This is a note to let you know that I've just added the patch titled
apparmor: fix setting unconfined mode on a loaded profile
to the 5.19-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch
and it can be found in the queue-5.19 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 3bbb7b2e9bbcd22e539e23034da753898fe3b4dc Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@xxxxxxxxxxxxx>
Date: Sat, 26 Mar 2022 01:52:06 -0700
Subject: apparmor: fix setting unconfined mode on a loaded profile
From: John Johansen <john.johansen@xxxxxxxxxxxxx>
commit 3bbb7b2e9bbcd22e539e23034da753898fe3b4dc upstream.
When loading a profile that is set to unconfined mode, that label
flag is not set when it should be. Ensure it is set so that when
used in a label the unconfined check will be applied correctly.
Fixes: 038165070aa5 ("apparmor: allow setting any profile into the unconfined state")
Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
security/apparmor/policy_unpack.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -746,16 +746,18 @@ static struct aa_profile *unpack_profile
profile->label.flags |= FLAG_HAT;
if (!unpack_u32(e, &tmp, NULL))
goto fail;
- if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG))
+ if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {
profile->mode = APPARMOR_COMPLAIN;
- else if (tmp == PACKED_MODE_ENFORCE)
+ } else if (tmp == PACKED_MODE_ENFORCE) {
profile->mode = APPARMOR_ENFORCE;
- else if (tmp == PACKED_MODE_KILL)
+ } else if (tmp == PACKED_MODE_KILL) {
profile->mode = APPARMOR_KILL;
- else if (tmp == PACKED_MODE_UNCONFINED)
+ } else if (tmp == PACKED_MODE_UNCONFINED) {
profile->mode = APPARMOR_UNCONFINED;
- else
+ profile->label.flags |= FLAG_UNCONFINED;
+ } else {
goto fail;
+ }
if (!unpack_u32(e, &tmp, NULL))
goto fail;
if (tmp)
Patches currently in stable-queue which might be from john.johansen@xxxxxxxxxxxxx are
queue-5.19/apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch
queue-5.19/apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch
queue-5.19/apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch
queue-5.19/apparmor-fix-quiet_denied-for-file-rules.patch
queue-5.19/apparmor-fix-aa_label_asxprint-return-check.patch
queue-5.19/apparmor-fix-overlapping-attachment-computation.patch
queue-5.19/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch
queue-5.19/apparmor-fix-failed-mount-permission-check-error-message.patch
