AppArmor does not correctly reenable kernel preemption
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Fix Released
|
Undecided
|
John Johansen | ||
Karmic |
Fix Released
|
Medium
|
Unassigned |
Bug Description
SRU Justification: Failing to put_cpu_var means that kernel preemption is disabled for the task. This will affect all confined processes that try to audit a capability message (so an process that has capability violation or is in learning mode and would have a capability violation).
The auditing code of capabilities, has a simple cache to reduce capability messages flooding the audit logs. Checking and updating the cache disables kernel preemption (via get_cpu_var). One potential exit path does not properly put the per cpu var, thus not reenabling preemption.
ent = &get_cpu_
if (sa->base.task == ent->task && cap_raised(
--------> needs put_cpu_
if (PROFILE_
return 0;
return sa->base.error;
} else {
ent->task = sa->base.task;
cap_raise(
}
put_cpu_
Changed in linux (Ubuntu): | |
assignee: | nobody → John Johansen (jjohansen) |
status: | New → In Progress |
description: | updated |
Changed in linux (Ubuntu Karmic): | |
importance: | Undecided → Medium |
status: | New → Fix Committed |
This bug was fixed in the package linux - 2.6.32-4.5
---------------
linux (2.6.32-4.5) lucid; urgency=low
[ Andy Whitcroft ]
* [Config] SERIO_LIBPS2 and SERIO_I8042 must match
* rebase to v2.6.32-rc7
* resync with Karmic proposed
[ John Johansen ]
* SAUCE: AppArmor: Fix oops after profile removal bprm_set_ creds
- LP: #475619
* SAUCE: AppArmor: Fix Oops when in apparmor_
- LP: #437258
* SAUCE: AppArmor: Fix cap audit_caching preemption disabling
- LP: #479102
* SAUCE: AppArmor: Fix refcounting bug causing leak of creds
- LP: #479115
* SAUCE: AppArmor: Fix oops there is no tracer and doing unsafe
transition.
- LP: #480112
[ Ubuntu Changes ]
* resync with Karmic proposed (ddbc670a86a3de e18541a3734149f 250ff307adf)
[ Upstream Kernel Changes ]
* rebase to v2.6.32-rc7
-- Andy Whitcroft <email address hidden> Fri, 13 Nov 2009 11:35:13 +0000