mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-02 15:18:19 +00:00
Code Issues Releases Wiki Activity
linux-stable/security
History
John Johansen 511f7b5b83 apparmor: fix absroot causing audited secids to begin with = 
AppArmor is prefixing secids that are converted to secctx with the =
to indicate the secctx should only be parsed from an absolute root
POV. This allows catching errors where secctx are reparsed back into
internal labels.

Unfortunately because audit is using secid to secctx conversion this
means that subject and object labels can result in a very unfortunate
== that can break audit parsing.

eg. the subj==unconfined term in the below audit message

type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'

Fix this by switch the prepending of = to a _. This still works as a
special character to flag this case without breaking audit. Also move
this check behind debug as it should not be needed during normal
operqation.

Fixes: 26b7899510 ("apparmor: add support for absolute root view based labels")
Reported-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-09 15:13:58 -07:00
..
apparmor apparmor: fix absroot causing audited secids to begin with = 2022-07-09 15:13:58 -07:00
bpf bpf: Implement task local storage 2020-11-06 08:08:37 -08:00
integrity integrity-v5.19 2022-05-24 13:50:39 -07:00
keys tpmdd updates for v5.19-rc1 2022-05-24 13:16:50 -07:00
landlock landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER 2022-05-23 13:27:59 +02:00
loadpin loadpin: stop using bdevname 2022-05-16 16:02:21 -07:00
lockdown Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2020-06-02 17:36:24 -07:00
safesetid LSM: SafeSetID: Mark safesetid_initialized as __initdata 2021-06-10 09:52:32 -07:00
selinux selinux/stable-5.19 PR 20220523 2022-05-24 13:06:32 -07:00
smack Cleanups (and one fix) around struct mount handling. 2022-06-04 19:00:05 -07:00
tomoyo LSM: Remove double path_rename hook calls for RENAME_EXCHANGE 2022-05-23 13:27:58 +02:00
yama task_work: cleanup notification modes 2020-10-17 15:05:30 -06:00
commoncap.c fs: support mapped mounts of mapped filesystems 2021-12-05 10:28:57 +01:00
device_cgroup.c bpf: Make BPF_PROG_RUN_ARRAY return -err instead of allow boolean 2022-01-19 12:51:30 -08:00
inode.c Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
Kconfig usercopy: Remove HARDENED_USERCOPY_PAGESPAN 2022-04-13 12:15:52 -07:00
Kconfig.hardening randstruct: Enable Clang support 2022-05-08 01:33:07 -07:00
lsm_audit.c selinux: log anon inode class name 2022-05-03 16:09:03 -04:00
Makefile security: remove unneeded subdir-$(CONFIG_...) 2021-09-03 08:17:20 +09:00
min_addr.c sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
security.c Landlock updates for v5.19-rc1 2022-05-24 13:09:13 -07:00