authorJohn Johansen <john.johansen@canonical.com>2025-01-17 05:02:33 -0800
committerJohn Johansen <john.johansen@canonical.com>2025-01-18 06:47:13 -0800
commite6b087676954e36a7b1ed51249362bb499f8c1c2 (patch)
treed79f4c0f66dc4f0c4a9bb1435c4e26aa7f6270ef /security
parentdcd7a559411e8e1cd627ad20ac70faee77329380 (diff)
apparmor: fix dbus permission queries to v9 ABI
dbus permission queries need to be synced with fine grained unix mediation to avoid potential policy regressions. To ensure that dbus queries don't result in a case where dbus mediation is applied but fine grained unix mediation is not, check the ABI supported by the loaded policy and abort the query if the policy doesn't support the v9 ABI. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/apparmorfs.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index c5c756dda5cf..0b0e24cd4868 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -632,6 +632,14 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
} else if (rules->policy->dfa) {
if (!RULE_MEDIATES(rules, *match_str))
return; /* no change to current perms */
+ /* old user space does not correctly detect dbus mediation
+ * support so we may get dbus policy and requests when
+ * the abi doesn't support it. This can cause mediation
+ * regressions, so explicitly test for this situation.
+ */
+ if (*match_str == AA_CLASS_DBUS &&
+ !RULE_MEDIATES_v9NET(rules))
+ return; /* no change to current perms */
state = aa_dfa_match_len(rules->policy->dfa,
rules->policy->start[0],
match_str, match_len);
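Review bot: The comment above the new `AA_CLASS_DBUS` test does not say why a macro named `RULE_MEDIATES_v9NET` decides whether a dbus query is answered; the commit message ties it to fine grained unix mediation, but a reader of apparmorfs.c will not see that. I would add a sentence to the comment such as `dbus mediation is only valid together with v9 fine grained unix mediation, so treat dbus as unmediated when the policy lacks the v9 network ABI`. The macro's definition is not visible in this hunk, so that wording should be checked against it. The early return also leaves a skipped dbus query looking the same to the caller as a class the profile does not mediate, which may be intended but is worth stating in the same comment. profile_query_cb begins and ends outside the hunk.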