Bug#1050256: AppArmor breaks locking non-fs Unix sockets
On 12/30/23 20:24, Mathias Gibbens wrote: On Sat, 2023-12-30 at 16:44 +0100, Salvatore Bonaccorso wrote: John, did you had a chance to work on this backport for 6.1.y stable upstream so we could pick it downstream in Debian in one of the next stable imports? Cherry-picking 1cf26c3d2c4c ("apparmor: fix apparmor mediating locking non-fs unix sockets") does not work, if not havinging the work around e2967ede2297 ("apparmor: compute policydb permission on profile load") AFAICS, so that needs a 6.1.y specific backport submitted to sta...@vger.kernel.org ? I think we could have people from this bug as well providing a Tested-by when necessary. I'm not feeling confident enough to be able to provide myself such a patch to sent to stable (and you only giving an Acked-by/Reviewed-by), so if you can help out here with your upstream hat on that would be more than appreciated and welcome :) Thanks a lot for your work! I played around with this a bit the past week as well, and came to the same conclusion as Salvatore did that commits e2967ede2297 and 1cf26c3d2c4c need to be cherry-picked back to the 6.1 stable tree. I've attached the two commits rebased onto 6.1.y as patches to this message. Commit e2967ede2297 needed a little bit of touchup to apply cleanly, and 1cf26c3d2c4c just needed adjustments for line number changes. I included some comments at the top of each patch. With these two commits cherry-picked on top of the 6.1.69 kernel, I can boot a bookworm system and successfully start a service within a container that utilizes `PrivateNetwork=yes`. Rebooting back into an unpatched vanilla 6.1.69 kernel continues to show the problem. While I didn't see any immediate issues (ie, `aa-status` and log files looked OK), I don't understand the changes in the first commit well enough to be confident in sending these patches for inclusion in the upstream stable tree on my own. Mathias Your backports look good to me, and you can stick my acked-by on them. The changes are strictly more than necessary for the fix. They are part of a larger change set that is trying to cleanup the runtime code by changing the permission mapping from a runtime operation to something that is done only at policy load/unpack time. The advantage of this approach is that while it is a larger change than strictly necessary. It is backporting patches that are already upstream, keep the code closer and making backports easier. Georgia did a minimal backport fix by keeping the version as part of policy and doing the permission mapping at runtime. I have included that patch below. Its advantage is it is a minimal change to fix the issue. I am happy with either version going into stable. Do you want to send them or do you want me to do it? Acked-by: John Johansen From d716d8e6e8b6dc2fa1db2e72ee95c721aef12064 Mon Sep 17 00:00:00 2001 From: Georgia Garcia Date: Tue, 9 Jan 2024 17:54:52 -0300 Subject: [PATCH] apparmor: backport fix apparmor mediating locking non-fs, unix sockets This is a minimal backport of 1cf26c3d2c4c apparmor: fix apparmor mediating locking non-fs unix sockets instead of pulling in the dependency patch e2967ede2297 apparmor: compute policydb permission on profile load which moves the permission mapping to unpack time. We push the version information into the profile so the permission mapping fix can be done in the run time aa_compute_perms() instead of the load time equivalent in compute_perms_entry() introduced by e2967ede2297. Signed-off-by: Georgia Garcia Acked-by: John Johansen --- security/apparmor/apparmorfs.c | 3 ++- security/apparmor/include/perms.h | 2 +- security/apparmor/include/policy.h | 12 security/apparmor/label.c | 9 ++--- security/apparmor/lib.c| 4 +++- security/apparmor/net.c| 3 ++- security/apparmor/policy_unpack.c | 11 +-- 7 files changed, 27 insertions(+), 17 deletions(-) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 7160e7aa58b9..8131c9345900 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -633,7 +633,8 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms, state = aa_dfa_match_len(dfa, profile->policy.start[0], match_str, match_len); if (state) - aa_compute_perms(dfa, state, ); + aa_compute_perms(dfa, state, , + profile->policy.version); } aa_apply_modes_to_perms(profile, ); aa_perms_accum_raw(perms, ); diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h index 13f20c598448..7d5c0c004978 100644 --- a/security/apparmor/include/perms.h +++ b/security/apparmor/include/perms.h @@ -142,7 +142,7 @@ void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs, void aa_apply_modes_to_perms(struct aa_profile *profile, struct aa_perms *perms); void aa_compute_perms(struct aa_dfa *dfa, unsigned int state
Bug#1050256: AppArmor breaks locking non-fs Unix sockets
On 1/27/24 01:21, Salvatore Bonaccorso wrote: Hi John, On Sun, Dec 31, 2023 at 04:24:47AM +, Mathias Gibbens wrote: On Sat, 2023-12-30 at 16:44 +0100, Salvatore Bonaccorso wrote: John, did you had a chance to work on this backport for 6.1.y stable upstream so we could pick it downstream in Debian in one of the next stable imports? Cherry-picking 1cf26c3d2c4c ("apparmor: fix apparmor mediating locking non-fs unix sockets") does not work, if not havinging the work around e2967ede2297 ("apparmor: compute policydb permission on profile load") AFAICS, so that needs a 6.1.y specific backport submitted to sta...@vger.kernel.org ? I think we could have people from this bug as well providing a Tested-by when necessary. I'm not feeling confident enough to be able to provide myself such a patch to sent to stable (and you only giving an Acked-by/Reviewed-by), so if you can help out here with your upstream hat on that would be more than appreciated and welcome :) Thanks a lot for your work! I played around with this a bit the past week as well, and came to the same conclusion as Salvatore did that commits e2967ede2297 and 1cf26c3d2c4c need to be cherry-picked back to the 6.1 stable tree. I've attached the two commits rebased onto 6.1.y as patches to this message. Commit e2967ede2297 needed a little bit of touchup to apply cleanly, and 1cf26c3d2c4c just needed adjustments for line number changes. I included some comments at the top of each patch. With these two commits cherry-picked on top of the 6.1.69 kernel, I can boot a bookworm system and successfully start a service within a container that utilizes `PrivateNetwork=yes`. Rebooting back into an unpatched vanilla 6.1.69 kernel continues to show the problem. While I didn't see any immediate issues (ie, `aa-status` and log files looked OK), I don't understand the changes in the first commit well enough to be confident in sending these patches for inclusion in the upstream stable tree on my own. Do you had a chance to look at this for 6.1.y upstream? Asking/Poking since the point release dates are now clear: https://lists.debian.org/debian-security/2024/01/msg5.html if possible I would like to include those fixes, but only if they are at least queued fror 6.1.y itself to not diverge from upstream. Otherwise we will wait another round, but which means usually 2 months for the point release cadence. I am looking at it right now, I should be done with it today
Bug#963493: Repeatable hard lockup running strace testsuite on 4.19.98+ onwards
On 6/26/20 9:50 AM, Steve McIntyre wrote: > Hi Jann, > > On Fri, Jun 26, 2020 at 04:25:59PM +0200, Jann Horn wrote: >> On Fri, Jun 26, 2020 at 3:41 PM Greg KH wrote: >>> On Fri, Jun 26, 2020 at 12:35:58PM +0100, Steve McIntyre wrote: > > ... > Considering I'm running strace build tests to provoke this bug, finding the failure in a commit talking about ptrace changes does look very suspicious...! Annoyingly, I can't reproduce this on my disparate other machines here, suggesting it's maybe(?) timing related. >> >> Does "hard lockup" mean that the HARDLOCKUP_DETECTOR infrastructure >> prints a warning to dmesg? If so, can you share that warning? > > I mean the machine locks hard - X stops updating, the mouse/keyboard > stop responding. No pings, etc. When I reboot, there's nothing in the > logs. > >> If you don't have any way to see console output, and you don't have a >> working serial console setup or such, you may want to try re-running >> those tests while the kernel is booted with netconsole enabled to log >> to a different machine over UDP (see >> https://www.kernel.org/doc/Documentation/networking/netconsole.txt). > > ACK, will try that now for you. > >> You may want to try setting the sysctl kernel.sysrq=1 , then when the >> system has locked up, press ALT+PRINT+L (to generate stack traces for >> all active CPUs from NMI context), and maybe also ALT+PRINT+T and >> ALT+PRINT+W (to collect more information about active tasks). > > Nod. > >> (If you share stack traces from these things with us, it would be >> helpful if you could run them through scripts/decode_stacktrace.pl >>from the kernel tree first, to add line number information.) > > ACK. > >> Trying to isolate the problem: >> >> __end_current_label_crit_section and end_current_label_crit_section >> are aliases of each other (via #define), so that line change can't >> have done anything. >> >> That leaves two possibilities AFAICS: >> - the might_sleep() call by itself is causing issues for one of the >> remaining users of begin_current_label_crit_section() (because it >> causes preemption to happen more often where it didn't happen on >> PREEMPT_VOLUNTARY before, or because it's trying to print a warning >> message with the runqueue lock held, or something like that) >> - the lack of "if (aa_replace_current_label(label) == 0) >> aa_put_label(label);" in __begin_current_label_crit_section() is >> somehow causing issues >> >> You could try to see whether just adding the might_sleep(), or just >> replacing the begin_current_label_crit_section() call with >> __begin_current_label_crit_section(), triggers the bug. >> >> >> If you could recompile the kernel with CONFIG_DEBUG_ATOMIC_SLEEP - if >> that isn't already set in your kernel config -, that might help track >> down the problem, unless it magically makes the problem stop >> triggering (which I guess would be conceivable if this indeed is a >> race). > > OK, will try that second... > I have not been able to reproduce but So looking at linux-4.19.y it looks like 1f8266ff5884 apparmor: don't try to replace stale label in ptrace access check was picked without ca3fde5214e1 apparmor: don't try to replace stale label in ptraceme check Both of them are marked as Fixes: b2d09ae449ced ("apparmor: move ptrace checks to using labels") so I would expect them to be picked together. ptraceme is potentially updating the task's cred while the access check is running. Try building after picking ca3fde5214e1 apparmor: don't try to replace stale label in ptraceme check
Bug#872726: linux: apparmor doesn't use proper audit event ids
On 09/09/2017 10:25 AM, intrigeri wrote: > Hi Laurent & everyone else who's listening! > > Laurent Bigonville: >> Le 03/09/17 à 13:01, intrigeri a écrit : >>> Laurent Bigonville: IMVHO, in regard to the recent proposal of enabling apparmor in debian by default, this needs to be addressed first. >>> I'm genuinely curious why this should be a blocker for Debian: this is >>> not obvious to me as a number of distros could enable AppArmor by >>> default and can apparently live with this bug. >>> >>> Can you please make it explicit, e.g. describing what exact use cases >>> would be harmed by enabling AppArmor by default without fixing this >>> bug first? > >> I think that having the denials of a MAC properly logged is important for >> both people >> developing their policy and also for intrusion/non conformity detection. > define properly logged, apparmor uses the common LSM audit subsystem the same as smack, and selinux. >> If someone wants to send their logs to some logging services >> (ELK/splunk/...) having >> the messages properly logged/categorized seems to be the start here. > > I see, thanks for the explanation! I agree it's important and I'm sad > this bug makes AppArmor look a bit rough around the edges (because > that doesn't correctly reflect my experience as a user, sysadmin and > distro maintainer). > > I'll look closer at each of these use cases from the "what would we > *break* if we enabled AppArmor by default" perspective: > > * people developing their own AppArmor policy: 100% of the existing >AppArmor policy was developed without proper audit event IDs; >I'll be happy to give ausearch(8) a try once AppArmor does the >right thing, but so far I can very well live without it. > >⇒ from a user-centric perspective, I don't see why this bug would >be a blocker as far as this use case is concerned. > It complicates things because while all LSMs using the common LSM audit frame work share 1400, the userspace end of audit only has fields for selinux defined for 1400. That is there is a disconnect between userspace and kernel. Userspace has argued the kernel should change. > * intrusion detection: the current state of things in Debian (no MAC >framework enabled by default) does not give any such capability to >system administrators; the proposal of enabling AppArmor by default >does not pretend it'll magically give this bonus feature. > >⇒ AppArmor improves other things, just not this one, or at least >not in an ideal way; too bad, but I don't see why this limitation >would be a blocker. > > * centralized logging: enabling AppArmor by default will generate >audit events; if nothing improves on this front, they'll be >erroneously tagged type=1400 and thus might land into a SELinux >bucket or similar by mistake, which can be confusing for sysadmins >who also run SELinux-enabled systems, and even more so once one can >stack SELinux and AppArmor. > It depends on what you mean by erroneously tagged. AppArmor used to have the audit range 1500-1599. When the LSM audit infrastructure was created all LSMs using itwere moved to have id 1400. This was a deliberate choice made by the kernel community, alls LSMs that use this are affected and apparmor has had to live with it. >From an audit tagging perspective 1500 was much better, I would like to see apparmor move back to 1500 but apparmor will continue to use the common LSM audit infrastructure, so the change needs to be agreed to by more than just the apparmor devs. >⇒ I understand there *is* definitely potential for painful impact >here. We'll need to keep an eye on this when evaluating "AppArmor >by default in Buster?" 1 year after it's been enabled by default >(as per my proposal on -devel@). But I bet this bug would have been >fixed a while ago if it was a serious problem in practice: >apparently, tons of Ubuntu and SUSE sysadmins have apparently >managed to cope with this bug just fine for many years. > > So I see very little ground for arguing this bug is a blocker for > enabling AppArmor by default in testing/sid, and reconsidering a year > later — after all, it's one of the purposes of the evaluation > exercises: nobody claims AppArmor is perfect, and what's at stake is > rather whether it brings more value than costs for Debian and its > users. The best, the good, enemies, etc. :) > > If I misunderstood something, sorry! I'm all ears. > > Cheers, >
Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
On 12/05/2014 05:47 AM, Luis Henriques wrote: Following this email I am sending for review the CVE-2014-9090 fix backports for both Lucid (2.6.32) and Precise (3.2.0). I'm also CC'ing Debian mailing-lists, Moritz, Ben and Willy as these backports could be of interest both to Debian and to the 2.6.32 and 3.2 stable kernels. Andy Lutomirski (1): x86_64, traps: Stop using IST for #SS arch/x86/include/asm/page_32_types.h | 1 - arch/x86/include/asm/page_64_types.h | 11 +-- arch/x86/kernel/dumpstack_64.c | 1 - arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/traps.c | 13 + 5 files changed, 7 insertions(+), 21 deletions(-) So both the Lucid and Precise patches look good to me. Like Stefan I noticed the missing define but it does not appear to be used by the patch. I have not worked my way through the list of patches that Willy provided so I can't yet comment on which of any of them should be included. But I think the additional two patches that Ben pointed out af726f21ed8a x86_64, traps: Fix the espfix64 #DF fixup and rewrite it in C b645af2d5905 x86_64, traps: Rework bad_iret really should go with this Acked-by: John Johansen john.johan...@canonical.com -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/5485a158.2050...@canonical.com
Bug#676515: linux-2.6: AppArmor totally broken
On 06/23/2012 11:53 AM, intrigeri wrote: Hi John, John Johansen wrote (17 Jun 2012 19:08:20 GMT) : On 06/15/2012 05:08 PM, Ben Hutchings wrote: If we don't want to restrict sockets used by the kernel, don't we need to store the kern flag for later use by aa_revalidate_sk()? For how apparmor is generally deployed it can get away with this, the kernel bits generally bail out earlier on the check for unconfined. That is not to say it isn't a good idea, or that it shouldn't be done. The fact is this patch is going to be replaced with completely rewritten controls, that do store info on the socket, it just hasn't happened yet due to resources and priorities (not my priorities). Ben, is this a blocker? I want to be convinced that this is not a bug, or else get a fix for it. I am looking at the kernel bits here, but I don't have a patch yet Do you think you'll manage to do it in time for the Wheezy freeze (June 30th)? Since denied has already been masked with ~quiet_mask, this condition can never be true. indeed Ben, is this a blocker? [...] This clearly is a bug and I want to be convinced that it is harmless or else get a fix for it. Right this breaks the controls over quieting of denial messages. Basically if policy specifies a reject should not be logged then the global controls that turn quieting off so that all rejects get logged aren't working for networking. This is an easy patch that I can provide separately or with the patch I am working on for the larger issue. Do you think you'll manage to prepare at least the easy fix it in time for the Wheezy freeze? Okay, there are 4 kernel patches, not all of them are needed depending on whether the network patch is applied or not. If you don't want to apply the networking patch 0001-apparmor-remove-advertising-the-support-of-network-r.patch Stops the kernel interface from incorrectly advertising that it supports network rules. A further patch (not attached) to userspace will also have to be applied If the networking patch is applied these two patches can be applied or ignored, 0001 will be folded into the compat interface patch upstream, and then 0002 will be folded into the networking patch 0001-apparmor-remove-advertising-the-support-of-network-r.patch 0002-apparmor-Advertise-network-mediation-from-the-compat.patch these two patches address the two bugs pointed out in the networking patch 0003-apparmor-Fix-quieting-of-audit-messages-for-network-.patch 0004-apparmor-Ensure-apparmor-does-not-mediate-kernel-bas.patch From 873143ceca69a2e54e7face1be49ad6b5514525d Mon Sep 17 00:00:00 2001 From: John Johansen john.johan...@canonical.com Date: Tue, 26 Jun 2012 02:12:10 -0700 Subject: [PATCH 1/4] apparmor: remove advertising the support of network rules from compat iface The interface compatibility patch was advertising support of network rules, however this is not true if the networking patch is not applied. Move advertising of network rules into a third patch that can be applied if both the compatibility and network patches are applied. Signed-off-by: John Johansen john.johan...@canonical.com --- security/apparmor/apparmorfs-24.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c index dc8c744..367c7ea 100644 --- a/security/apparmor/apparmorfs-24.c +++ b/security/apparmor/apparmorfs-24.c @@ -49,7 +49,7 @@ const struct file_operations aa_fs_matching_fops = { static ssize_t aa_features_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) { - const char features[] = file=3.1 capability=2.0 network=1.0 + const char features[] = file=3.1 capability=2.0 change_hat=1.5 change_profile=1.1 aanamespaces=1.1 rlimit=1.1; return simple_read_from_buffer(buf, size, ppos, features, -- 1.7.9.5 From 89a577e1bd55ee589c66bb82babb1dbbb8d73dad Mon Sep 17 00:00:00 2001 From: John Johansen john.johan...@canonical.com Date: Tue, 26 Jun 2012 02:15:36 -0700 Subject: [PATCH 2/4] apparmor: Advertise network mediation from the compatibility interface The userspace needs to know if the apparmor kernel module supports network mediation. Apply this patch if both the v2.3 compatibility patch and network mediation patches are applied. Signed-off-by: John Johansen john.johan...@canonical.com --- security/apparmor/apparmorfs-24.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c index 367c7ea..dc8c744 100644 --- a/security/apparmor/apparmorfs-24.c +++ b/security/apparmor/apparmorfs-24.c @@ -49,7 +49,7 @@ const struct file_operations aa_fs_matching_fops = { static ssize_t aa_features_read(struct file *file, char __user *buf, size_t size, loff_t *ppos) { - const char features[] = file=3.1 capability=2.0 + const char features[] = file=3.1 capability=2.0 network=1.0 change_hat=1.5
Bug#676515: linux-2.6: AppArmor totally broken
On 06/23/2012 11:53 AM, intrigeri wrote: Hi John, John Johansen wrote (17 Jun 2012 19:08:20 GMT) : On 06/15/2012 05:08 PM, Ben Hutchings wrote: If we don't want to restrict sockets used by the kernel, don't we need to store the kern flag for later use by aa_revalidate_sk()? For how apparmor is generally deployed it can get away with this, the kernel bits generally bail out earlier on the check for unconfined. That is not to say it isn't a good idea, or that it shouldn't be done. The fact is this patch is going to be replaced with completely rewritten controls, that do store info on the socket, it just hasn't happened yet due to resources and priorities (not my priorities). Ben, is this a blocker? I want to be convinced that this is not a bug, or else get a fix for it. I am looking at the kernel bits here, but I don't have a patch yet Do you think you'll manage to do it in time for the Wheezy freeze (June 30th)? Yes for the don't mediate kernel sockets tagging, and the quiet masking. The check if in interrupt context I am not comfortable removing yet and it will have to wait for the full new networking patches. Since denied has already been masked with ~quiet_mask, this condition can never be true. indeed Ben, is this a blocker? [...] This clearly is a bug and I want to be convinced that it is harmless or else get a fix for it. Right this breaks the controls over quieting of denial messages. Basically if policy specifies a reject should not be logged then the global controls that turn quieting off so that all rejects get logged aren't working for networking. This is an easy patch that I can provide separately or with the patch I am working on for the larger issue. Do you think you'll manage to prepare at least the easy fix it in time for the Wheezy freeze? Yes I should have something for you by the end of the weekend if not sooner -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4fe62977.7070...@canonical.com
Bug#676515: linux-2.6: AppArmor totally broken
On 06/23/2012 12:30 PM, intrigeri wrote: Hi, Ben Hutchings wrote (23 Jun 2012 19:02:06 GMT) : What is it that you think will happen at the freeze? We stop fixing all bugs and do nothing for the next few months? Of course, and we'll lazily eat lots of icecream while you work hard to release many shiny new Linux 3.2.x :) Irony set aside, I believe there are two different ways of fixing this bug: - Either by fixing the actual regression directly, without applying the network control patch: it seems clear to me that this can happen after the freeze. So far, so good. - Or by applying the AppArmor network control patch, in an improved version that John is apparently working on; this would be my preferred solution. But, given it would be a feature addition, rather than being merely a minimal bugfix, I'm not too sure it would be fit for a freeze exception. Hence my gentle pressuring on John to get this done before the freeze. Feel free to correct me if my understanding of the situation is wrong. To be clear the network stuff I am working on for wheezy is 2 patches to the current networking patch. The larger networking rewrite is not ready yet and even if I could get it done in time I would not feel comfortable pushing that in to wheezy as it would be at best early beta quality -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4fe629f3.5010...@canonical.com
Bug#676515: linux-2.6: AppArmor totally broken
On 06/15/2012 05:08 PM, Ben Hutchings wrote: On Fri, 2012-06-15 at 22:38 +0200, intrigeri wrote: Hi John, Ben and all other involved ones, I'd like to see this moving forward, since the Wheezy freeze is coming soon. See bellow explicit questions. Me too; thanks for the mail. John Johansen wrote (07 Jun 2012 16:45:36 GMT) : On 06/07/2012 07:34 AM, Ben Hutchings wrote: If we don't want to restrict sockets used by the kernel, don't we need to store the kern flag for later use by aa_revalidate_sk()? For how apparmor is generally deployed it can get away with this, the kernel bits generally bail out earlier on the check for unconfined. That is not to say it isn't a good idea, or that it shouldn't be done. The fact is this patch is going to be replaced with completely rewritten controls, that do store info on the socket, it just hasn't happened yet due to resources and priorities (not my priorities). Ben, is this a blocker? I want to be convinced that this is not a bug, or else get a fix for it. I am looking at the kernel bits here, but I don't have a patch yet Since denied has already been masked with ~quiet_mask, this condition can never be true. indeed Ben, is this a blocker? [...] This clearly is a bug and I want to be convinced that it is harmless or else get a fix for it. Right this breaks the controls over quieting of denial messages. Basically if policy specifies a reject should not be logged then the global controls that turn quieting off so that all rejects get logged aren't working for networking. This is an easy patch that I can provide separately or with the patch I am working on for the larger issue. I have also been looking into why the regression is happening, it actually looks to be in the userspace caching of compiled policy. I can run the same basic profile loads on ubuntu with a kernel that only has the single interface patch applied and it works. So its just a matter of tracking down which patches are needed now. -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4fde2b24.5070...@canonical.com
Bug#676515: linux-2.6: AppArmor totally broken
On 06/07/2012 07:34 AM, Ben Hutchings wrote: On Thu, 2012-06-07 at 15:35 +0200, intrig...@debian.org wrote: Package: linux-2.6 Severity: normal Version: 3.2.19-1 Tags: patch X-Debbugs-CC: john.johan...@canonical.com, k...@debian.org, mi...@riseup.net Hi, the AppArmor compatibility patch applied to fix #661151 totally breaks AppArmor support; this is a regression. Details: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661151#83 Applying the AppArmor: compatibility patch for v5 network controll on top of the already applied one fixes the problem for me. I did test with the patch that can be found there: http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-precise.git;a=commit;h=d253e5fb4a6b552e7cd2a3c80934ab4f92faec97 Please consider applying this network compatibility patch, not only to fix this regression, but also to get us working network mediation. So these independent patches really aren't... or else userland gets confused if we apply just the one. Hrmmm, no they should be. That is a bug in userland that needs to be fixed. I do know that they used to work when applied separately. It certainly not a configuration that gets a lot of testing, but it should have worked. I will look into it and figure out what is causing it to break. Looking at the network controller patch: --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c [...] @@ -621,6 +622,104 @@ static int apparmor_task_setrlimit(struct task_struct *task, return error; } +static int apparmor_socket_create(int family, int type, int protocol, int kern) +{ +struct aa_profile *profile; +int error = 0; + +if (kern) +return 0; If we don't want to restrict sockets used by the kernel, don't we need to store the kern flag for later use by aa_revalidate_sk()? For how apparmor is generally deployed it can get away with this, the kernel bits generally bail out earlier on the check for unconfined. That is not to say it isn't a good idea, or that it shouldn't be done. The fact is this patch is going to be replaced with completely rewritten controls, that do store info on the socket, it just hasn't happened yet due to resources and priorities (not my priorities). +profile = __aa_current_profile(); +if (!unconfined(profile)) +error = aa_net_perm(OP_CREATE, profile, family, type, protocol, +NULL); +return error; +} [...] --- /dev/null +++ b/security/apparmor/net.c [...] +static int audit_net(struct aa_profile *profile, int op, u16 family, int type, + int protocol, struct sock *sk, int error) +{ [...] +} else { +u16 quiet_mask = profile-net.quiet[sa.u.net.family]; +u16 kill_mask = 0; +u16 denied = (1 sa.aad.net.type) ~quiet_mask; + +if (denied kill_mask) +audit_type = AUDIT_APPARMOR_KILL; + +if ((denied quiet_mask) Since denied has already been masked with ~quiet_mask, this condition can never be true. indeed +AUDIT_MODE(profile) != AUDIT_NOQUIET +AUDIT_MODE(profile) != AUDIT_ALL) +return COMPLAIN_MODE(profile) ? 0 : sa.aad.error; +} + +return aa_audit(audit_type, profile, GFP_KERNEL, sa, audit_cb); +} [...] +/** + * aa_revalidate_sk - Revalidate access to a sock + * @op: operation being checked + * @sk: sock being revalidated (NOT NULL) + * + * Returns: %0 else error if permission denied + */ +int aa_revalidate_sk(int op, struct sock *sk) +{ +struct aa_profile *profile; +int error = 0; + +/* aa_revalidate_sk should not be called from interrupt context + * don't mediate these calls as they are not task related + */ +if (in_interrupt()) +return 0; I wonder why this is being checked at all. Good question, I will have to dig into it. +profile = __aa_current_profile(); +if (!unconfined(profile)) +error = aa_net_perm(op, profile, sk-sk_family, sk-sk_type, +sk-sk_protocol, sk); + +return error; +} [...] Ben. -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4fd0dab0.5070...@canonical.com
Bug#661151: [apparmor] Bug#661151: linux-2.6: lacks AppArmor kernel/userspace interface
On 05/30/2012 08:08 AM, micah anderson wrote: Hi all, Its been 2 months without a reply on this issue, and we are getting close to a freeze. Kees and John it looks like there are some pending questions for you below, it would be great if you could chime in with your opinons: If the Debian kernel team was willing to carry some kind of AppArmor kernel/userspace interface patch, I'm now unsure if the old or new ones would be better suited. (I assume AppArmor 2.8 is released long enough before the Wheezy freeze, so that we can ship it in there, and are given this choice.) On the one hand, the old compat' patches are confidence inspiring, as they are small and have been shipped by Ubuntu for a while. My opinon: the 2.4 compat patch is tiny, and it works well, and has been tested for some time, I think it makes the most sense to include this one. probably, especially if you are looking to keep the patch as small as possible On the other hand, it seems the new patches are being upstreamed, which makes them more appealing somehow than the older ones. The newer patch is bigger, some of it must be backported from Linux 3.4, some from Ubuntu, it is much less tested and I suspect because of that will encounter much more resistance from Debian's kernel team to include it. Presumably this will eventually be the one that will be upstreamed, but it isn't there yet. This is why I think the 2.4 compat patch is the way to go with Wheezy, when the newer patch is upstreamed that can be swapped out then. yeah to clarify, half of the new interface went upstream in 3.4 and I can provide a version of that that is backported but its a few patches and not as small as the compat patch. In addition to that you would need a compatibility patch on top of that, that provides the features the current upstream interface doesn't John, I think it would help if you could please point us more precisely to the commits of the new interface that have been upstreamed already, and to the ones that have not been, so that we can get a rough idea of where things are at. hrmmm, I think I missed answering this before the upstream patches 9acd494be9387b0608612cd139967201dd7a4e12 e74abcf3359d0130e99a6511ac484a3ea9e6e988 a9bf8e9fd561ba9ff1f0f2a1d96e439fced4 d384b0a1a35f87f0ad70c29518f98f922b1c15cb the additional patch to complete the interface git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor v3.4-aa2.8 8de755e4dfdbc40bfcaca848ae6b5aeaf0ede0e8 vs. the old compat patch git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor da1ce2265ebb70860b9c137a542e48b170e4606b Kees, others, what do you think? While I like to see the latest stuff, I think the old patch is a smaller delta, well tested and going to be less to maintain so it really seems the way to go. -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4fc6b14b.70...@canonical.com
Bug#661151: [apparmor] Bug#661151: linux-2.6: lacks AppArmor kernel/userspace interface
On 05/30/2012 06:10 PM, Ben Hutchings wrote: On Wed, 2012-05-30 at 16:46 -0700, John Johansen wrote: On 05/30/2012 08:08 AM, micah anderson wrote: Hi all, Its been 2 months without a reply on this issue, and we are getting close to a freeze. Kees and John it looks like there are some pending questions for you below, it would be great if you could chime in with your opinons: If the Debian kernel team was willing to carry some kind of AppArmor kernel/userspace interface patch, I'm now unsure if the old or new ones would be better suited. (I assume AppArmor 2.8 is released long enough before the Wheezy freeze, so that we can ship it in there, and are given this choice.) On the one hand, the old compat' patches are confidence inspiring, as they are small and have been shipped by Ubuntu for a while. My opinon: the 2.4 compat patch is tiny, and it works well, and has been tested for some time, I think it makes the most sense to include this one. probably, especially if you are looking to keep the patch as small as possible Should I take it that '2.4 compat' actually means '2.4-2.7 compat'? yeah it turned out to be that. The rewrite to use the newer LSM path hooks began after 2.4, and the patch provided the 2.4 interface until a newer interface that was more sysfs in style could be created. [...] vs. the old compat patch git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor da1ce2265ebb70860b9c137a542e48b170e4606b Kees, others, what do you think? While I like to see the latest stuff, I think the old patch is a smaller delta, well tested and going to be less to maintain so it really seems the way to go. So you're saying we should take just the one quoted above for wheezy? The aafs_create() and aafs_remove() calls are mismatched when CONFIG_SECURITY_APPARMOR_COMPAT_24 is not set, but aside from that it doesn't look too horrible. oops I guess we never built it that way, I can fix that for you What about this one: commit 1023c7c2f9d9c5707147479104312c4c3d1a2c2b Author: John Johansen john.johan...@canonical.com Date: Wed Aug 10 22:02:39 2011 -0700 AppArmor: compatibility patch for v5 network controll Add compatibility for v5 network rules. That will provide support for the network rules and if you are willing to carry it that would be greate but is not strictly necessary. Policy can still be loaded and introspected. If that patch is missing and if profile contains network rules the parser will complain about them not being enforced, but it will still load and enforce the rest of the policy -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4fc6dee6.9090...@canonical.com
Bug#661151: [apparmor] Bug#661151: linux-2.6: lacks AppArmor kernel/userspace interface
On 03/14/2012 03:24 AM, intrigeri wrote: Hi, John Johansen wrote (13 Mar 2012 16:33:53 GMT) : sorry I missed this, Thank you, John, for your answers :) yes you can pull them out of the tarball, That would be 0002-AppArmor-compatibility-patch-for-v5-interface.patch that can be found in the kernel-patches/$LATEST/ directory of the apparmor Debian source package. Given $LATEST == 3.1 currently, see bellow for the Ubuntu patches that were maybe refreshed. John, do you confirm this patch does not depend on any of the two others? It does not but there may be a small conflict or two to resolve if 0001-AppArmor-compatibility-patch-for-v5-network-controll.patch is not applied first. If it doesn't apply cleanly I will be happy to update it for you. (namely: 0001-AppArmor-compatibility-patch-for-v5-network-controll.patch and 0003-AppArmor-Allow-dfa-backward-compatibility-with-broke.patch) or from the ubuntu kernel tree. I guess that would be http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-precise.git;a=commit;h=56f928f0cbf810c047a9a72e4e5c4840800437ec John, please correct me if I did not guess right. You are right There are also a new set of patches available against the 3.3 kernel. The static parts of the interface have been updated and pushed into the 3.4 kernel. And the goal is to get the other part into the 3.5 kernel (still a wip). John: I guess the Linux 3.2 kernel shipped in Precise will carry those patches, and this is why the v5 compat' patches got recently reverted in Precise's kernel tree, right? correct Though those will require a more recent userspace. John: that will be called 2.8, right? correct. The 2.8 userspace release will ship with precise and will be compatible with both the older and newer kernel interfaces. -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4f607461.6020...@canonical.com
Bug#661151: [apparmor] Bug#661151: linux-2.6: lacks AppArmor kernel/userspace interface
On 02/24/2012 08:40 AM, intrigeri wrote: Ben Hutchings wrote (24 Feb 2012 16:06:16 GMT) : Where can I find the patch? Kees and Ubuntu AppArmor developers: can you please confirm the patches that the Debian kernel team should consider for supporting the AppArmor legacy interface would be the ones found in the kernel-patches/$LATEST/ directory of the apparmor 2.7.x tarball? Or have you got updated patches, e.g. for Linux 3.2.x, published somewhere to be found? sorry I missed this, yes you can pull them out of the tarball, or from the ubuntu kernel tree. You will also be able to pull them from the git tree at git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor.git though I still need to restore them as the tree got wiped after the kernel.org breakin. There are also a new set of patches available against the 3.3 kernel. The static parts of the interface have been updated and pushed into the 3.4 kernel. And the goal is to get the other part into the 3.5 kernel (still a wip). Though those will require a more recent userspace. If someone will let me know what is desired I will set up a tree with patches pre-applied. -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4f5f76f1.6010...@canonical.com