Patch "apparmor: Fix regression in stacking due to label flags" has been added to the 6.0-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 25 Dec 2022 09:22:12 -0500

This is a note to let you know that I've just added the patch titled

    apparmor: Fix regression in stacking due to label flags

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     apparmor-fix-regression-in-stacking-due-to-label-fla.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 6a5bc45d0ef1a5bcfad8cd1fa77167dd38fb2bf0
Author: John Johansen <john.johansen@xxxxxxxxxxxxx>
Date:   Tue Sep 20 04:01:28 2022 -0700

    apparmor: Fix regression in stacking due to label flags
    
    [ Upstream commit 1f939c6bd1512d0b39b470396740added3cb403f ]
    
    The unconfined label flag is not being computed correctly. It
    should only be set if all the profiles in the vector are set, which
    is different than what is required for the debug and stale flag
    that are set if any on the profile flags are set.
    
    Fixes: c1ed5da19765 ("apparmor: allow label to carry debug flags")
    Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/security/apparmor/label.c b/security/apparmor/label.c
index 0f36ee907438..a67c5897ee25 100644
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -197,15 +197,18 @@ static bool vec_is_stale(struct aa_profile **vec, int n)
 	return false;
 }
 
-static long union_vec_flags(struct aa_profile **vec, int n, long mask)
+static long accum_vec_flags(struct aa_profile **vec, int n)
 {
-	long u = 0;
+	long u = FLAG_UNCONFINED;
 	int i;
 
 	AA_BUG(!vec);
 
 	for (i = 0; i < n; i++) {
-		u |= vec[i]->label.flags & mask;
+		u |= vec[i]->label.flags & (FLAG_DEBUG1 | FLAG_DEBUG2 |
+					    FLAG_STALE);
+		if (!(u & vec[i]->label.flags & FLAG_UNCONFINED))
+			u &= ~FLAG_UNCONFINED;
 	}
 
 	return u;
@@ -1097,8 +1100,7 @@ static struct aa_label *label_merge_insert(struct aa_label *new,
 		else if (k == b->size)
 			return aa_get_label(b);
 	}
-	new->flags |= union_vec_flags(new->vec, new->size, FLAG_UNCONFINED |
-					      FLAG_DEBUG1 | FLAG_DEBUG2);
+	new->flags |= accum_vec_flags(new->vec, new->size);
 	ls = labels_set(new);
 	write_lock_irqsave(&ls->lock, flags);
 	label = __label_insert(labels_set(new), new, false);






