github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-07 05:55:44 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
08f8128bc9
linux/security
History
John Johansen 08f8128bc9 apparmor: fix absroot causing audited secids to begin with = 
commit 511f7b5b83 upstream.

AppArmor is prefixing secids that are converted to secctx with the =
to indicate the secctx should only be parsed from an absolute root
POV. This allows catching errors where secctx are reparsed back into
internal labels.

Unfortunately because audit is using secid to secctx conversion this
means that subject and object labels can result in a very unfortunate
== that can break audit parsing.

eg. the subj==unconfined term in the below audit message

type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'

Fix this by switch the prepending of = to a _. This still works as a
special character to flag this case without breaking audit. Also move
this check behind debug as it should not be needed during normal
operqation.

Fixes: 26b7899510 ("apparmor: add support for absolute root view based labels")
Reported-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-08-25 11:37:52 +02:00
..
apparmor apparmor: fix absroot causing audited secids to begin with = 2022-08-25 11:37:52 +02:00
bpf bpf: Implement bpf_local_storage for inodes 2020-08-25 15:00:04 -07:00
integrity lockdown: Fix kexec lockdown bypass with ima policy 2022-07-29 17:19:06 +02:00
keys KEYS: fix length validation in keyctl_pkey_params_get_2() 2022-04-08 14:39:50 +02:00
loadpin LSM: Add "contents" flag to kernel_read_file hook 2020-10-05 13:37:03 +02:00
lockdown
safesetid LSM: SafeSetID: Fix warnings reported by test bot 2020-10-13 09:17:36 -07:00
selinux selinux: Add boundary check in put_entry() 2022-08-21 15:15:31 +02:00
smack Fix incorrect type in assignment of ipv6 port for audit 2022-04-08 14:40:31 +02:00
tomoyo TOMOYO: fix __setup handlers return values 2022-04-08 14:40:18 +02:00
yama task_work: cleanup notification modes 2020-10-17 15:05:30 -06:00
commoncap.c security: commoncap: fix -Wstringop-overread warning 2021-05-11 14:47:36 +02:00
device_cgroup.c device_cgroup: Fix RCU list debugging warning 2020-08-20 11:25:03 -07:00
inode.c
Kconfig x86/retbleed: Add fine grained Kconfig knobs 2022-07-25 11:26:50 +02:00
Kconfig.hardening
lsm_audit.c dump_common_audit_data(): fix racy accesses to ->d_name 2021-01-19 18:27:29 +01:00
Makefile
min_addr.c
security.c lsm,selinux: pass flowi_common instead of flowi to the LSM hooks 2022-06-09 10:21:09 +02:00