Mon, 9 Aug 2010 08:53:51 -0400 Subject: [PATCH 1/2] AppArmor: Fix splitting an fqname into separate namespace and profile names As per Dan Carpenter <error27@xxxxxxxxx> If we have a ns name without a following profile then in the original code it did "*ns_name = &name[1];". "name" is NULL so "*ns_name" is 0x1. That isn't useful and could cause an oops when this function is called from aa_remove_profiles(). Beyond this the assignment of the namespace name was wrong in the case where the profile name was provided as it was being set to &name[1] after name = skip_spaces(split + 1); Move the ns_name assignment before updating name for the split and also add skip_spaces, making the interface more robust. Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx> --- security/apparmor/lib.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c index 6e85cdb..506d2ba 100644 --- a/security/apparmor/lib.c +++ b/security/apparmor/lib.c @@ -40,6 +40,7 @@ char *aa_split_fqname(char *fqname, char **ns_name) *ns_name = NULL; if (name[0] == ':') { char *split = strchr(&name[1], ':'); + *ns_name = skip_spaces(&name[1]); if (split) { /* overwrite ':' with \0 */ *split = 0; @@ -47,7 +48,6 @@ char *aa_split_fqname(char *fqname, char **ns_name) } else /* a ns name without a following profile is allowed */ name = NULL; - *ns_name = &name[1]; } if (name && *name == 0) name = NULL; -- 1.7.1
>From 8109a95a05dd6e5349e43a2a6bb7149565cc886e Mon Sep 17 00:00:00 2001 From: John Johansen <john.johansen@xxxxxxxxxxxxx> Date: Thu, 12 Aug 2010 07:49:12 -0400 Subject: [PATCH 2/2] AppArmor: Fix locking from removal of profile namespace The locking for profile namespace removal is wrong, when removing a profile namespace, it needs to be removed from its parent's list. Lock the parent of namespace list instead of the namespace being removed. Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx> --- security/apparmor/policy.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index 3cdc1ad..52cc865 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -1151,12 +1151,14 @@ ssize_t aa_remove_profiles(char *fqname, size_t size) /* released below */ ns = aa_get_namespace(root); - write_lock(&ns->lock); if (!name) { /* remove namespace - can only happen if fqname[0] == ':' */ + write_lock(&ns->parent->lock); __remove_namespace(ns); + write_unlock(&ns->parent->lock); } else { /* remove profile */ + write_lock(&ns->lock); profile = aa_get_profile(__lookup_profile(&ns->base, name)); if (!profile) { error = -ENOENT; @@ -1165,8 +1167,8 @@ ssize_t aa_remove_profiles(char *fqname, size_t size) } name = profile->base.hname; __remove_profile(profile); + write_unlock(&ns->lock); } - write_unlock(&ns->lock); /* don't fail removal if audit fails */ (void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error); -- 1.7.1