UBUNTU: SAUCE: apparmor4.0.0 [64/90]: prompt - allow profiles to set prompts as interruptible

BugLink: http://bugs.launchpad.net/bugs/2028253 Generally prompts can't be interruptible because there are too many applications that don't handle ERESTARTSYS correctly. This can lead to random failures that result in a very poor experience. However allowing upcalls to interruptible is very useful sometimes, especially with some debugging so provide away for policy to allow it. Signed-off-by: John Johansen <john.johansen@canonical.com> (cherry picked from https://gitlab.com/jjohansen/apparmor-kernel) Signed-off-by: Andrea Righi <andrea.righi@canonical.com> (cherry picked from commit a8d78d6106d8f3e6fff64137f29aaa42607eba2c https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next) Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2023-08-22 00:19:29 -07:00
parent c723113f3a
commit fdd1e4fe13
5 changed files with 17 additions and 2 deletions
@@ -2573,6 +2573,11 @@ static struct aa_sfs_entry aa_sfs_entry_versions[] = {
 	{ }
 };

+static struct aa_sfs_entry aa_sfs_entry_profile[] = {
+	AA_SFS_FILE_BOOLEAN("interruptible",		1),
+	{ }
+};
+
 #define PERMS32STR "allow deny subtree cond kill complain prompt audit quiet hide xindex tag label"
 static struct aa_sfs_entry aa_sfs_entry_policy[] = {
 	AA_SFS_DIR("versions",			aa_sfs_entry_versions),
@@ -90,7 +90,7 @@ enum label_flags {
 	FLAG_PROFILE = 0x200,		/* label is a profile */
 	FLAG_EXPLICIT = 0x400,		/* explicit static label */
 	FLAG_STALE = 0x800,		/* replaced/removed */
-	FLAG_RENAMED = 0x1000,		/* label has renaming in it */
+	FLAG_INTERRUPTIBLE = 0x1000,
 	FLAG_REVOKED = 0x2000,		/* label has revocation in it */
 	FLAG_DEBUG1 = 0x4000,
 	FLAG_DEBUG2 = 0x8000,
@@ -31,6 +31,7 @@ struct aa_load_ent *aa_load_ent_alloc(void);
 #define PACKED_FLAG_HAT		1
 #define PACKED_FLAG_DEBUG1	2
 #define PACKED_FLAG_DEBUG2	4
+#define PACKED_FLAG_INTERRUPTIBLE 8

 #define PACKED_MODE_ENFORCE	0
 #define PACKED_MODE_COMPLAIN	1
@@ -405,7 +405,14 @@ static int handle_synchronous_notif(struct aa_listener *listener,
 	long werr;
 	int err;

-	werr = wait_for_completion_interruptible_timeout(&knotif->ready, msecs_to_jiffies(60000));
+	if (knotif->ad->subj_label->flags & FLAG_INTERRUPTIBLE)
+		werr = wait_for_completion_interruptible_timeout(&knotif->ready,
+						 msecs_to_jiffies(60000));
+	else
+		/* do not use close to long jiffies so cast is safe */
+		werr = (long) wait_for_completion_timeout(&knotif->ready,
+						   msecs_to_jiffies(60000));
+	/* time out OR interrupt */
 	if (werr <= 0) {
 		/* ensure knotif is not on list because of early exit */
 		spin_lock(&listener->lock);
@@ -915,6 +915,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 		profile->label.flags |= FLAG_DEBUG1;
 	if (tmp & PACKED_FLAG_DEBUG2)
 		profile->label.flags |= FLAG_DEBUG2;
+	if (tmp & PACKED_FLAG_INTERRUPTIBLE)
+		profile->label.flags |= FLAG_INTERRUPTIBLE;
 	if (!aa_unpack_u32(e, &tmp, NULL))
 		goto fail;
 	if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {