Add latest upstream apparmor patches

A bug has been found in Apparmor, resulting in dbus policies which aim to
deny specific dbus transactions failing to work. The latest series of
patches made available as part of the Ubuntu Apparmor support
(specifically "UBUNTU SAUCE: apparmor: fix apparmor mediating locking
non-fs, unix sockets") was found to resolve this bug.

Add the additional available Apparmor patches, available as part of the
"5.1-outoftree" branch at https://gitlab.com/apparmor/apparmor-kernel

.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

debian/patches/apparmor/0001-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch

+From 7b76d4db6e9ffd6734d5c25ab5f4982d97500cac Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Mon, 30 Jul 2018 13:55:30 -0700
+Subject: [PATCH 1/2] UBUNTU SAUCE: apparmor: fix apparmor mediating locking
+ non-fs, unix sockets
+
+The apparmor policy language current does not allow expressing of the
+locking permission for no-fs unix sockets. However the kernel is
+enforcing mediation.
+
+Add the AA_MAY_LOCK perm to the computed perm mask which will grant
+permission for all current abi profiles, but still allow specifying
+auditing of the operation if needed.
+
+BugLink: http://bugs.launchpad.net/bugs/1780227
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Acked-by: Stefan Bader <stefan.bader@canonical.com>
+Acked-by: Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
+---
+ security/apparmor/lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
+index 76491e7f4177..10858e2e1428 100644
+--- a/security/apparmor/lib.c
++++ b/security/apparmor/lib.c
+@@ -338,7 +338,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
+ 	/* for v5 perm mapping in the policydb, the other set is used
+ 	 * to extend the general perm set
+ 	 */
+-	perms->allow |= map_other(dfa_other_allow(dfa, state));
++	perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
+ 	perms->audit |= map_other(dfa_other_audit(dfa, state));
+ 	perms->quiet |= map_other(dfa_other_quiet(dfa, state));
+ //	perms->xindex = dfa_user_xindex(dfa, state);
+-- 
+2.20.1
+

debian/patches/apparmor/0002-UBUNTU-SAUCE-apparmor-userspace-queries.patch

+From caff62af6d80da6beb5b4b5618a8b3dde0a662c0 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Tue, 26 Jun 2018 08:07:54 -0700
+Subject: [PATCH 2/2] UBUNTU: SAUCE: apparmor: userspace queries
+
+The userspaced controlled query interface needs a safe version of the
+POLICY_MEDIATES query, otherwise userspace can cause an index out of
+bounds reference for trusted helper enforced policy.
+
+Fixes: b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
+---
+ security/apparmor/apparmorfs.c     |  2 +-
+ security/apparmor/include/policy.h | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index d302960562f0..732dfb5302d7 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -625,7 +625,7 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
+ 			tmp = aa_compute_fperms(dfa, state, &cond);
+ 		}
+ 	} else if (profile->policy.dfa) {
+-		if (!PROFILE_MEDIATES(profile, *match_str))
++		if (!PROFILE_MEDIATES_SAFE(profile, *match_str))
+ 			return;	/* no change to current perms */
+ 		dfa = profile->policy.dfa;
+ 		state = aa_dfa_match_len(dfa, profile->policy.start[0],
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index 405caee83b7f..c29b62f413c7 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -220,6 +220,16 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
+ }
+ 
+ #define PROFILE_MEDIATES(P, T)  ((P)->policy.start[(unsigned char) (T)])
++/* safe version of POLICY_MEDIATES for full range input */
++static inline unsigned int PROFILE_MEDIATES_SAFE(struct aa_profile *profile,
++						 unsigned char class)
++{
++	if (profile->policy.dfa)
++		return aa_dfa_match_len(profile->policy.dfa,
++					profile->policy.start[0], &class, 1);
++	return 0;
++}
++
+ static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
+ 					       u16 AF) {
+ 	unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
+-- 
+2.20.1
+

debian/patches/series

@@ -199,6 +199,8 @@ features/all/ena/0018-net-ena-update-driver-version-from-2.0.1-to-2.0.2.patch
 apparmor/0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch
 apparmor/0002-apparmor-af_unix-mediation.patch
 apparmor/0003-apparmor-fix-use-after-free-in-sk_peer_label.patch
+apparmor/0001-UBUNTU-SAUCE-apparmor-fix-apparmor-mediating-locking.patch
+apparmor/0002-UBUNTU-SAUCE-apparmor-userspace-queries.patch
 
 # RaspberryPi support
 rpi/ARM-dts-add-Raspberry-Pi-Compute-Module-3-and-IO-boa.patch