apparmor: don't try to replace stale label in ptraceme check
Closes: #963493
parent
6da8aff445
commit
1e3e001c12
|
@ -3,6 +3,8 @@ linux (4.19.118-3) UNRELEASED; urgency=medium
|
|||
* ALSA: pcm: oss: Place the plugin buffer overflow checks correctly
|
||||
(Closes: #960493)
|
||||
* [rt] Add new signing key for Tom Zanussi
|
||||
* apparmor: don't try to replace stale label in ptraceme check
|
||||
(Closes: #963493)
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Wed, 13 May 2020 17:44:43 +0200
|
||||
|
||||
|
|
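--- /dev/null
+++ b/debian/patches/bugfix/all/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch
@@ -0,0 +1,43 @@
+From: Jann Horn <jannh@google.com>
+Date: Sat, 29 Sep 2018 03:49:26 +0200
+Subject: apparmor: don't try to replace stale label in ptraceme check
+Origin: https://git.kernel.org/linus/ca3fde5214e1d24f78269b337d3f22afd6bf445e
+Bug-Debian: https://bugs.debian.org/963493
+
+begin_current_label_crit_section() must run in sleepable context because
+when label_is_stale() is true, aa_replace_current_label() runs, which uses
+prepare_creds(), which can sleep.
+
+Until now, the ptraceme access check (which runs with tasklist_lock held)
+violated this rule.
+
+Fixes: b2d09ae449ced ("apparmor: move ptrace checks to using labels")
+Reported-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Reported-by: kernel test robot <rong.a.chen@intel.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+security/apparmor/lsm.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 2c842f24821b..d08aac05c65a 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -132,11 +132,11 @@ static int apparmor_ptrace_traceme(struct task_struct *parent)
+struct aa_label *tracer, *tracee;
+int error;
+
+- tracee = begin_current_label_crit_section();
++ tracee = __begin_current_label_crit_section();
+tracer = aa_get_task_label(parent);
+error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
+aa_put_label(tracer);
+- end_current_label_crit_section(tracee);
++ __end_current_label_crit_section(tracee);
+
+return error;
+}
+--
+2.27.0
+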
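Review bot: The new `__begin_current_label_crit_section()` call in apparmor_ptrace_traceme() has no in-code comment saying why the non-replacing variant is required, so the constraint is recorded only in the commit message. Per that message the hook runs with tasklist_lock held and the plain helper can reach prepare_creds(), which can sleep; a one-line comment above the call, e.g. `/* called with tasklist_lock held: must not sleep, so do not replace a stale label here */`, would keep a later cleanup from switching it back. Because the Origin line marks this as an upstream cherry-pick, the comment is better proposed upstream than added only to the Debian copy. The function's opening lines and the helper definitions are outside this hunk, so it is worth confirming against the packaged 4.19 tree that the `__begin`/`__end` pair exists there and that `__end_current_label_crit_section()` is the matching release for a label obtained this way.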
|
@ -102,6 +102,7 @@ bugfix/all/mt76-use-the-correct-hweight8-function.patch
|
|||
bugfix/all/rtc-s35390a-set-uie_unsupported.patch
|
||||
bugfix/all/include-uapi-linux-swab.h-fix-userspace-breakage-use.patch
|
||||
bugfix/all/ALSA-pcm-oss-Place-the-plugin-buffer-overflow-checks.patch
|
||||
bugfix/all/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch
|
||||
|
||||
# Miscellaneous features
|
||||
|
||||
|
|