apparmor: fix absroot causing audited secids to begin with =

commit 256bf54a85a2a3ae8283e846fef20ecf20e72935 upstream.

AppArmor is prefixing secids that are converted to secctx with the =
to indicate the secctx should only be parsed from an absolute root
POV. This allows catching errors where secctx are reparsed back into
internal labels.

Unfortunately because audit is using secid to secctx conversion this
means that subject and object labels can result in a very unfortunate
== that can break audit parsing.

eg. the subj==unconfined term in the below audit message

type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'

Fix this by switch the prepending of = to a _. This still works as a
special character to flag this case without breaking audit. Also move
this check behind debug as it should not be needed during normal
operqation.

Fixes: 5dde5e43983e ("apparmor: add support for absolute root view based labels")
Reported-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index 7d27db740bc2f19fae390923ddd87334950c9004..ac5054899f6f4956199d7b9ac5e88b3f3c2523c9 100644 (file)
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -22,6 +22,11 @@
  */
 
 #define DEBUG_ON (aa_g_debug)
+/*
+ * split individual debug cases out in preparation for finer grained
+ * debug controls in the future.
+ */
+#define AA_DEBUG_LABEL DEBUG_ON
 #define dbg_printk(__fmt, __args...) pr_debug(__fmt, ##__args)
 #define AA_DEBUG(fmt, args...)                                         \
        do {                                                            \

diff --git a/security/apparmor/label.c b/security/apparmor/label.c
index 747a734a0824624d9a19da1a6501fb8fb3e6ca72..fab7fd0b19808604e6b2a445278220fccb0f4cf7 100644 (file)
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -1637,9 +1637,9 @@ int aa_label_snxprint(char *str, size_t size, struct aa_ns *ns,
        AA_BUG(!str && size != 0);
        AA_BUG(!label);
 
-       if (flags & FLAG_ABS_ROOT) {
+       if (AA_DEBUG_LABEL && (flags & FLAG_ABS_ROOT)) {
                ns = root_ns;
-               len = snprintf(str, size, "=");
+               len = snprintf(str, size, "_");
                update_for_len(total, len, size, str);
        } else if (!ns) {
                ns = labels_ns(label);
@@ -1901,7 +1901,8 @@ struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str,
        AA_BUG(!str);
 
        str = skipn_spaces(str, n);
-       if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label))
+       if (str == NULL || (AA_DEBUG_LABEL && *str == '_' &&
+                           base != &root_ns->unconfined->label))
                return ERR_PTR(-EINVAL);
 
        len = label_count_strn_entries(str, end - str);