[JAUNTY SRU] lp#395219 UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.

Amit Kucheria amit.kucheria at canonical.com
Tue Jul 7 12:17:15 UTC 2009


On 09 Jul 06, Manoj Iyer wrote:
> 
> SRU JUSTIFICATION
> 
> IMPACT: kernel panics when SELinux is enabled.
> FIX: A non-upstream patch from Eric Paris fixes this issue specifically 
> for Ubuntu.
> Ubuntu users were experiencing a kernel panic when they enabled SELinux
> due to an old bug in our handling of the compatibility mode network
> controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e
> Most distros have not used the compat_net code since the new code was
> introduced and so no one has hit this problem before.  Ubuntu is the only
> distro I know that enabled that legacy cruft by default.  But, I was asked
> to look at it and found that the above patch changed a call to
> avc_has_perm from if(send_perm) to if(!send_perm) in
> selinux_ip_postroute_iptables_compat().  The result is that users who
> turn on SELinux and have compat_net set can (and often will) BUG() in
> avc_has_perm_noaudit since they are requesting 0 permissions.
> 
> This patch corrects that accidental bug introduction.
> 
> TEST: The test kernel in http://people.ubuntu.com/~manjo/lp395219-jaunty/ 
> was tested by the originator of the bug and reported to work.
> 
> The following changes since commit 
> ca7cfc6f93c0944a45bbe6f8f07b1028c664e3c2:
>    Reinette Chatre (1):
>          iwl3945: use cancel_delayed_work_sync to cancel rfkill_poll
> 
> are available in the git repository at:
> 
>    git://kernel.ubuntu.com/manjo/ubuntu-jaunty.git lp395219
> 
> Manoj Iyer (1):
>        UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
> 
>   security/selinux/hooks.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
> 
> From d09c656dc7c42f7f606d07fa64222d2c3222d4c7 Mon Sep 17 00:00:00 2001
> From: Manoj Iyer <manoj.iyer at canonical.com>
> Date: Sun, 5 Jul 2009 11:24:22 -0500
> Subject: [PATCH] UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
> 
> OriginalAuthor: Eric Paris <eparis at redhat.com>
> 
> OriginalLocation: http://marc.info/?l=linux-kernel&m=124276951810932&w=2
> 
> BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/395219
> 
> Signed-off-by: Manoj Iyer <manoj.iyer at canonical.com>
> ---
>   security/selinux/hooks.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f923577..02f3a16 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4558,7 +4558,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
>   	if (err)
>   		return err;
> 
> -	if (send_perm != 0)
> +	if (!send_perm)
>   		return 0;
> 
>   	err = sel_netport_sid(sk->sk_protocol,
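Review bot: the one-line inversion `-	if (send_perm != 0)` / `+	if (!send_perm)` is the entire fix and matches the justification above: the early `return 0` now fires only when there is no send permission to request, so the permission check further down in the function is no longer reached with a zero mask. Worth spelling out in the commit message that `return 0` here means the packet passes without an AVC check when `send_perm` is 0, which is the pre-regression behaviour being restored rather than a newly permissive path, and that with the regressed guard a non-zero `send_perm` skipped the check entirely. The surrounding context lines (`if (err) return err;` and the `sel_netport_sid()` call) are untouched, so the hunk is self-contained.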
> -- 
> 1.6.3.3

ACK.

-- 
----------------------------------------------------------------------
Amit Kucheria, Kernel Engineer || amit.kucheria at canonical.com
----------------------------------------------------------------------
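As an added example that is not part of the patch or of the kernel source, the following user-space model reproduces the guard from the hunk in both its regressed and fixed form. It collapses everything after the guard into one modelled permission check: `model_avc_has_perm()` stands in for the kernel's `avc_has_perm()`, and it refuses a zero permission mask the way `avc_has_perm_noaudit()` BUG()s on one. The policy bitmask, the `MODEL_*` return codes and all function names are this example's own assumptions, not kernel identifiers.

```c
/* Added example: user-space model of the selinux_ip_postroute_iptables_compat()
 * guard before and after the Ubuntu lp#395219 fix. Not kernel code. */
#include <stdio.h>
#include <stdint.h>

#define MODEL_BUG_ZERO_PERM (-1000) /* stands in for BUG_ON(!requested) */
#define MODEL_EACCES        (-13)   /* stands in for a policy denial */

typedef uint32_t perm_t;

/* Model of avc_has_perm(): a zero mask is a caller bug (the kernel BUG()s);
 * otherwise allow iff every requested bit is within the constructed policy. */
static int model_avc_has_perm(perm_t allowed, perm_t requested)
{
    if (requested == 0)
        return MODEL_BUG_ZERO_PERM;
    return (requested & ~allowed) == 0 ? 0 : MODEL_EACCES;
}

/* Guard as it read before the patch: returns early exactly when there IS a
 * permission to check, and reaches the AVC with a zero mask when there is none. */
static int postroute_compat_regressed(perm_t allowed, perm_t send_perm)
{
    if (send_perm != 0)
        return 0;
    return model_avc_has_perm(allowed, send_perm);
}

/* Guard after the patch: skip the AVC only when no send permission is
 * configured; otherwise check the non-zero mask against policy. */
static int postroute_compat_fixed(perm_t allowed, perm_t send_perm)
{
    if (!send_perm)
        return 0;
    return model_avc_has_perm(allowed, send_perm);
}

int main(void)
{
    const perm_t policy = 0x4;                   /* constructed: one allowed bit */
    const perm_t cases[] = { 0x0, 0x4, 0x8 };    /* no perm, allowed, denied */

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("send_perm=0x%x regressed=%d fixed=%d\n", cases[i],
               postroute_compat_regressed(policy, cases[i]),
               postroute_compat_fixed(policy, cases[i]));
    }
    return 0;
}
```

Running it shows the two faces of the regression: with `send_perm == 0` the old guard walks into the zero-mask check (the kernel panic), and with a non-zero `send_perm` it returns success without consulting policy at all, so a mask the policy would deny is let through. The fixed guard gives the expected allow/deny results and never presents a zero mask.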



