[JAUNTY SRU] lp#395219 UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
Manoj Iyer
manoj.iyer at canonical.com
Mon Jul 6 17:31:42 UTC 2009
SRU JUSTIFICATION
IMPACT: kernel panics when SELinux is enabled.
FIX: A non-upstream patch from Eric Paris fixes this issue specifically
for Ubuntu.
Ubuntu users were experiencing a kernel panic when they enabled SELinux
due to an old bug in our handling of the compatibility mode network
controls, introduced Jan 1 2008 in effad8df44261031a882e1a895415f7186a5098e.
Most distros have not used the compat_net code since the new code was
introduced and so no one has hit this problem before. Ubuntu is the only
distro I know that enabled that legacy cruft by default. But, I was asked
to look at it and found that the above patch changed a call to
avc_has_perm from if(send_perm) to if(!send_perm) in
selinux_ip_postroute_iptables_compat(). The result is that users who
turn on SELinux and have compat_net set can (and often will) BUG() in
avc_has_perm_noaudit since they are requesting 0 permissions.
This patch corrects that accidental bug introduction.
TEST: The test kernel in http://people.ubuntu.com/~manjo/lp395219-jaunty/
was tested by the originator of the bug and reported to work.
The following changes since commit
ca7cfc6f93c0944a45bbe6f8f07b1028c664e3c2:
Reinette Chatre (1):
iwl3945: use cancel_delayed_work_sync to cancel rfkill_poll
are available in the git repository at:
git://kernel.ubuntu.com/manjo/ubuntu-jaunty.git lp395219
Manoj Iyer (1):
UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
security/selinux/hooks.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
From d09c656dc7c42f7f606d07fa64222d2c3222d4c7 Mon Sep 17 00:00:00 2001
From: Manoj Iyer <manoj.iyer at canonical.com>
Date: Sun, 5 Jul 2009 11:24:22 -0500
Subject: [PATCH] UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
OriginalAuthor: Eric Paris <eparis at redhat.com>
OriginalLocation: http://marc.info/?l=linux-kernel&m=124276951810932&w=2
BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/395219
Signed-off-by: Manoj Iyer <manoj.iyer at canonical.com>
---
security/selinux/hooks.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f923577..02f3a16 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4558,7 +4558,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
if (err)
return err;
- if (send_perm != 0)
+ if (!send_perm)
return 0;
err = sel_netport_sid(sk->sk_protocol,
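Review bot: the flip from `if (send_perm != 0)` to `if (!send_perm)` is the right one-line scope given the cover letter: with the old test the function returned 0 (pass, no check) precisely when a send permission was requested, and fell through to avc_has_perm with a zero permission set otherwise, which is the BUG() in avc_has_perm_noaudit that the report describes, so the inverted condition both skipped enforcement and crashed. A short comment above `if (!send_perm)` stating that the early return is for sockets with no compat send permission to check would keep a future reader from "correcting" it back the way effad8df did.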
--
1.6.3.3
Cheers
--- manjo
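The failure mode described above, as an added C model that is neither the kernel's code nor part of this post: it runs the inverted test from effad8df and the corrected test side by side and records what each does. The protocol-to-permission mapping and the constants are stand-ins, and the BUG() in avc_has_perm_noaudit is modelled as a recorded error rather than a crash.

```c
#include <stdio.h>

/* Constructed model, not the kernel's code: protocol numbers and
 * permission bits are stand-ins for sk->sk_protocol and the
 * TCP_SOCKET__SEND_MSG-style permissions. */
#define PROTO_TCP 6
#define PROTO_UDP 17
#define PERM_TCP_SEND_MSG 0x1u
#define PERM_UDP_SEND_MSG 0x2u

static int avc_checked; /* set when the permission check actually ran */
static int avc_bug_hit; /* stands in for BUG() in avc_has_perm_noaudit */

/* Model of avc_has_perm: the real avc_has_perm_noaudit BUG()s when asked
 * for zero permissions; here that is recorded instead of crashing. */
static int model_avc_has_perm(unsigned int requested)
{
    if (requested == 0) {
        avc_bug_hit = 1;
        return -1;
    }
    avc_checked = 1;
    return 0; /* assume the loaded policy allows the send */
}

/* Assumed mapping: protocols the compat controls do not cover get 0. */
static unsigned int send_perm_for(int protocol)
{
    switch (protocol) {
    case PROTO_TCP: return PERM_TCP_SEND_MSG;
    case PROTO_UDP: return PERM_UDP_SEND_MSG;
    default:        return 0;
    }
}

/* Returns 1 if the avc check ran, 0 if the packet was passed without a
 * check, -1 if the zero-permission BUG() path was reached.
 * buggy != 0 uses the inverted test from effad8df, 0 the corrected one. */
static int postroute_outcome(int protocol, int buggy)
{
    unsigned int send_perm = send_perm_for(protocol);
    avc_checked = 0;
    avc_bug_hit = 0;
    if (buggy ? (send_perm != 0) : (!send_perm))
        return 0; /* early return: nothing to check */
    model_avc_has_perm(send_perm);
    return avc_bug_hit ? -1 : avc_checked;
}
```

With the inverted test, postroute_outcome(PROTO_TCP, 1) returns 0 (TCP passes unchecked) and postroute_outcome(99, 1) returns -1 (the BUG() path); with the corrected test the same calls return 1 and 0.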