From: Linus Torvalds Date: Sat, 27 Jul 2024 20:28:39 +0000 (-0700) Subject: Merge tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git... X-Git-Tag: v6.11-rc1~13 X-Git-Url: https://repo.jachan.dev/linux.git/commitdiff_plain/ff30564411ffdcee49d579cb15eb13185a36e253?hp=-c Merge tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor updates from John Johansen: "Cleanups - optimization: try to avoid refing the label in apparmor_file_open - remove useless static inline function is_deleted - use kvfree_sensitive to free data->data - fix typo in kernel doc Bug fixes: - unpack transition table if dfa is not present - test: add MODULE_DESCRIPTION() - take nosymfollow flag into account - fix possible NULL pointer dereference - fix null pointer deref when receiving skb during sock creation" * tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: unpack transition table if dfa is not present apparmor: try to avoid refing the label in apparmor_file_open apparmor: test: add MODULE_DESCRIPTION() apparmor: take nosymfollow flag into account apparmor: fix possible NULL pointer dereference apparmor: fix typo in kernel doc apparmor: remove useless static inline function is_deleted apparmor: use kvfree_sensitive to free data->data apparmor: Fix null pointer deref when receiving skb during sock creation --- ff30564411ffdcee49d579cb15eb13185a36e253 diff --combined security/apparmor/lsm.c index 16568b6d589d,242d4cf857a7..808060f9effb --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@@ -461,6 -461,7 +461,7 @@@ static int apparmor_file_open(struct fi struct aa_file_ctx *fctx = file_ctx(file); struct aa_label *label; int error = 0; + bool needput; if (!path_mediated_fs(file->f_path.dentry)) return 0; @@@ -477,7 -478,7 +478,7 @@@ return 0; } - label = aa_get_newest_cred_label(file->f_cred); + label = aa_get_newest_cred_label_condref(file->f_cred, &needput); if (!unconfined(label)) { struct mnt_idmap *idmap = file_mnt_idmap(file); struct inode *inode = file_inode(file); @@@ -494,7 -495,7 +495,7 @@@ /* todo cache full allowed permissions set and state */ fctx->allow = aa_map_file_to_perms(file); } - aa_put_label(label); + aa_put_label_condref(label, needput); return error; } @@@ -1124,7 -1125,7 +1125,7 @@@ static int apparmor_socket_create(int f * @sock: socket that is being setup * @family: family of socket being created * @type: type of the socket - * @ptotocol: protocol of the socket + * @protocol: protocol of the socket * @kern: socket is a special kernel socket * * Note: @@@ -1304,6 -1305,13 +1305,13 @@@ static int apparmor_socket_sock_rcv_skb if (!skb->secmark) return 0; + /* + * If reach here before socket_post_create hook is called, in which + * case label is null, drop the packet. + */ + if (!ctx->label) + return -EACCES; + return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE, skb->secmark, sk); } @@@ -2029,7 -2037,7 +2037,7 @@@ static int __init alloc_buffers(void } #ifdef CONFIG_SYSCTL -static int apparmor_dointvec(struct ctl_table *table, int write, +static int apparmor_dointvec(const struct ctl_table *table, int write, void *buffer, size_t *lenp, loff_t *ppos) { if (!aa_current_policy_admin_capable(NULL)) @@@ -2064,6 -2072,7 +2072,6 @@@ static struct ctl_table apparmor_sysctl .mode = 0600, .proc_handler = apparmor_dointvec, }, - { } }; static int __init apparmor_init_sysctl(void)