From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Qualys Security Advisory, Ryan Lee, Cengiz Can, John Johansen
Subject: [PATCH 5.15 518/570] apparmor: fix: limit the number of levels of policy namespaces
Date: Mon, 13 Apr 2026 18:00:49 +0200
Message-ID: <20260413155849.852814254@linuxfoundation.org>
In-Reply-To: <20260413155830.386096114@linuxfoundation.org>
References: <20260413155830.386096114@linuxfoundation.org>
X-stable: review

5.15-stable review patch. If anyone has any objections, please let me know.

------------------

From: John Johansen

commit 306039414932c80f8420695a24d4fe10c84ccfb2 upstream.

Currently the number of policy namespaces is not bounded, relying on the
user namespace limit. However, policy namespaces aren't strictly tied to
user namespaces and it is possible to create them and nest them
arbitrarily deep, which can be used to exhaust system resources.

Hard cap policy namespaces to the same depth as user namespaces.

Fixes: c88d4c7b049e8 ("AppArmor: core policy routines")
Reported-by: Qualys Security Advisory
Reviewed-by: Ryan Lee
Reviewed-by: Cengiz Can
Signed-off-by: John Johansen
Signed-off-by: Greg Kroah-Hartman
---
 security/apparmor/include/policy_ns.h | 2 ++
 security/apparmor/policy_ns.c         | 2 ++
 2 files changed, 4 insertions(+)

--- a/security/apparmor/include/policy_ns.h +++ b/security/apparmor/include/policy_ns.h @@ -18,6 +18,8 @@ #include "label.h" #include "policy.h" +/* Match max depth of user namespaces */ +#define MAX_NS_DEPTH 32 /* struct aa_ns_acct - accounting of profiles in namespace * @max_size: maximum space allowed for all profiles in namespace --- a/security/apparmor/policy_ns.c +++ b/security/apparmor/policy_ns.c
@@ -249,6 +249,8 @@ static struct aa_ns *__aa_create_ns(stru AA_BUG(!name); AA_BUG(!mutex_is_locked(&parent->lock)); + if (parent->level > MAX_NS_DEPTH) + return ERR_PTR(-ENOSPC); ns = alloc_ns(parent->base.hname, name); if (!ns) return ERR_PTR(-ENOMEM);
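Review bot: in the policy_ns.h hunk, `+#define MAX_NS_DEPTH 32` duplicates the user namespace depth limit as a bare literal, and the comment `/* Match max depth of user namespaces */` does not say where that limit lives; nothing ties the two values together at build time, so a comment pointing at the hard-coded depth check in create_user_ns() (kernel/user_namespace.c) would make it obvious that the two must be changed together if the user namespace limit ever moves.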
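Review bot: in the policy_ns.c hunk, `+ if (parent->level > MAX_NS_DEPTH)` still allows a child to be created when parent->level equals MAX_NS_DEPTH, so the deepest reachable policy namespace sits at level MAX_NS_DEPTH + 1 rather than MAX_NS_DEPTH; this matches the `>` comparison used for user namespaces and is probably intended, but the commit message says "same depth", so either state that the cap is on the parent's level or switch to `>=` if 32 nested levels is the intended hard limit. The choice of `ERR_PTR(-ENOSPC)` for a depth limit also deserves a sentence in the commit message, since a caller loading policy into a too-deep namespace will see a "no space" error rather than one suggesting a nesting limit.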