[JAUNTY SRU] lp#395219 UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
Tim Gardner
tim.gardner at canonical.com
Tue Jul 7 11:14:16 UTC 2009
Manoj Iyer wrote:
> SRU JUSTIFICATION
>
> IMPACT: kernel panics when SELinux is enabled.
> FIX: A non-upstream patch from Eric Paris fixes this issue specifically
> for Ubuntu.
> Ubuntu users were experiencing a kernel panic when they enabled SELinux
> due to an old bug in our handling of the compatibility mode network
> controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e
> Most distros have not used the compat_net code since the new code was
> introduced and so no one has hit this problem before. Ubuntu is the only
> distro I know that enabled that legacy cruft by default. But, I was asked
> to look at it and found that the above patch changed a call to
> avc_has_perm from if(send_perm) to if(!send_perm) in
> selinux_ip_postroute_iptables_compat(). The result is that users who
> turn on SELinux and have compat_net set can (and often will) BUG() in
> avc_has_perm_noaudit since they are requesting 0 permissions.
>
> This patch corrects that accidental bug introduction.
>
> TEST: The test kernel in http://people.ubuntu.com/~manjo/lp395219-jaunty/
> was tested by the originator of the bug and reported to work.
>
> The following changes since commit
> ca7cfc6f93c0944a45bbe6f8f07b1028c664e3c2:
> Reinette Chatre (1):
> iwl3945: use cancel_delayed_work_sync to cancel rfkill_poll
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/manjo/ubuntu-jaunty.git lp395219
>
> Manoj Iyer (1):
> UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
>
> security/selinux/hooks.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> From d09c656dc7c42f7f606d07fa64222d2c3222d4c7 Mon Sep 17 00:00:00 2001
> From: Manoj Iyer <manoj.iyer at canonical.com>
> Date: Sun, 5 Jul 2009 11:24:22 -0500
> Subject: [PATCH] UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
>
> OriginalAuthor: Eric Paris <eparis at redhat.com>
>
> OriginalLocation: http://marc.info/?l=linux-kernel&m=124276951810932&w=2
>
> BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/395219
>
> Signed-off-by: Manoj Iyer <manoj.iyer at canonical.com>
> ---
> security/selinux/hooks.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f923577..02f3a16 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4558,7 +4558,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
> if (err)
> return err;
>
> - if (send_perm != 0)
> + if (!send_perm)
> return 0;
>
> err = sel_netport_sid(sk->sk_protocol,
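Review bot: The commit message gives no rationale for the inverted test at `if (!send_perm)` in selinux_ip_postroute_iptables_compat(); the explanation exists only in the SRU justification and behind the OriginalLocation link. Suggest adding a short body saying that the old `if (send_perm != 0) return 0;` returned early for every nonzero send_perm and continued to the code from sel_netport_sid() onward only when send_perm was 0, which is the zero-permission request described as hitting BUG() in avc_has_perm_noaudit. It is also worth recording that the old test skipped everything after this point whenever a send permission was actually requested, so the change affects enforcement on the compat_net path and not only the panic. Since the patch is credited to Eric Paris via OriginalAuthor, consider carrying his Signed-off-by from the original posting if it had one.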
ACK
--
Tim Gardner tim.gardner at canonical.com