security/apparmor/policy_unpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
The unpack_secmark() function currently uses kfree() to release memory
allocated for secmark structures and their labels. However, if a failure
occurs after partially parsing secmark, sensitive data may remain in
memory, posing a security risk.
To mitigate this, replace kfree() with kfree_sensitive() for freeing
secmark structures and their labels, aligning with the approach used
in free_ruleset().
I am submitting this as an RFC to seek freedback on whether this change
is appropriate and aligns with the subsystem's expectations. If
confirmed to be helpful, I will send a formal patch.
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
---
security/apparmor/policy_unpack.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 992b74c50..610e09c76 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -598,8 +598,8 @@ static bool unpack_secmark(struct aa_ext *e, struct aa_ruleset *rules)
fail:
if (rules->secmark) {
for (i = 0; i < size; i++)
- kfree(rules->secmark[i].label);
- kfree(rules->secmark);
+ kfree_sensitive(rules->secmark[i].label);
+ kfree_sensitive(rules->secmark);
rules->secmark_count = 0;
rules->secmark = NULL;
}
--
2.34.1On 4/17/25 21:52, Zilin Guan wrote:
> The unpack_secmark() function currently uses kfree() to release memory
> allocated for secmark structures and their labels. However, if a failure
> occurs after partially parsing secmark, sensitive data may remain in
> memory, posing a security risk.
>
> To mitigate this, replace kfree() with kfree_sensitive() for freeing
> secmark structures and their labels, aligning with the approach used
> in free_ruleset().
>
> I am submitting this as an RFC to seek freedback on whether this change
> is appropriate and aligns with the subsystem's expectations. If
> confirmed to be helpful, I will send a formal patch.
>
> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
sorry I am super behind on the backlog, I will get this in to my tree today
Acked-by: John Johansen <john.johansen@canonical.com>
> ---
> security/apparmor/policy_unpack.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
> index 992b74c50..610e09c76 100644
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -598,8 +598,8 @@ static bool unpack_secmark(struct aa_ext *e, struct aa_ruleset *rules)
> fail:
> if (rules->secmark) {
> for (i = 0; i < size; i++)
> - kfree(rules->secmark[i].label);
> - kfree(rules->secmark);
> + kfree_sensitive(rules->secmark[i].label);
> + kfree_sensitive(rules->secmark);
> rules->secmark_count = 0;
> rules->secmark = NULL;
> }
On Fri, Apr 18, 2025 at 04:52:50AM+0000, Zilin Guan wrote: > To mitigate this, replace kfree() with kfree_sensitive() for freeing > secmark structures and their labels, aligning with the approach used > in free_ruleset(). To clarify, we propose using kfree_sensitive() for secmark structures and their labels because they are already freed with kfree_sensitive() in another error path, specifically in aa_free_profile() -> free_ruleset(). This change aligns both cleanup pathways, whether aborting early in unpack_secmark() or cleaning up later via aa_free_profile() -> free_ruleset(). It ensures that all secmark-related allocations are scrubbed before deallocation, mitigating any potential security risks. Best Regards, Zilin Guan
© 2016 - 2025 Red Hat, Inc.