apparmor: fix absroot causing audited secids to begin with =

stable inclusion from stable-v5.10.138 commit 08f8128bc9f2b4489e8dd84b91cb69abc0b9c963 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I60QFD Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=08f8128bc9f2b4489e8dd84b91cb69abc0b9c963 -------------------------------- commit 511f7b5b upstream. AppArmor is prefixing secids that are converted to secctx with the = to indicate the secctx should only be parsed from an absolute root POV. This allows catching errors where secctx are reparsed back into internal labels. Unfortunately because audit is using secid to secctx conversion this means that subject and object labels can result in a very unfortunate == that can break audit parsing. eg. the subj==unconfined term in the below audit message type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000 ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success' Fix this by switch the prepending of = to a _. This still works as a special character to flag this case without breaking audit. Also move this check behind debug as it should not be needed during normal operqation. Fixes: 26b78995 ("apparmor: add support for absolute root view based labels") Reported-by: N Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: N John Johansen <john.johansen@canonical.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com>

apparmor: fix absroot causing audited secids to begin with =
stable inclusion from stable-v5.10.138 commit 08f8128bc9f2b4489e8dd84b91cb69abc0b9c963 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I60QFD Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=08f8128bc9f2b4489e8dd84b91cb69abc0b9c963 -------------------------------- commit 511f7b5b upstream. AppArmor is prefixing secids that are converted to secctx with the = to indicate the secctx should only be parsed from an absolute root POV. This allows catching errors where secctx are reparsed back into internal labels. Unfortunately because audit is using secid to secctx conversion this means that subject and object labels can result in a very unfortunate == that can break audit parsing. eg. the subj==unconfined term in the below audit message type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000 ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success' Fix this by switch the prepending of = to a _. This still works as a special character to flag this case without breaking audit. Also move this check behind debug as it should not be needed during normal operqation. Fixes: 26b78995 ("apparmor: add support for absolute root view based labels") Reported-by: N Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: N John Johansen <john.johansen@canonical.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com>
a5a58bda · John Johansen · Zheng Zengkai · 81aba287 · a5a58bda · a5a58bda
隐藏空白更改
内联并排

Showing with 9 addition and 3 deletion

security/apparmor/include/lib.h security/apparmor/include/lib.h +5 -0

security/apparmor/label.c security/apparmor/label.c +4 -3

未找到文件。
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -22,6 +22,11 @@
 */

 #define DEBUG_ON (aa_g_debug)
+/*
+ * split individual debug cases out in preparation for finer grained
+ * debug controls in the future.
+ */
+#define AA_DEBUG_LABEL DEBUG_ON
 #define dbg_printk(__fmt, __args...) pr_debug(__fmt, ##__args)
 #define AA_DEBUG(fmt, args...)						\
 	do {								\

--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -1632,9 +1632,9 @@ int aa_label_snxprint(char *str, size_t size, struct aa_ns *ns,
 	AA_BUG(!str && size != 0);
 	AA_BUG(!label);

-	if (flags & FLAG_ABS_ROOT) {
+	if (AA_DEBUG_LABEL && (flags & FLAG_ABS_ROOT)) {
 		ns = root_ns;
-		len = snprintf(str, size, "=");
+		len = snprintf(str, size, "_");
 		update_for_len(total, len, size, str);
 	} else if (!ns) {
 		ns = labels_ns(label);
@@ -1896,7 +1896,8 @@ struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str,
 	AA_BUG(!str);

 	str = skipn_spaces(str, n);
-	if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label))
+	if (str == NULL || (AA_DEBUG_LABEL && *str == '_' &&
+			    base != &root_ns->unconfined->label))
 		return ERR_PTR(-EINVAL);

 	len = label_count_strn_entries(str, end - str);