This is a note to let you know that I've just added the patch titled apparmor: fix absroot causing audited secids to begin with = to the 5.19-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch and it can be found in the queue-5.19 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 511f7b5b835726e844a5fc7444c18e4b8672edfd Mon Sep 17 00:00:00 2001 From: John Johansen <john.johansen@xxxxxxxxxxxxx> Date: Tue, 14 Dec 2021 02:59:28 -0800 Subject: apparmor: fix absroot causing audited secids to begin with = From: John Johansen <john.johansen@xxxxxxxxxxxxx> commit 511f7b5b835726e844a5fc7444c18e4b8672edfd upstream. AppArmor is prefixing secids that are converted to secctx with the = to indicate the secctx should only be parsed from an absolute root POV. This allows catching errors where secctx are reparsed back into internal labels. Unfortunately because audit is using secid to secctx conversion this means that subject and object labels can result in a very unfortunate == that can break audit parsing. eg. the subj==unconfined term in the below audit message type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000 ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success' Fix this by switch the prepending of = to a _. This still works as a special character to flag this case without breaking audit. Also move this check behind debug as it should not be needed during normal operqation. Fixes: 26b7899510ae ("apparmor: add support for absolute root view based labels") Reported-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- security/apparmor/include/lib.h | 5 +++++ security/apparmor/label.c | 7 ++++--- 2 files changed, 9 insertions(+), 3 deletions(-) --- a/security/apparmor/include/lib.h +++ b/security/apparmor/include/lib.h @@ -22,6 +22,11 @@ */ #define DEBUG_ON (aa_g_debug) +/* + * split individual debug cases out in preparation for finer grained + * debug controls in the future. + */ +#define AA_DEBUG_LABEL DEBUG_ON #define dbg_printk(__fmt, __args...) pr_debug(__fmt, ##__args) #define AA_DEBUG(fmt, args...) \ do { \ --- a/security/apparmor/label.c +++ b/security/apparmor/label.c @@ -1631,9 +1631,9 @@ int aa_label_snxprint(char *str, size_t AA_BUG(!str && size != 0); AA_BUG(!label); - if (flags & FLAG_ABS_ROOT) { + if (AA_DEBUG_LABEL && (flags & FLAG_ABS_ROOT)) { ns = root_ns; - len = snprintf(str, size, "="); + len = snprintf(str, size, "_"); update_for_len(total, len, size, str); } else if (!ns) { ns = labels_ns(label); @@ -1895,7 +1895,8 @@ struct aa_label *aa_label_strn_parse(str AA_BUG(!str); str = skipn_spaces(str, n); - if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label)) + if (str == NULL || (AA_DEBUG_LABEL && *str == '_' && + base != &root_ns->unconfined->label)) return ERR_PTR(-EINVAL); len = label_count_strn_entries(str, end - str); Patches currently in stable-queue which might be from john.johansen@xxxxxxxxxxxxx are queue-5.19/apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch queue-5.19/apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch queue-5.19/apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch queue-5.19/apparmor-fix-quiet_denied-for-file-rules.patch queue-5.19/apparmor-fix-aa_label_asxprint-return-check.patch queue-5.19/apparmor-fix-overlapping-attachment-computation.patch queue-5.19/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch queue-5.19/apparmor-fix-failed-mount-permission-check-error-message.patch