[packages/kernel.git] / 0014-apparmor-fix-race-condition-in-null-profile-creation.patch

From ab3b869791b6122c7be7e68ca4c08e2c2e8815ac Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Wed, 16 Aug 2017 05:40:49 -0700
Subject: [PATCH 14/17] apparmor: fix race condition in null profile creation

There is a race when null- profile is being created between the
initial lookup/creation of the profile and lock/addition of the
profile. This could result in multiple version of a profile being
added to the list which need to be removed/replaced.

Since these are learning profile their is no affect on mediation.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 3aa3de2a4fb8f33ec62b00998bc6b6c6850d41b1)
---
 security/apparmor/policy.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index a81a384a63b1..4243b0c3f0e4 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -500,7 +500,8 @@ struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
 struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
 				       const char *base, gfp_t gfp)
 {
-	struct aa_profile *profile;
+	struct aa_profile *p, *profile;
+	const char *bname;
 	char *name;
 
 	AA_BUG(!parent);
@@ -523,7 +524,8 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
 
 name:
 	/* lookup to see if this is a dup creation */
-	profile = aa_find_child(parent, basename(name));
+	bname = basename(name);
+	profile = aa_find_child(parent, bname);
 	if (profile)
 		goto out;
 
@@ -544,7 +546,13 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
 	profile->policy.dfa = aa_get_dfa(nulldfa);
 
 	mutex_lock(&profile->ns->lock);
-	__add_profile(&parent->base.profiles, profile);
+	p = __find_child(&parent->base.profiles, bname);
+	if (p) {
+		aa_free_profile(profile);
+		profile = aa_get_profile(p);
+	} else {
+		__add_profile(&parent->base.profiles, profile);
+	}
 	mutex_unlock(&profile->ns->lock);
 
 	/* refcount released by caller */
-- 
2.11.0
Commit	Line	Data
daaa955e AM	1	From ab3b869791b6122c7be7e68ca4c08e2c2e8815ac Mon Sep 17 00:00:00 2001
	2	From: John Johansen <john.johansen@canonical.com>
	3	Date: Wed, 16 Aug 2017 05:40:49 -0700
	4	Subject: [PATCH 14/17] apparmor: fix race condition in null profile creation
	5
	6	There is a race when null- profile is being created between the
	7	initial lookup/creation of the profile and lock/addition of the
	8	profile. This could result in multiple version of a profile being
	9	added to the list which need to be removed/replaced.
	10
	11	Since these are learning profile their is no affect on mediation.
	12
	13	Signed-off-by: John Johansen <john.johansen@canonical.com>
	14	(cherry picked from commit 3aa3de2a4fb8f33ec62b00998bc6b6c6850d41b1)
	15	---
	16	security/apparmor/policy.c \| 14 +++++++++++---
	17	1 file changed, 11 insertions(+), 3 deletions(-)
	18
	19	diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
	20	index a81a384a63b1..4243b0c3f0e4 100644
	21	--- a/security/apparmor/policy.c
	22	+++ b/security/apparmor/policy.c
	23	@@ -500,7 +500,8 @@ struct aa_profile aa_fqlookupn_profile(struct aa_label base,
	24	struct aa_profile aa_new_null_profile(struct aa_profile parent, bool hat,
	25	const char *base, gfp_t gfp)
	26	{
	27	- struct aa_profile *profile;
	28	+ struct aa_profile p, profile;
	29	+ const char *bname;
	30	char *name;
	31
	32	AA_BUG(!parent);
	33	@@ -523,7 +524,8 @@ struct aa_profile aa_new_null_profile(struct aa_profile parent, bool hat,
	34
	35	name:
	36	/* lookup to see if this is a dup creation */
	37	- profile = aa_find_child(parent, basename(name));
	38	+ bname = basename(name);
	39	+ profile = aa_find_child(parent, bname);
	40	if (profile)
	41	goto out;
	42
	43	@@ -544,7 +546,13 @@ struct aa_profile aa_new_null_profile(struct aa_profile parent, bool hat,
	44	profile->policy.dfa = aa_get_dfa(nulldfa);
	45
	46	mutex_lock(&profile->ns->lock);
	47	- __add_profile(&parent->base.profiles, profile);
	48	+ p = __find_child(&parent->base.profiles, bname);
	49	+ if (p) {
	50	+ aa_free_profile(profile);
	51	+ profile = aa_get_profile(p);
	52	+ } else {
	53	+ __add_profile(&parent->base.profiles, profile);
	54	+ }
	55	mutex_unlock(&profile->ns->lock);
	56
	57	/* refcount released by caller */
	58	--
	59	2.11.0
	60