author | John Johansen <john.johansen@canonical.com> | 2018-07-30 13:55:30 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2019-07-10 16:34:30 -0700 |
commit | 4f5e6604eb764ca4ce6d4aff14573f63c8e50025 (patch) | |
tree | be635087d4563009a5d34406a29ae9f4fc5b21c8 | |
parent | 84380fcd00ab1ce239ff12abff8f60ecedb3a547 (diff) | |
download | linux-apparmor-5.2-outoftree.tar.gz |
UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets (5.2-outoftree)
The apparmor policy language currently does not allow expressing of the
locking permission for non-fs unix sockets. However the kernel is
enforcing mediation.

Add the AA_MAY_LOCK perm to the computed perm mask which will grant
permission for all current abi profiles, but still allow specifying
auditing of the operation if needed.
BugLink: http://bugs.launchpad.net/bugs/1780227
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
-rw-r--r-- | security/apparmor/lib.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c index 30c246a9d4409..ec24f864ef25c 100644 --- a/security/apparmor/lib.c +++ b/security/apparmor/lib.c @@ -334,7 +334,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, /* for v5 perm mapping in the policydb, the other set is used * to extend the general perm set */ - perms->allow |= map_other(dfa_other_allow(dfa, state)); + perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK; perms->audit |= map_other(dfa_other_audit(dfa, state)); perms->quiet |= map_other(dfa_other_quiet(dfa, state)); // perms->xindex = dfa_user_xindex(dfa, state); |
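Review bot: The changed line `perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;` ORs in AA_MAY_LOCK unconditionally, and nothing in the visible context of aa_compute_perms() limits that to the non-fs unix socket case the commit message describes, so every dfa/state pair that reaches this statement gets lock allowed regardless of what the policy's "other" set encodes. If the blanket grant is intended, it needs a comment at that line saying why a constant is merged into a policy-derived mask (the policy language cannot yet express lock for these sockets) and that it should be dropped or gated on the policy ABI once it can, otherwise a later reader will take it for a policy-derived bit. If it is not intended, scope the grant to the unix socket mediation path rather than the shared perm computation. The audit and quiet masks on the following lines are left policy-derived, which matches the stated goal of still allowing the operation to be audited; it would help to state whether an explicit deny is still expected to take precedence over this forced allow bit, since the hunk does not show how deny is computed.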