This is a note to let you know that I've just added the patch titled
apparmor: fix: kzalloc perms tables for shared dfas
to the 6.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
apparmor-fix-kzalloc-perms-tables-for-shared-dfas.patch
and it can be found in the queue-6.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From ec6851ae0ab4587e610e260ddda75f92f3389f91 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@xxxxxxxxxxxxx>
Date: Sat, 15 Apr 2023 00:50:32 -0700
Subject: apparmor: fix: kzalloc perms tables for shared dfas
From: John Johansen <john.johansen@xxxxxxxxxxxxx>
commit ec6851ae0ab4587e610e260ddda75f92f3389f91 upstream.
Currently the permstables of the shared dfas are not shared, and need
to be allocated and copied. In the future this should be addressed
with a larger rework on dfa and pdb ref counts and structure sharing.
BugLink: http://bugs.launchpad.net/bugs/2017903
Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
Reviewed-by: Jon Tourville <jontourville@xxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
security/apparmor/policy.c | 13 +++++++++++++
security/apparmor/policy_unpack.c | 26 ++++++++++++++++++++++----
2 files changed, 35 insertions(+), 4 deletions(-)
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -591,7 +591,15 @@ struct aa_profile *aa_alloc_null(struct
profile->label.flags |= FLAG_NULL;
rules = list_first_entry(&profile->rules, typeof(*rules), list);
rules->file.dfa = aa_get_dfa(nulldfa);
+ rules->file.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
+ if (!rules->file.perms)
+ goto fail;
+ rules->file.size = 2;
rules->policy.dfa = aa_get_dfa(nulldfa);
+ rules->policy.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
+ if (!rules->policy.perms)
+ goto fail;
+ rules->policy.size = 2;
if (parent) {
profile->path_flags = parent->path_flags;
@@ -602,6 +610,11 @@ struct aa_profile *aa_alloc_null(struct
}
return profile;
+
+fail:
+ aa_free_profile(profile);
+
+ return NULL;
}
/**
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -988,9 +988,14 @@ static struct aa_profile *unpack_profile
info = "failed to remap policydb permission table";
goto fail;
}
- } else
+ } else {
rules->policy.dfa = aa_get_dfa(nulldfa);
-
+ rules->policy.perms = kcalloc(2, sizeof(struct aa_perms),
+ GFP_KERNEL);
+ if (!rules->policy.perms)
+ goto fail;
+ rules->policy.size = 2;
+ }
/* get file rules */
error = unpack_pdb(e, &rules->file, false, true, &info);
if (error) {
@@ -1005,9 +1010,22 @@ static struct aa_profile *unpack_profile
rules->policy.start[AA_CLASS_FILE]) {
rules->file.dfa = aa_get_dfa(rules->policy.dfa);
rules->file.start[AA_CLASS_FILE] = rules->policy.start[AA_CLASS_FILE];
- } else
+ rules->file.perms = kcalloc(rules->policy.size,
+ sizeof(struct aa_perms),
+ GFP_KERNEL);
+ if (!rules->file.perms)
+ goto fail;
+ memcpy(rules->file.perms, rules->policy.perms,
+ rules->policy.size * sizeof(struct aa_perms));
+ rules->file.size = rules->policy.size;
+ } else {
rules->file.dfa = aa_get_dfa(nulldfa);
-
+ rules->file.perms = kcalloc(2, sizeof(struct aa_perms),
+ GFP_KERNEL);
+ if (!rules->file.perms)
+ goto fail;
+ rules->file.size = 2;
+ }
error = -EPROTO;
if (aa_unpack_nameX(e, AA_STRUCT, "data")) {
info = "out of memory";
Patches currently in stable-queue which might be from john.johansen@xxxxxxxxxxxxx are
queue-6.4/apparmor-fix-kzalloc-perms-tables-for-shared-dfas.patch
