0014-apparmor-fix-race-condition-in-null-profile-creation.patch

   1 From ab3b869791b6122c7be7e68ca4c08e2c2e8815ac Mon Sep 17 00:00:00 2001
   2 From: John Johansen <john.johansen@canonical.com>
   3 Date: Wed, 16 Aug 2017 05:40:49 -0700
   4 Subject: [PATCH 14/17] apparmor: fix race condition in null profile creation
   5
   6 There is a race when null- profile is being created between the
   7 initial lookup/creation of the profile and lock/addition of the
   8 profile. This could result in multiple version of a profile being
   9 added to the list which need to be removed/replaced.
  10
  11 Since these are learning profile their is no affect on mediation.
  12
  13 Signed-off-by: John Johansen <john.johansen@canonical.com>
  14 (cherry picked from commit 3aa3de2a4fb8f33ec62b00998bc6b6c6850d41b1)
  15 ---
  16  security/apparmor/policy.c | 14 +++++++++++---
  17  1 file changed, 11 insertions(+), 3 deletions(-)
  18
  19 diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
  20 index a81a384a63b1..4243b0c3f0e4 100644
  21 --- a/security/apparmor/policy.c
  22 +++ b/security/apparmor/policy.c
  23 @@ -500,7 +500,8 @@ struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
  24  struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
  25                                        const char *base, gfp_t gfp)
  26  {
  27 -       struct aa_profile *profile;
  28 +       struct aa_profile *p, *profile;
  29 +       const char *bname;
  30         char *name;
  31
  32         AA_BUG(!parent);
  33 @@ -523,7 +524,8 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
  34
  35  name:
  36         /* lookup to see if this is a dup creation */
  37 -       profile = aa_find_child(parent, basename(name));
  38 +       bname = basename(name);
  39 +       profile = aa_find_child(parent, bname);
  40         if (profile)
  41                 goto out;
  42
  43 @@ -544,7 +546,13 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
  44         profile->policy.dfa = aa_get_dfa(nulldfa);
  45
  46         mutex_lock(&profile->ns->lock);
  47 -       __add_profile(&parent->base.profiles, profile);
  48 +       p = __find_child(&parent->base.profiles, bname);
  49 +       if (p) {
  50 +               aa_free_profile(profile);
  51 +               profile = aa_get_profile(p);
  52 +       } else {
  53 +               __add_profile(&parent->base.profiles, profile);
  54 +       }
  55         mutex_unlock(&profile->ns->lock);
  56
  57         /* refcount released by caller */
  58 --
  59 2.11.0
  60