On 08/07/2010 04:50 AM, Dan Carpenter wrote:
> If we have a ns name without a following profile then in the original
> code it did "*ns_name = &name[1];". "name" is NULL so "*ns_name" is
> 0x1. That isn't useful and could cause an oops when this function is
> called from aa_remove_profiles().
>
> Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
Indeed. I am sorry to say this case was not enabled in the test suite :(
However proposed patch is incorrect, in that it results in namespace
name that starts at &name[1].
I've attached two patches, the first fixes this issue, and the second
fixes a locking bug in namespace removal, for this case (ie. where
there is no profile name specified.
Thanks for catching this
John
>From 07abf5de857614c13449031b9ac9e06c8efb7765 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@xxxxxxxxxxxxx>
Date: Mon, 9 Aug 2010 08:53:51 -0400
Subject: [PATCH 1/2] AppArmor: Fix splitting an fqname into separate namespace and profile names
As per Dan Carpenter <error27@xxxxxxxxx>
If we have a ns name without a following profile then in the original
code it did "*ns_name = &name[1];". "name" is NULL so "*ns_name" is
0x1. That isn't useful and could cause an oops when this function is
called from aa_remove_profiles().
Beyond this the assignment of the namespace name was wrong in the case
where the profile name was provided as it was being set to &name[1]
after name = skip_spaces(split + 1);
Move the ns_name assignment before updating name for the split and
also add skip_spaces, making the interface more robust.
Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
---
security/apparmor/lib.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 6e85cdb..506d2ba 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -40,6 +40,7 @@ char *aa_split_fqname(char *fqname, char **ns_name)
*ns_name = NULL;
if (name[0] == ':') {
char *split = strchr(&name[1], ':');
+ *ns_name = skip_spaces(&name[1]);
if (split) {
/* overwrite ':' with \0 */
*split = 0;
@@ -47,7 +48,6 @@ char *aa_split_fqname(char *fqname, char **ns_name)
} else
/* a ns name without a following profile is allowed */
name = NULL;
- *ns_name = &name[1];
}
if (name && *name == 0)
name = NULL;
--
1.7.1
>From 8109a95a05dd6e5349e43a2a6bb7149565cc886e Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@xxxxxxxxxxxxx>
Date: Thu, 12 Aug 2010 07:49:12 -0400
Subject: [PATCH 2/2] AppArmor: Fix locking from removal of profile namespace
The locking for profile namespace removal is wrong, when removing a
profile namespace, it needs to be removed from its parent's list.
Lock the parent of namespace list instead of the namespace being removed.
Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
---
security/apparmor/policy.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 3cdc1ad..52cc865 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1151,12 +1151,14 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
/* released below */
ns = aa_get_namespace(root);
- write_lock(&ns->lock);
if (!name) {
/* remove namespace - can only happen if fqname[0] == ':' */
+ write_lock(&ns->parent->lock);
__remove_namespace(ns);
+ write_unlock(&ns->parent->lock);
} else {
/* remove profile */
+ write_lock(&ns->lock);
profile = aa_get_profile(__lookup_profile(&ns->base, name));
if (!profile) {
error = -ENOENT;
@@ -1165,8 +1167,8 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
}
name = profile->base.hname;
__remove_profile(profile);
+ write_unlock(&ns->lock);
}
- write_unlock(&ns->lock);
/* don't fail removal if audit fails */
(void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error);
--
1.7.1
