From 4afc61702bdcc3b9b519749ef966cf762a6e7051 Mon Sep 17 00:00:00 2001 From: Cengiz Can Date: Tue, 10 Feb 2026 11:17:14 +0300 Subject: [PATCH 01/10] apparmor: use target task's context in apparmor_getprocattr() apparmor_getprocattr() incorrectly calls task_ctx(current) instead of task_ctx(task) when retrieving prev and exec attributes, returning the caller's labels rather than the target's. Fix by passing task to task_ctx(). The issue can be reproduced when a process with an onexec transition (e.g., configured by a container runtime) is inspected via /proc//attr/apparmor/exec. The reader's own value is returned instead of the target's. Reported-by: Qualys Security Advisory Fixes: 3b529a7600d8 ("apparmor: move task domain change info to task security") Cc: stable@vger.kernel.org Co-developed-by: Cengiz Can Signed-off-by: Cengiz Can Co-developed-by: John Johansen Signed-off-by: John Johansen --- security/apparmor/lsm.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index c1d42fc72fdb..d3af2d10fc22 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -822,25 +822,23 @@ static int apparmor_getprocattr(struct task_struct *task, const char *name, char **value) { int error = -ENOENT; - /* released below */ - const struct cred *cred = get_task_cred(task); - struct aa_task_ctx *ctx = task_ctx(current); struct aa_label *label = NULL; + rcu_read_lock(); if (strcmp(name, "current") == 0) - label = aa_get_newest_label(cred_label(cred)); - else if (strcmp(name, "prev") == 0 && ctx->previous) - label = aa_get_newest_label(ctx->previous); - else if (strcmp(name, "exec") == 0 && ctx->onexec) - label = aa_get_newest_label(ctx->onexec); + label = aa_get_newest_cred_label(__task_cred(task)); + else if (strcmp(name, "prev") == 0 && task_ctx(task)->previous) + label = aa_get_newest_label(task_ctx(task)->previous); + else if (strcmp(name, "exec") == 0 && task_ctx(task)->onexec) + label = aa_get_newest_label(task_ctx(task)->onexec); else error = -EINVAL; + rcu_read_unlock(); if (label) error = aa_getprocattr(label, value, true); aa_put_label(label); - put_cred(cred); return error; } From 8813837aa7f5f5a262a5ebc1a1a2a3a5ec818c70 Mon Sep 17 00:00:00 2001 From: Massimiliano Pellizzer Date: Tue, 20 Jan 2026 15:24:05 +0100 Subject: [PATCH 02/10] apparmor: return error on namespace mismatch in verify_header When profiles in a multi-profile load specify different namesapaces, the audit record is generated but execution continues, causing the function to return success. This violates the load requirement that all profiles must target the same namespace. Add the missing return statement after auditing the error. Reported-by: Qualys Security Advisory Fixes: dd51c8485763 ("apparmor: provide base for multiple profiles to be replaced at once") Signed-off-by: Massimiliano Pellizzer Signed-off-by: John Johansen --- security/apparmor/policy_unpack.c | 1 + 1 file changed, 1 insertion(+) diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 1769417a9962..ff517bc7e275 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -1440,6 +1440,7 @@ static int verify_header(struct aa_ext *e, int required, const char **ns) if (*ns && strcmp(*ns, name)) { audit_iface(NULL, NULL, NULL, "invalid ns change", e, error); + return error; } else if (!*ns) { *ns = kstrdup(name, GFP_KERNEL); if (!*ns) From 46401cc99c6237ba825cfd65ef023955ce2a6316 Mon Sep 17 00:00:00 2001 From: Thorsten Blum Date: Sun, 25 Jan 2026 22:00:15 +0100 Subject: [PATCH 03/10] apparmor: Replace memcpy + NUL termination with kmemdup_nul in do_setattr Use kmemdup_nul() to copy 'value' instead of using memcpy() followed by a manual NUL termination. No functional changes. Reviewed-by: Serge Hallyn Signed-off-by: Thorsten Blum Signed-off-by: John Johansen --- security/apparmor/lsm.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index d3af2d10fc22..553f4127d59f 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -856,12 +856,9 @@ static int do_setattr(u64 attr, void *value, size_t size) /* AppArmor requires that the buffer must be null terminated atm */ if (args[size - 1] != '\0') { - /* null terminate */ - largs = args = kmalloc(size + 1, GFP_KERNEL); + largs = args = kmemdup_nul(value, size, GFP_KERNEL); if (!args) return -ENOMEM; - memcpy(args, value, size); - args[size] = '\0'; } error = -EINVAL; From e6a522c5b4803b8f5632d5ce8f27431a1ae73222 Mon Sep 17 00:00:00 2001 From: Thorsten Blum Date: Wed, 4 Feb 2026 23:07:35 +0100 Subject: [PATCH 04/10] apparmor: Remove redundant if check in sk_peer_get_label Remove the redundant if check in sk_peer_get_label() and return ERR_PTR(-ENOPROTOOPT) directly. Signed-off-by: Thorsten Blum Signed-off-by: John Johansen --- security/apparmor/lsm.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 553f4127d59f..6f15b968a32a 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1523,15 +1523,11 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) static struct aa_label *sk_peer_get_label(struct sock *sk) { struct aa_sk_ctx *ctx = aa_sock(sk); - struct aa_label *label = ERR_PTR(-ENOPROTOOPT); if (rcu_access_pointer(ctx->peer)) return aa_get_label_rcu(&ctx->peer); - if (sk->sk_family != PF_UNIX) - return ERR_PTR(-ENOPROTOOPT); - - return label; + return ERR_PTR(-ENOPROTOOPT); } /** From 497ad4be355b70a6786dd9344710d98b14b92848 Mon Sep 17 00:00:00 2001 From: Thorsten Blum Date: Sun, 22 Feb 2026 22:40:38 +0100 Subject: [PATCH 05/10] apparmor: Use sysfs_emit in param_get_{audit,mode} Replace sprintf() with sysfs_emit() in param_get_audit() and param_get_mode(). sysfs_emit() is preferred for formatting sysfs output because it provides safer bounds checking. Add terminating newlines as suggested by checkpatch. Signed-off-by: Thorsten Blum Signed-off-by: John Johansen --- security/apparmor/lsm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 6f15b968a32a..49b5e4f32983 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -2064,7 +2065,7 @@ static int param_get_audit(char *buffer, const struct kernel_param *kp) return -EINVAL; if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) return -EPERM; - return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); + return sysfs_emit(buffer, "%s\n", audit_mode_names[aa_g_audit]); } static int param_set_audit(const char *val, const struct kernel_param *kp) @@ -2092,8 +2093,7 @@ static int param_get_mode(char *buffer, const struct kernel_param *kp) return -EINVAL; if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) return -EPERM; - - return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); + return sysfs_emit(buffer, "%s\n", aa_profile_mode_names[aa_g_profile_mode]); } static int param_set_mode(const char *val, const struct kernel_param *kp) From f17b68f0c33ff184713c356cd024035d437bac8c Mon Sep 17 00:00:00 2001 From: John Johansen Date: Wed, 4 Mar 2026 19:24:01 -0700 Subject: [PATCH 06/10] apparmor: fix dfa size check AppArmor dfas need a minimum of two states to be valid. State 0 is the default trap state, and State 1 the default start state. When verifying the dfa ensure that this is the case. Fixes: c27c6bd2c4d6b ("apparmor: ensure that dfa state tables have entries") Signed-off-by: John Johansen --- security/apparmor/match.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/apparmor/match.c b/security/apparmor/match.c index 8fa0a1494acd..4704b5904b15 100644 --- a/security/apparmor/match.c +++ b/security/apparmor/match.c @@ -157,7 +157,7 @@ static int verify_dfa(struct aa_dfa *dfa) state_count = dfa->tables[YYTD_ID_BASE]->td_lolen; trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen; - if (state_count == 0) + if (state_count < 2) goto out; for (i = 0; i < state_count; i++) { if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) && From 72971e6f745ad5c366629b0affbe3a6b619dcd8b Mon Sep 17 00:00:00 2001 From: John Johansen Date: Mon, 13 Apr 2026 19:56:26 -0700 Subject: [PATCH 07/10] apparmor: fix unpack_tags to properly return error in failure cases error is initialized to -EPROTO but set by some of the internal functions, unfortunately the last two checks assume error is set to -EPROTO already for the failure case. Ensure it is by setting it before these checks. Fixes: 3d28e2397af7a ("apparmor: add support loading per permission tagging") Reported-by: Dan Carpenter Signed-off-by: John Johansen --- security/apparmor/policy_unpack.c | 1 + 1 file changed, 1 insertion(+) diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index ff517bc7e275..dd445c25f8e9 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -863,6 +863,7 @@ static int unpack_tags(struct aa_ext *e, struct aa_tags_struct *tags, *info = "failed to unpack profile tag.sets"; goto fail; } + error = -EPROTO; if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) goto fail; From ef78fdc4724190fbd4e66d80bcdf4d08045f5e98 Mon Sep 17 00:00:00 2001 From: Dudu Lu Date: Mon, 13 Apr 2026 17:03:13 +0800 Subject: [PATCH 08/10] apparmor: Fix wrong dentry in RENAME_EXCHANGE uid check In apparmor_path_rename(), when handling RENAME_EXCHANGE, the cond_exchange structure is supposed to carry the attributes of the *new* dentry (since it is used to authorize moving new_dentry to the old location). However, line 412 reads: vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry)); This fetches the uid of old_dentry instead of new_dentry. As a result, the RENAME_EXCHANGE permission check uses the wrong file owner, which can allow a rename that should be denied (if old_dentry's owner has more privileges) or deny one that should be allowed. Note that cond_exchange.mode on the line above correctly uses new_dentry. Only the uid lookup is wrong. Fix by changing old_dentry to new_dentry in the i_uid_into_vfsuid call. Fixes: 5e26a01e56fd ("apparmor: use type safe idmapping helpers") Reviewed-by: Georgia Garcia Signed-off-by: Dudu Lu Signed-off-by: John Johansen --- security/apparmor/lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 49b5e4f32983..467f7ac476aa 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -410,7 +410,7 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d struct path_cond cond_exchange = { .mode = d_backing_inode(new_dentry)->i_mode, }; - vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry)); + vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(new_dentry)); cond_exchange.uid = vfsuid_into_kuid(vfsuid); error = aa_path_perm(OP_RENAME_SRC, current_cred(), From 828bf7929bedcb79b560b5b4e44f22abee07d31b Mon Sep 17 00:00:00 2001 From: Daniel J Blueman Date: Fri, 27 Mar 2026 19:58:32 +0800 Subject: [PATCH 09/10] apparmor: Fix string overrun due to missing termination When booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm Snapdragon X1 we see a string buffer overrun: BUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535) Read of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120 CPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY Hardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025 Call trace: show_stack (arch/arm64/kernel/stacktrace.c:501) (C) dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) __asan_report_load1_noabort (mm/kasan/report_generic.c:378) aa_dfa_match (security/apparmor/match.c:535) match_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336) match_mnt (security/apparmor/mount.c:371) aa_bind_mount (security/apparmor/mount.c:447 (discriminator 4)) apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1)) security_sb_mount (security/security.c:1062 (discriminator 31)) path_mount (fs/namespace.c:4101) __arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338) invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49) el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2)) do_el0_svc (arch/arm64/kernel/syscall.c:152) el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725) el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744) el0t_64_sync (arch/arm64/kernel/entry.S:596) Allocated by task 2120: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79) kasan_save_alloc_info (mm/kasan/generic.c:571) __kasan_kmalloc (mm/kasan/common.c:419) __kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272) aa_get_buffer (security/apparmor/lsm.c:2201) aa_bind_mount (security/apparmor/mount.c:442) apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1)) security_sb_mount (security/security.c:1062 (discriminator 31)) path_mount (fs/namespace.c:4101) __arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338) invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49) el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2)) do_el0_svc (arch/arm64/kernel/syscall.c:152) el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725) el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744) el0t_64_sync (arch/arm64/kernel/entry.S:596) The buggy address belongs to the object at ffff0008901ca000 which belongs to the cache kmalloc-rnd-06-8k of size 8192 The buggy address is located 0 bytes to the right of allocated 8192-byte region [ffff0008901ca000, ffff0008901cc000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:-1 pincount:0 flags: 0x8000000000000040(head|zone=2) page_type: f5(slab) raw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70 raw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000 head: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70 head: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000 head: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0008901cbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff0008901cc000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff0008901cc080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0008901cc100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc This was introduced by previous incorrect conversion from strcpy(). Fix it by adding the missing terminator. Cc: stable@vger.kernel.org Reviewed-by: Georgia Garcia Signed-off-by: Daniel J Blueman Fixes: 93d4dbdc8da0 ("apparmor: Replace deprecated strcpy in d_namespace_path") Signed-off-by: John Johansen --- security/apparmor/path.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/security/apparmor/path.c b/security/apparmor/path.c index 65a0ca5cc1bd..2494e8101538 100644 --- a/security/apparmor/path.c +++ b/security/apparmor/path.c @@ -164,14 +164,16 @@ static int d_namespace_path(const struct path *path, char *buf, char **name, } out: - /* Append "/" to directory paths, except for root "/" which - * already ends in a slash. + /* Append "/" to directory paths and reterminate string, except for + * root "/" which already ends in a slash. */ if (!error && isdir) { bool is_root = (*name)[0] == '/' && (*name)[1] == '\0'; - if (!is_root) + if (!is_root) { buf[aa_g_path_max - 2] = '/'; + buf[aa_g_path_max - 1] = '\0'; + } } return error; From 11b7df0952663f20ce72c9a22a3cf9278cf84db7 Mon Sep 17 00:00:00 2001 From: GONG Ruiqi Date: Thu, 23 Apr 2026 11:10:56 +0800 Subject: [PATCH 10/10] apparmor/lsm: Fix aa_dfa_unpack's error handling in aa_setup_dfa_engine aa_dfa_unpack returns ERR_PTR not NULL when it fails, but aa_put_dfa only checks NULL for its input, which would cause invalid memory access in aa_put_dfa. Set nulldfa to NULL explicitly to fix that. Fixes: 98b824ff8984 ("apparmor: refcount the pdb") Signed-off-by: GONG Ruiqi Signed-off-by: John Johansen --- security/apparmor/lsm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 467f7ac476aa..3491e9f60194 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -2456,6 +2456,7 @@ static int __init aa_setup_dfa_engine(void) TO_ACCEPT2_FLAG(YYTD_DATA32)); if (IS_ERR(nulldfa)) { error = PTR_ERR(nulldfa); + nulldfa = NULL; goto fail; } nullpdb->dfa = aa_get_dfa(nulldfa);