apparmor: fix dbus permission queries to v9 ABI
authorJohn Johansen <john.johansen@canonical.com>
Fri, 17 Jan 2025 13:02:33 +0000 (05:02 -0800)
committerJohn Johansen <john.johansen@canonical.com>
Sat, 18 Jan 2025 14:47:13 +0000 (06:47 -0800)
dbus permission queries need to be synced with fine grained unix
mediation to avoid potential policy regressions. To ensure that
dbus queries don't result in a case where fine grained unix mediation
is not being applied but dbus mediation is, check the ABI supported by
the loaded policy and abort the query if the policy doesn't support the
v9 ABI.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/apparmorfs.c

index c5c756dda5cf9e5324a1c2d2d33110009dc6616f..0b0e24cd4868425977648b850224238507cbc4b0 100644 (file)
@@ -632,6 +632,14 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
        } else if (rules->policy->dfa) {
                if (!RULE_MEDIATES(rules, *match_str))
                        return; /* no change to current perms */
+               /* old user space does not correctly detect dbus mediation
+                * support so we may get dbus policy and requests when
+                * the abi doesn't support it. This can cause mediation
+                * regressions, so explicitly test for this situation.
+                */
+               if (*match_str == AA_CLASS_DBUS &&
+                   !RULE_MEDIATES_v9NET(rules))
+                       return; /* no change to current perms */
                state = aa_dfa_match_len(rules->policy->dfa,
                                         rules->policy->start[0],
                                         match_str, match_len);
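Review bot: The new early return under `if (*match_str == AA_CLASS_DBUS && !RULE_MEDIATES_v9NET(rules))` silently ignores any dbus rules in a policy that lacks the v9 ABI, and the comment does not say what answer the querying daemon then gets. It leaves `perms` untouched, just like the unmediated-class return above it, so the profile appears to contribute nothing to the query; whether that ends up permissive depends on how the caller initialised `perms`, which is outside this hunk. I would extend the comment to state the contract and explain why a NET-named check gates a DBUS query, for example `* Treat dbus as unmediated for this profile unless the policy also carries v9 fine grained unix mediation.` Nothing visible here records that the query was skipped, so an administrator cannot tell from logs that loaded dbus rules are not being enforced; a rate-limited or one-time notice may be worth considering if the surrounding code has a suitable helper. profile_query_cb starts and ends outside the hunk.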