Bug 1000304

Summary: several AppArmor kernel fixes / patches
Product: [openSUSE] openSUSE Tumbleweed Reporter: Christian Boltz <suse-beta>
Component: Kernel    Assignee: Jeff Mahoney <jeffm>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: mkubecek, tiwai
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE 13.2   
Whiteboard:
Found By: Beta-Customer    Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Christian Boltz 2016-09-21 22:22:32 UTC
Several AppArmor-related fixes went into kernel 4.8. You might want to backport them to older kernel versions like the Leap and SLE kernels.

For the details, let me just quote from #apparmor:

<jjohansen> git format-patch 3ccee46ab487d5b87d0621824efe2500b2857c58..7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 security/apparmor
<jjohansen> on the current upstream tree will give the full set of patches that went into 4.8
<jjohansen> this did not include the change_hat patch which will go up in 4.9
  [see bug 1000287 for the change_hat patch]
<jjohansen> s/go up/be in/
<jjohansen> cboltz: I think that reference will work very well for the suse kt as it shows that these are patches that are in upstream
<jjohansen> cboltz: however there is a need for them to drop some of their own out of tree patches
<jjohansen> cboltz: I can try again to build an obs kernel, but it is a pita
<jjohansen> the suse kernel really requires a suse env to properly unpack and set up the patch queues and refresh the patches and set the configs
<jjohansen> simple patches you can often get away with just adding them to the tar and updating the series file
<jjohansen> but it does not work with this series
<cboltz> sounds like someone @suse should do it ;-)
<cboltz> are the patches easy to backport, or should I also add a pointer to the bzr kernel-patches directory?
<jjohansen> cboltz it looks like git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor v4.4-aa2.8-out-of-tree
<jjohansen> has the full set plus a few fixes from 4.5,4.6
Comment 1 Michal Kubeček 2016-09-22 08:15:03 UTC
> 3ccee46ab487d5b87d0621824efe2500b2857c58..7616ac70d1bb4f2e9d25c1a82d283f3368a7b632

That would be (oldest to newest)

> dcda617a0c51 apparmor: fix refcount bug in profile replacement
> ec34fa24a934 apparmor: fix replacement bug that adds new child to old parent
> b6b1b81b3afb apparmor: fix uninitialized lsm_audit member
> 9049a7922124 apparmor: exec should not be returning ENOENT when it denies
> d671e890205a apparmor: fix update the mtime of the profile file on replacement
> f2e561d190da apparmor: fix disconnected bind mnts reconnection
> bd35db8b8ca6 apparmor: internal paths should be treated as disconnected
> 6059f71f1e94 apparmor: add parameter to control whether policy hashing is used
> f351841f8d41 apparmor: fix put() parent ref after updating the active ref
> bf15cf0c641b apparmor: fix log failures for all profiles in a set
> 7ee6da25dcce apparmor: fix audit full profile hname on successful load
> f7da2de01127 apparmor: ensure the target profile name is always audited
> 23ca7b640b4a apparmor: check that xindex is in trans_table bounds
> 0b938a2e2cf0 apparmor: fix ref count leak when profile sha1 hash is read
> de7c4cc947f9 apparmor: fix refcount race when finding a child profile
> 38dbd7d8be36 apparmor: use list_next_entry instead of list_entry_next
> ff118479a76d apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task
> 15756178c6a6 apparmor: add missing id bounds check on dfa verification
> 3197f5adf539 apparmor: don't check for vmalloc_addr if kvzalloc() failed
> 5f20fdfed16b apparmor: fix oops in profile_unpack() when policy_db is not present
> 58acf9d911c8 apparmor: fix module parameters can be changed after policy is locked
> f4ee2def2d70 apparmor: do not expose kernel stack
> e89b8081327a apparmor: fix oops, validate buffer size in apparmor_setprocattr()
> d4d03f74a73f apparmor: fix arg_size computation for when setprocattr is null terminated
> 7616ac70d1bb apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling

All apply cleanly to SLE12-SP1 except three:

  * b6b1b81b3afb needs some changes due to missing 61e3fb8acaea
      ("apparmor: remove tsk field from the apparmor_audit_struct")
  * ff118479a76d is already in SLE12-SP1
  * 0b938a2e2cf0 just came with 3.12.63

The result builds but someone familiar with the code should take a look.

Also, opening this for Tumbleweed doesn't make much sense as Tumbleweed
is going to get these fixes with 4.8 soon anyway.
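The "already in SLE12-SP1" / "just came with 3.12.63" checks above are the first step of any backport triage against a SUSE kernel-source branch. The script below is an added example, not code from the bug or from SUSE; it assumes the kernel-source convention that every patch file carries a `Git-commit: <full upstream sha>` header and is only applied if it is listed in `series.conf`. It takes the oneline list exactly as pasted in comment 1 (leading `>` included), indexes the queued patches, and reports which upstream commits are still missing. The patch file names, the `series.conf` excerpt and the zero-padded full shas are constructed sample data, since the bug only shows abbreviated ids.

```python
import re
from typing import Dict, List, Tuple

# Matches one line of `git log --oneline` output; a leading '>' is tolerated
# so the list can be pasted straight from a quoted bug comment.
ONELINE_RE = re.compile(r"^\s*>?\s*([0-9a-f]{7,40})\s+(\S.*)$")
# SUSE kernel-source patches carry the full upstream sha in a Git-commit: header.
GIT_COMMIT_RE = re.compile(r"^Git-commit:\s*([0-9a-f]{40})\s*$", re.MULTILINE)


def parse_oneline(text: str) -> List[Tuple[str, str]]:
    """Turn a (possibly '>'-quoted) oneline list into [(abbrev_sha, subject), ...]."""
    out = []
    for line in text.splitlines():
        m = ONELINE_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2).strip()))
    return out


def index_patch_queue(patch_files: Dict[str, str], series_conf: str) -> Dict[str, str]:
    """Map full upstream sha -> patch path, counting only patches that are
    enabled in series.conf: a file on disk that is not in the series is not
    applied, so it must not mask a missing backport."""
    enabled = {ln.strip() for ln in series_conf.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")}
    index: Dict[str, str] = {}
    for path, body in patch_files.items():
        if path not in enabled:
            continue
        for sha in GIT_COMMIT_RE.findall(body):
            index[sha] = path
    return index


def triage(upstream, index):
    """Split upstream commits into (missing, present). Abbreviated shas are
    matched by prefix against the full shas in the index; an abbreviation
    that matches more than one queued patch is an error, not a guess."""
    missing, present = [], []
    for sha, subject in upstream:
        hits = [full for full in index if full.startswith(sha)]
        if len(hits) > 1:
            raise ValueError(f"ambiguous sha {sha}: {hits}")
        if hits:
            present.append((sha, subject, index[hits[0]]))
        else:
            missing.append((sha, subject))
    return missing, present


# Constructed sample: a three-line excerpt of the list from comment 1 and a
# made-up SLE12-SP1 patch queue. The full shas are the bug's abbreviated ids
# padded with zeros (hypothetical); real headers carry the genuine 40-char sha.
UPSTREAM_LIST = """
> dcda617a0c51 apparmor: fix refcount bug in profile replacement
> ff118479a76d apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task
> 0b938a2e2cf0 apparmor: fix ref count leak when profile sha1 hash is read
"""


def _fake_patch(abbrev: str, subject: str) -> str:
    """Build a minimal kernel-source style patch header (constructed)."""
    return (f"From: upstream\nSubject: {subject}\n"
            f"Git-commit: {abbrev + '0' * (40 - len(abbrev))}\n"
            f"Patch-mainline: v4.8-rc1\nReferences: bsc#1000304\n\n---\n")


PATCH_FILES = {
    "patches.fixes/apparmor-prlimit-cap-sys-resource.patch":
        _fake_patch("ff118479a76d", "apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task"),
    "patches.fixes/apparmor-sha1-refcount-leak.patch":
        _fake_patch("0b938a2e2cf0", "apparmor: fix ref count leak when profile sha1 hash is read"),
    # Present on disk but deliberately absent from series.conf below.
    "patches.fixes/apparmor-not-in-series.patch":
        _fake_patch("dcda617a0c51", "apparmor: fix refcount bug in profile replacement"),
}
SERIES_CONF = """
# constructed series.conf excerpt
patches.fixes/apparmor-prlimit-cap-sys-resource.patch
patches.fixes/apparmor-sha1-refcount-leak.patch
"""


def triage_sample():
    """Run the triage over the constructed sample; returns (missing, present)."""
    return triage(parse_oneline(UPSTREAM_LIST), index_patch_queue(PATCH_FILES, SERIES_CONF))


if __name__ == "__main__":
    missing, present = triage_sample()
    for sha, subject in missing:
        print(f"MISSING  {sha} {subject}")
    for sha, subject, path in present:
        print(f"present  {sha} {subject}  <- {path}")
```

The commits reported as missing are the ones to run `git format-patch` on and feed through `git apply --check` (or the kernel-source tooling) against the target branch; the prefix match deliberately refuses to guess when an abbreviated id is ambiguous, which matters once a queue holds thousands of patches.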
Comment 2 Takashi Iwai 2016-09-22 11:41:40 UTC
We need these patches for SLE12-SP2 / openSUSE-42.2 as well.
Comment 3 Takashi Iwai 2016-09-22 11:45:52 UTC
(In reply to Takashi Iwai from comment #2)
> We need these patches for SLE12-SP2 / openSUSE-42.2 as well.

Like SLE12-SP1, the patches (except for two that are already in stable 4.4.x) apply cleanly to SLE12-SP2, but we need to drop patches.fixes/apparmor-initialize-common_audit_data.patch beforehand.  I guess the latter patch becomes superfluous with this patchset.
Comment 4 Takashi Iwai 2016-09-27 06:59:44 UTC
I checked through patches:

- 6059f71f1e94 and 7616ac70d1bb can be dropped.
  These add just a new Kconfig and a new module option, and we use the default anyway.

- e89b8081327a and d4d03f74a73f can be dropped.
  These are fixes for bb646cdb12e75d82258c2f2e7746d5952d3e321a, which is only in kernels since 4.5.
Comment 5 Takashi Iwai 2016-09-27 07:26:55 UTC
Now I merged the patches to SLE12-SP2-update and openSUSE-42.2 branches.
Comment 6 Takashi Iwai 2016-09-27 07:43:13 UTC
Also I merged to openSUSE-42.1 branch.
Comment 7 Swamp Workflow Management 2016-10-21 15:09:12 UTC
openSUSE-SU-2016:2583-1: An update that solves four vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 1000287,1000304,1000907,1001462,1001486,1004418,1004462,1005101,799133,881008,909994,911687,922634,963655,972460,978094,979681,987703,991247,991665,993890,993891,996664,999600,999932
CVE References: CVE-2016-5195,CVE-2016-7039,CVE-2016-7425,CVE-2016-8658
Sources used:
openSUSE Leap 42.1 (src):    drbd-8.4.6-10.1, hdjmod-1.28-26.1, ipset-6.25.1-7.1, kernel-debug-4.1.34-33.1, kernel-default-4.1.34-33.1, kernel-docs-4.1.34-33.3, kernel-ec2-4.1.34-33.1, kernel-obs-build-4.1.34-33.1, kernel-obs-qa-4.1.34-33.1, kernel-obs-qa-xen-4.1.34-33.1, kernel-pae-4.1.34-33.1, kernel-pv-4.1.34-33.1, kernel-source-4.1.34-33.1, kernel-syms-4.1.34-33.1, kernel-vanilla-4.1.34-33.1, kernel-xen-4.1.34-33.1, lttng-modules-2.7.0-4.1, pcfclock-0.44-268.1, vhba-kmp-20140928-7.1
Comment 8 Jeff Mahoney 2016-11-04 20:04:10 UTC
Merged to the SLE12-SP1 branch.

That should do it.
Comment 9 Swamp Workflow Management 2016-11-25 16:08:15 UTC
SUSE-SU-2016:2912-1: An update that solves 11 vulnerabilities and has 111 fixes is now available.

Category: security (important)
Bug References: 1000189,1000287,1000304,1000776,1001419,1001486,1002165,1003079,1003153,1003400,1003568,1003866,1003925,1003964,1004252,1004462,1004517,1004520,1005666,1006691,1007615,1007886,744692,772786,789311,857397,860441,865545,866130,868923,874131,876463,898675,904489,909994,911687,915183,921338,921784,922064,922634,924381,924384,930399,931454,934067,937086,937888,940545,941420,946309,955446,956514,959463,961257,962846,966864,967640,970943,971975,971989,974406,974620,975596,975772,976195,977687,978094,979451,979928,982783,983619,984194,984419,984779,984992,985562,986445,987192,987333,987542,987565,987621,987805,988440,988617,988715,989152,989953,990245,991247,991608,991665,992244,992555,992591,992593,992712,993392,993841,993890,993891,994296,994438,994520,994748,995153,995968,996664,997059,997299,997708,997896,998689,998795,998825,999577,999584,999600,999779,999907,999932
CVE References: CVE-2015-8956,CVE-2016-5696,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-8658,CVE-2016-8666
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    kernel-default-3.12.67-60.64.18.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    kernel-docs-3.12.67-60.64.18.3, kernel-obs-build-3.12.67-60.64.18.1
SUSE Linux Enterprise Server 12-SP1 (src):    kernel-default-3.12.67-60.64.18.1, kernel-source-3.12.67-60.64.18.1, kernel-syms-3.12.67-60.64.18.1, kernel-xen-3.12.67-60.64.18.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.67-60.64.18.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP1_Update_9-1-6.3
SUSE Linux Enterprise Desktop 12-SP1 (src):    kernel-default-3.12.67-60.64.18.1, kernel-source-3.12.67-60.64.18.1, kernel-syms-3.12.67-60.64.18.1, kernel-xen-3.12.67-60.64.18.1
Comment 10 Swamp Workflow Management 2016-12-06 12:09:23 UTC
openSUSE-SU-2016:3021-1: An update that solves 12 vulnerabilities and has 118 fixes is now available.

Category: security (important)
Bug References: 1000189,1000287,1000304,1000776,1001419,1001486,1002165,1003079,1003153,1003400,1003568,1003866,1003925,1004252,1004418,1004462,1004517,1004520,1005666,1006691,1007615,1007886,744692,772786,789311,799133,857397,860441,865545,866130,868923,874131,875631,876145,876463,898675,904489,909994,911687,915183,921338,921784,922064,922634,924381,924384,930399,931454,934067,937086,937888,940545,941420,946309,954986,955446,956514,959463,961257,962846,963655,963767,966864,967640,970943,971975,971989,974406,974620,975596,975772,976195,977687,978094,979451,979681,979928,982783,983619,984194,984419,984779,984992,985562,986445,987192,987333,987542,987565,987621,987805,988440,988617,988715,989152,989953,990245,991247,991608,991665,992244,992555,992591,992593,992712,993392,993841,993890,993891,994296,994438,994520,994748,994758,995153,995968,996664,997059,997299,997708,997896,998689,998795,998825,999577,999584,999600,999779,999907,999932
CVE References: CVE-2013-5634,CVE-2015-8956,CVE-2016-2069,CVE-2016-5696,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-8658
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.36.1, crash-7.0.2-2.36.1, hdjmod-1.28-16.36.1, ipset-6.21.1-2.40.1, iscsitarget-1.4.20.3-13.36.1, kernel-debug-3.12.67-58.1, kernel-default-3.12.67-58.1, kernel-desktop-3.12.67-58.1, kernel-docs-3.12.67-58.2, kernel-ec2-3.12.67-58.1, kernel-pae-3.12.67-58.1, kernel-source-3.12.67-58.1, kernel-syms-3.12.67-58.1, kernel-trace-3.12.67-58.1, kernel-vanilla-3.12.67-58.1, kernel-xen-3.12.67-58.1, ndiswrapper-1.58-37.1, openvswitch-1.11.0-0.43.1, pcfclock-0.44-258.37.1, vhba-kmp-20130607-2.36.1, virtualbox-4.2.36-2.68.1, xen-4.3.4_10-69.1, xtables-addons-2.3-2.35.1
Comment 11 Swamp Workflow Management 2016-12-30 17:10:15 UTC
SUSE-SU-2016:3304-1: An update that solves 13 vulnerabilities and has 118 fixes is now available.

Category: security (important)
Bug References: 1000189,1000287,1000304,1000776,1001419,1001486,1002165,1003079,1003153,1003400,1003568,1003925,1004252,1004418,1004462,1004517,1004520,1005666,1006691,1007615,1007886,744692,789311,857397,860441,865545,866130,868923,874131,875631,876145,876463,898675,904489,909994,911687,915183,921338,921784,922064,922634,924381,924384,930399,934067,937086,937888,941420,946309,955446,956514,959463,961257,962846,963655,963767,966864,967640,970943,971975,971989,974406,974620,975596,975772,976195,977687,978094,979451,979681,979928,980371,981597,982783,983619,984194,984419,984779,984992,985562,986362,986365,986445,987192,987333,987542,987565,987621,987805,988440,988617,988715,989152,989953,990058,990245,991247,991608,991665,991667,992244,992555,992568,992591,992593,992712,993392,993841,993890,993891,994167,994296,994438,994520,994758,995153,995968,996664,997059,997299,997708,997896,998689,998795,998825,999577,999584,999600,999779,999907,999932
CVE References: CVE-2015-8956,CVE-2016-2069,CVE-2016-4998,CVE-2016-5195,CVE-2016-5696,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-8658
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP1 (src):    kernel-compute-3.12.67-60.27.1, kernel-compute_debug-3.12.67-60.27.1, kernel-rt-3.12.67-60.27.1, kernel-rt_debug-3.12.67-60.27.1, kernel-source-rt-3.12.67-60.27.1, kernel-syms-rt-3.12.67-60.27.1
Comment 12 Swamp Workflow Management 2017-01-17 18:12:46 UTC
SUSE-SU-2017:0181-1: An update that solves 13 vulnerabilities and has 127 fixes is now available.

Category: security (important)
Bug References: 1000118,1000189,1000287,1000304,1000433,1000776,1001169,1001171,1001310,1001462,1001486,1001888,1002322,1002770,1002786,1003068,1003566,1003581,1003606,1003813,1003866,1003964,1004048,1004052,1004252,1004365,1004517,1005169,1005327,1005545,1005666,1005745,1005895,1005917,1005921,1005923,1005925,1005929,1006103,1006175,1006267,1006528,1006576,1006804,1006809,1006827,1006915,1006918,1007197,1007615,1007653,1007955,1008557,1008979,1009062,1009969,1010040,1010158,1010444,1010478,1010507,1010665,1010690,1010970,1011176,1011250,1011913,1012060,1012094,1012452,1012767,1012829,1012992,1013001,1013479,1013531,1013700,1014120,1014392,1014701,1014710,1015212,1015359,1015367,1015416,799133,914939,922634,963609,963655,963904,964462,966170,966172,966186,966191,966316,966318,966325,966471,969474,969475,969476,969477,969756,971975,971989,972993,974313,974842,974843,978907,979378,979681,981825,983087,983152,983318,985850,986255,986987,987641,987703,987805,988524,988715,990384,992555,993739,993841,993891,994881,995278,997059,997639,997807,998054,998689,999907,999932
CVE References: CVE-2015-1350,CVE-2015-8964,CVE-2016-7039,CVE-2016-7042,CVE-2016-7425,CVE-2016-7913,CVE-2016-7917,CVE-2016-8645,CVE-2016-8666,CVE-2016-9083,CVE-2016-9084,CVE-2016-9793,CVE-2016-9919
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.38-93.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.38-93.3, kernel-obs-build-4.4.38-93.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.38-93.1, kernel-source-4.4.38-93.1, kernel-syms-4.4.38-93.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.38-93.1, kernel-source-4.4.38-93.1, kernel-syms-4.4.38-93.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_4-1-2.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.38-93.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.38-93.1, kernel-source-4.4.38-93.1, kernel-syms-4.4.38-93.1
Comment 13 Jeff Mahoney 2017-02-10 14:30:25 UTC
Patches merged into release branches.  Closing as fixed.