apparmor: fix apparmor mediating locking non-fs unix sockets

the v8 and earlier policy does not encode the locking permission for
no-fs unix sockets. However the kernel is enforcing mediation.

Add the AA_MAY_LOCK perm to v8 and earlier computed perm mask which will
grant permission for all current abi profiles, but still allow specifying
auditing of the operation if needed.

Link: http://bugs.launchpad.net/bugs/1780227
Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 0203e43..2406c5c 100644 (file)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -31,6 +31,7 @@
 #define K_ABI_MASK 0x3ff
 #define FORCE_COMPLAIN_FLAG 0x800
 #define VERSION_LT(X, Y) (((X) & K_ABI_MASK) < ((Y) & K_ABI_MASK))
+#define VERSION_LE(X, Y) (((X) & K_ABI_MASK) <= ((Y) & K_ABI_MASK))
 #define VERSION_GT(X, Y) (((X) & K_ABI_MASK) > ((Y) & K_ABI_MASK))
 
 #define v5     5       /* base version */
@@ -796,7 +797,8 @@ static u32 map_other(u32 x)
 }
 
 static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
-                                          aa_state_t state)
+                                          aa_state_t state,
+                                          u32 version)
 {
        struct aa_perms perms = { };
 
@@ -809,13 +811,15 @@ static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
         */
 
        perms.allow |= map_other(dfa_other_allow(dfa, state));
+       if (VERSION_LE(version, v8))
+               perms.allow |= AA_MAY_LOCK;
        perms.audit |= map_other(dfa_other_audit(dfa, state));
        perms.quiet |= map_other(dfa_other_quiet(dfa, state));
 
        return perms;
 }
 
-static struct aa_perms *compute_perms(struct aa_dfa *dfa)
+static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version)
 {
        unsigned int state;
        unsigned int state_count;
@@ -831,7 +835,7 @@ static struct aa_perms *compute_perms(struct aa_dfa *dfa)
 
        /* zero init so skip the trap state (state == 0) */
        for (state = 1; state < state_count; state++)
-               table[state] = compute_perms_entry(dfa, state);
+               table[state] = compute_perms_entry(dfa, state, version);
 
        return table;
 }
@@ -1055,7 +1059,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
                }
                if (!unpack_nameX(e, AA_STRUCTEND, NULL))
                        goto fail;
-               profile->policy.perms = compute_perms(profile->policy.dfa);
+               profile->policy.perms = compute_perms(profile->policy.dfa,
+                                                     e->version);
                if (!profile->policy.perms) {
                        info = "failed to remap policydb permission table";
                        goto fail;