apparmor: fix absroot causing audited secids to begin with =
stable inclusion from stable-v5.10.138 commit 08f8128bc9f2b4489e8dd84b91cb69abc0b9c963 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I60QFD Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=08f8128bc9f2b4489e8dd84b91cb69abc0b9c963 -------------------------------- commit 511f7b5b upstream. AppArmor is prefixing secids that are converted to secctx with the = to indicate the secctx should only be parsed from an absolute root POV. This allows catching errors where secctx are reparsed back into internal labels. Unfortunately because audit is using secid to secctx conversion this means that subject and object labels can result in a very unfortunate == that can break audit parsing. eg. the subj==unconfined term in the below audit message type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000 ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success' Fix this by switch the prepending of = to a _. This still works as a special character to flag this case without breaking audit. Also move this check behind debug as it should not be needed during normal operqation. Fixes: 26b78995 ("apparmor: add support for absolute root view based labels") Reported-by:Casey Schaufler <casey@schaufler-ca.com> Signed-off-by:
Loading
Please sign in to comment