This is a note to let you know that I've just added the patch titled
apparmor: fix absroot causing audited secids to begin with =
to the 5.19-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch
and it can be found in the queue-5.19 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 511f7b5b835726e844a5fc7444c18e4b8672edfd Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@xxxxxxxxxxxxx>
Date: Tue, 14 Dec 2021 02:59:28 -0800
Subject: apparmor: fix absroot causing audited secids to begin with =
From: John Johansen <john.johansen@xxxxxxxxxxxxx>
commit 511f7b5b835726e844a5fc7444c18e4b8672edfd upstream.
AppArmor is prefixing secids that are converted to secctx with the =
to indicate the secctx should only be parsed from an absolute root
POV. This allows catching errors where secctx are reparsed back into
internal labels.
Unfortunately because audit is using secid to secctx conversion this
means that subject and object labels can result in a very unfortunate
== that can break audit parsing.
eg. the subj==unconfined term in the below audit message
type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'
Fix this by switch the prepending of = to a _. This still works as a
special character to flag this case without breaking audit. Also move
this check behind debug as it should not be needed during normal
operqation.
Fixes: 26b7899510ae ("apparmor: add support for absolute root view based labels")
Reported-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
security/apparmor/include/lib.h | 5 +++++
security/apparmor/label.c | 7 ++++---
2 files changed, 9 insertions(+), 3 deletions(-)
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -22,6 +22,11 @@
*/
#define DEBUG_ON (aa_g_debug)
+/*
+ * split individual debug cases out in preparation for finer grained
+ * debug controls in the future.
+ */
+#define AA_DEBUG_LABEL DEBUG_ON
#define dbg_printk(__fmt, __args...) pr_debug(__fmt, ##__args)
#define AA_DEBUG(fmt, args...) \
do { \
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -1631,9 +1631,9 @@ int aa_label_snxprint(char *str, size_t
AA_BUG(!str && size != 0);
AA_BUG(!label);
- if (flags & FLAG_ABS_ROOT) {
+ if (AA_DEBUG_LABEL && (flags & FLAG_ABS_ROOT)) {
ns = root_ns;
- len = snprintf(str, size, "=");
+ len = snprintf(str, size, "_");
update_for_len(total, len, size, str);
} else if (!ns) {
ns = labels_ns(label);
@@ -1895,7 +1895,8 @@ struct aa_label *aa_label_strn_parse(str
AA_BUG(!str);
str = skipn_spaces(str, n);
- if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label))
+ if (str == NULL || (AA_DEBUG_LABEL && *str == '_' &&
+ base != &root_ns->unconfined->label))
return ERR_PTR(-EINVAL);
len = label_count_strn_entries(str, end - str);
Patches currently in stable-queue which might be from john.johansen@xxxxxxxxxxxxx are
queue-5.19/apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch
queue-5.19/apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch
queue-5.19/apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch
queue-5.19/apparmor-fix-quiet_denied-for-file-rules.patch
queue-5.19/apparmor-fix-aa_label_asxprint-return-check.patch
queue-5.19/apparmor-fix-overlapping-attachment-computation.patch
queue-5.19/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch
queue-5.19/apparmor-fix-failed-mount-permission-check-error-message.patch
