Patch "apparmor: Fix abi check to include v8 abi" has been added to the 4.19-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 25 Dec 2022 11:43:06 -0500

This is a note to let you know that I've just added the patch titled

    apparmor: Fix abi check to include v8 abi

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     apparmor-fix-abi-check-to-include-v8-abi.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit c44baad2e9111dadbca3f793be365cfcd152b35c
Author: John Johansen <john.johansen@xxxxxxxxxxxxx>
Date:   Fri May 6 18:57:12 2022 -0700

    apparmor: Fix abi check to include v8 abi
    
    [ Upstream commit 1b5a6198f5a9d0aa5497da0dc4bcd4fc166ee516 ]
    
    The v8 abi is supported by the kernel but the userspace supported
    version check does not allow for it. This was missed when v8 was added
    due to a bug in the userspace compiler which was setting an older abi
    version for v8 encoding (which is forward compatible except on the
    network encoding). However it is possible to detect the network
    encoding by checking the policydb network support which the code
    does. The end result was that missing the abi flag worked until
    userspace was fixed and began correctly checking for the v8 abi
    version.
    
    Fixes: 56974a6fcfef ("apparmor: add base infastructure for socket mediation")
    Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 612f737cee83..41da5ccc3f3e 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -892,7 +892,7 @@ static int verify_header(struct aa_ext *e, int required, const char **ns)
 	 * if not specified use previous version
 	 * Mask off everything that is not kernel abi version
 	 */
-	if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v7)) {
+	if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v8)) {
 		audit_iface(NULL, NULL, NULL, "unsupported interface version",
 			    e, error);
 		return error;






