Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-06 05:02:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
511f7b5b83
linux-next/security/apparmor
History
John Johansen 511f7b5b83 apparmor: fix absroot causing audited secids to begin with = 
AppArmor is prefixing secids that are converted to secctx with the =
to indicate the secctx should only be parsed from an absolute root
POV. This allows catching errors where secctx are reparsed back into
internal labels.

Unfortunately because audit is using secid to secctx conversion this
means that subject and object labels can result in a very unfortunate
== that can break audit parsing.

eg. the subj==unconfined term in the below audit message

type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'

Fix this by switch the prepending of = to a _. This still works as a
special character to flag this case without breaking audit. Also move
this check behind debug as it should not be needed during normal
operqation.

Fixes: 26b7899510 ("apparmor: add support for absolute root view based labels")
Reported-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-09 15:13:58 -07:00
..
include apparmor: fix absroot causing audited secids to begin with = 2022-07-09 15:13:58 -07:00
.gitignore .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
apparmorfs.c + Features 2021-11-11 14:47:32 -08:00
audit.c audit: purge audit_log_string from the intra-kernel audit API 2020-07-21 11:12:31 -04:00
capability.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
crypto.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
domain.c tracehook: Remove tracehook.h 2022-03-10 16:51:51 -06:00
file.c apparmor: handle idmapped mounts 2021-01-24 14:27:20 +01:00
ipc.c audit: purge audit_log_string from the intra-kernel audit API 2020-07-21 11:12:31 -04:00
Kconfig Minor fixes for v5.9. 2020-08-11 14:30:36 -07:00
label.c apparmor: fix absroot causing audited secids to begin with = 2022-07-09 15:13:58 -07:00
lib.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
lsm.c LSM: Remove double path_rename hook calls for RENAME_EXCHANGE 2022-05-23 13:27:58 +02:00
Makefile apparmor: add base infastructure for socket mediation 2018-03-13 17:25:48 -07:00
match.c apparmor: ensure that dfa state tables have entries 2020-04-08 04:42:48 -07:00
mount.c apparmor:match_mn() - constify devpath argument 2021-03-24 14:11:29 -04:00
net.c security: add const qualifier to struct sock in various places 2020-12-03 12:56:03 -08:00
nulldfa.in apparmor: cleanup add proper line wrapping to nulldfa.in 2018-02-09 11:30:01 -08:00
path.c security: apparmor: delete repeated words in comments 2021-02-07 04:15:46 -08:00
policy_ns.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
policy_unpack_test.c apparmor: test: Use NULL macros 2022-04-04 14:29:29 -06:00
policy_unpack.c + Features 2021-11-11 14:47:32 -08:00
policy.c + Features 2021-11-11 14:47:32 -08:00
procattr.c apparmor: remove duplicated 'Returns:' comments 2021-11-03 15:57:51 -07:00
resource.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
secid.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
stacksplitdfa.in apparmor: use the dfa to do label parse string splitting 2018-02-09 11:30:01 -08:00
task.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00