[pve-devel] applied: [PATCH kernel] add apparmor socket mediation fix

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Jul 30 12:26:12 CEST 2018


> On July 30, 2018 at 11:51 AM Thomas Lamprecht <t.lamprecht at proxmox.com> wrote:
> 
> 
> Am 07/30/2018 um 09:26 AM schrieb Wolfgang Bumiller:
> > Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227
> > Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> > ---
> > This fixes unix socket locking issues newer systemd versions run into on
> > e.g. Arch or Fedora containers.
> > 
> >   ...E-apparmor-fix-apparmor-mediating-locking.patch | 36 ++++++++++++++++++++++
> >   1 file changed, 36 insertions(+)
> >   create mode 100644 patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch
> > 
> > diff --git a/patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch b/patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch
> > new file mode 100644
> > index 0000000..23c1c50
> > --- /dev/null
> > +++ b/patches/kernel/0010-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch
> > @@ -0,0 +1,36 @@
> > +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
> > +From: John Johansen <john.johansen at canonical.com>
> > +Date: Fri, 27 Jul 2018 14:27:05 -0700
> > +Subject: [PATCH] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs
> > + unix sockets
> > +
> > +the apparmor policy language current does not allow expressing of the
> > +locking permission for no-fs unix sockets. However the kernel is
> > +enforcing mediation.
> > +
> > +Add the AA_MAY_LOCK perm to the computed perm mask which will grant
> > +permission for all current abi profiles, but still allow specifying
> > +auditing of the operation if needed.
> > +
> > +http://bugs.launchpad.net/bugs/1780227
> > +Signed-off-by: John Johansen <john.johansen at canonical.com>
> > +---
> > + security/apparmor/lib.c | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
> > +index a7b3f681b80e..eafad30a78d7 100644
> > +--- a/security/apparmor/lib.c
> > ++++ b/security/apparmor/lib.c
> > +@@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
> > + 	/* for v5 perm mapping in the policydb, the other set is used
> > + 	 * to extend the general perm set
> > + 	 */
> > +-	perms->allow |= map_other(dfa_other_allow(dfa, state));
> > ++	perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
> > + 	perms->audit |= map_other(dfa_other_audit(dfa, state));
> > + 	perms->quiet |= map_other(dfa_other_quiet(dfa, state));
> > + //	perms->xindex = dfa_user_xindex(dfa, state);
> > +--
> > +2.17.1
> > +
> > 
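Review bot: the one-line change in security/apparmor/lib.c ORs AA_MAY_LOCK into perms->allow unconditionally, so every profile compiled against the current policy ABI is granted lock permission on non-fs unix sockets regardless of what the policy says; the inner commit message states this is deliberate because the policy language cannot yet express that permission, but the outer commit message ("This fixes unix socket locking issues ...") should say plainly that the fix works by widening permissions for all profiles rather than by correcting a mediation bug, so the patch is revisited once the policy language gains a lock rule for these sockets. Since perms->audit and perms->quiet are left policy-driven, auditing of the lock operation remains possible, which is worth keeping in the description as the compensating control. Also note the all-zero "From 0000000000000000000000000000000000000000" header: this is a SAUCE patch with no upstream commit to cross-reference, so the Launchpad bug link is the only provenance for the series file.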
> 
> applied, would you like to bump now with this or would it be OK to wait
> for the next stable kernel update?

Our users with Arch/Fedora containers would definitely prefer an
early bump ;-) Not sure how long it usually takes for this to get in.
It's marked as critical on launchpad.
