Revert "apparmor: add base infastructure for socket mediation"
This reverts commit 651e28c553.
This caused a regression:
"The specific problem is that dnsmasq refuses to start on openSUSE Leap
42.2. The specific cause is that and attempt to open a PF_LOCAL socket
gets EACCES. This means that networking doesn't function on a system
with a 4.14-rc2 system."
Sadly, the developers involved seemed to be in denial for several weeks
about this, delaying the revert. This has not been a good release for
the security subsystem, and this area needs to change development
practices.
Reported-and-bisected-by: James Bottomley <James.Bottomley@hansenpartnership.com>
Tracked-by: Thorsten Leemhuis <regressions@leemhuis.info>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Linus Torvalds
@@ -275,19 +275,6 @@ fail:
|
||||
return 0;
|
||||
}
|
||||
|
||||
static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
|
||||
{
|
||||
if (unpack_nameX(e, AA_U16, name)) {
|
||||
if (!inbounds(e, sizeof(u16)))
|
||||
return 0;
|
||||
if (data)
|
||||
*data = le16_to_cpu(get_unaligned((__le16 *) e->pos));
|
||||
e->pos += sizeof(u16);
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
|
||||
{
|
||||
if (unpack_nameX(e, AA_U32, name)) {
|
||||
@@ -597,7 +584,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
|
||||
struct aa_profile *profile = NULL;
|
||||
const char *tmpname, *tmpns = NULL, *name = NULL;
|
||||
const char *info = "failed to unpack profile";
|
||||
size_t size = 0, ns_len;
|
||||
size_t ns_len;
|
||||
struct rhashtable_params params = { 0 };
|
||||
char *key = NULL;
|
||||
struct aa_data *data;
|
||||
@@ -730,38 +717,6 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
|
||||
goto fail;
|
||||
}
|
||||
|
||||
size = unpack_array(e, "net_allowed_af");
|
||||
if (size) {
|
||||
|
||||
for (i = 0; i < size; i++) {
|
||||
/* discard extraneous rules that this kernel will
|
||||
* never request
|
||||
*/
|
||||
if (i >= AF_MAX) {
|
||||
u16 tmp;
|
||||
|
||||
if (!unpack_u16(e, &tmp, NULL) ||
|
||||
!unpack_u16(e, &tmp, NULL) ||
|
||||
!unpack_u16(e, &tmp, NULL))
|
||||
goto fail;
|
||||
continue;
|
||||
}
|
||||
if (!unpack_u16(e, &profile->net.allow[i], NULL))
|
||||
goto fail;
|
||||
if (!unpack_u16(e, &profile->net.audit[i], NULL))
|
||||
goto fail;
|
||||
if (!unpack_u16(e, &profile->net.quiet[i], NULL))
|
||||
goto fail;
|
||||
}
|
||||
if (!unpack_nameX(e, AA_ARRAYEND, NULL))
|
||||
goto fail;
|
||||
}
|
||||
if (VERSION_LT(e->version, v7)) {
|
||||
/* pre v7 policy always allowed these */
|
||||
profile->net.allow[AF_UNIX] = 0xffff;
|
||||
profile->net.allow[AF_NETLINK] = 0xffff;
|
||||
}
|
||||
|
||||
if (unpack_nameX(e, AA_STRUCT, "policydb")) {
|
||||
/* generic policy dfa - optional and may be NULL */
|
||||
info = "failed to unpack policydb";
|
||||
|
||||
Reference in New Issue
Block a user