From: John Johansen <john.johansen@canonical.com>
Date: Fri, 17 Jan 2025 13:02:33 +0000 (-0800)
Subject: apparmor: fix dbus permission queries to v9 ABI
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6b087676954e36a7b1ed51249362bb499f8c1c2;p=thirdparty%2Fkernel%2Flinux.git

apparmor: fix dbus permission queries to v9 ABI

dbus permission queries need to be synced with fine grained unix
mediation to avoid potential policy regressions. To ensure that
dbus queries don't result in a case where fine grained unix mediation
is not being applied but dbus mediation is check the loaded policy
support ABI and abort the query if policy doesn't support the
v9 ABI.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index c5c756dda5cf9..0b0e24cd48684 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -632,6 +632,14 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
 	} else if (rules->policy->dfa) {
 		if (!RULE_MEDIATES(rules, *match_str))
 			return;	/* no change to current perms */
+		/* old user space does not correctly detect dbus mediation
+		 * support so we may get dbus policy and requests when
+		 * the abi doesn't support it. This can cause mediation
+		 * regressions, so explicitly test for this situation.
+		 */
+		if (*match_str == AA_CLASS_DBUS &&
+		    !RULE_MEDIATES_v9NET(rules))
+			return; /* no change to current perms */
 		state = aa_dfa_match_len(rules->policy->dfa,
 					 rules->policy->start[0],
 					 match_str, match_len);