apparmor: fix apparmor mediating locking non-fs unix sockets

the v8 and earlier policy does not encode the locking permission for no-fs unix sockets. However the kernel is enforcing mediation. Add the AA_MAY_LOCK perm to v8 and earlier computed perm mask which will grant permission for all current abi profiles, but still allow specifying auditing of the operation if needed. Link: http://bugs.launchpad.net/bugs/1780227Signed-off-by: John Johansen <john.johansen@canonical.com>

apparmor: fix apparmor mediating locking non-fs unix sockets
the v8 and earlier policy does not encode the locking permission for no-fs unix sockets. However the kernel is enforcing mediation. Add the AA_MAY_LOCK perm to v8 and earlier computed perm mask which will grant permission for all current abi profiles, but still allow specifying auditing of the operation if needed. Link: http://bugs.launchpad.net/bugs/1780227Signed-off-by: John Johansen <john.johansen@canonical.com>
1cf26c3d · John Johansen · 1b5a6198 · 1cf26c3d
Commit 1cf26c3d authored May 07, 2022 by John Johansen
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 4 deletions

security/apparmor/policy_unpack.c security/apparmor/policy_unpack.c +9 -4

No files found.
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -31,6 +31,7 @@
 #define K_ABI_MASK 0x3ff
 #define FORCE_COMPLAIN_FLAG 0x800
 #define VERSION_LT(X, Y) (((X) & K_ABI_MASK) < ((Y) & K_ABI_MASK))
+#define VERSION_LE(X, Y) (((X) & K_ABI_MASK) <= ((Y) & K_ABI_MASK))
 #define VERSION_GT(X, Y) (((X) & K_ABI_MASK) > ((Y) & K_ABI_MASK))
 #define v5	5	/* base version */
@@ -796,7 +797,8 @@ static u32 map_other(u32 x)
 }
 static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
-					   aa_state_t state)
+					   aa_state_t state,
+					   u32 version)
 {
 	struct aa_perms perms = { };
@@ -809,13 +811,15 @@ static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
 	 */
 	perms.allow |= map_other(dfa_other_allow(dfa, state));
+	if (VERSION_LE(version, v8))
+		perms.allow |= AA_MAY_LOCK;
 	perms.audit |= map_other(dfa_other_audit(dfa, state));
 	perms.quiet |= map_other(dfa_other_quiet(dfa, state));
 	return perms;
 }
-static struct aa_perms *compute_perms(struct aa_dfa *dfa)
+static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version)
 {
 	unsigned int state;
 	unsigned int state_count;
@@ -831,7 +835,7 @@ static struct aa_perms *compute_perms(struct aa_dfa *dfa)
 	/* zero init so skip the trap state (state == 0) */
 	for (state = 1; state < state_count; state++)
-		table[state] = compute_perms_entry(dfa, state);
+		table[state] = compute_perms_entry(dfa, state, version);
 	return table;
 }
@@ -1055,7 +1059,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 		}
 		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
 			goto fail;
-		profile->policy.perms = compute_perms(profile->policy.dfa);
+		profile->policy.perms = compute_perms(profile->policy.dfa,
+						      e->version);
 		if (!profile->policy.perms) {
 			info = "failed to remap policydb permission table";
 			goto fail;