From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 49D0B2C032C; Thu, 12 Mar 2026 20:04:46 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 694ABC4CEF7; Thu, 12 Mar 2026 20:04:46 +0000 (UTC)
From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Qualys Security Advisory, Ryan Lee, Cengiz Can, John Johansen
Subject: [PATCH 6.19 06/13] apparmor: fix: limit the number of levels of policy namespaces
Date: Thu, 12 Mar 2026 21:03:38 +0100
Message-ID: <20260312200321.907367701@linuxfoundation.org>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260312200321.671986598@linuxfoundation.org>
References: <20260312200321.671986598@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: John Johansen

commit 306039414932c80f8420695a24d4fe10c84ccfb2 upstream.

Currently the number of policy namespaces is not bounded, relying on the user namespace limit. However, policy namespaces aren't strictly tied to user namespaces, and it is possible to create them and nest them arbitrarily deep, which can be used to exhaust system resources.

Hard cap policy namespaces to the same depth as user namespaces.

Fixes: c88d4c7b049e8 ("AppArmor: core policy routines")
Reported-by: Qualys Security Advisory
Reviewed-by: Ryan Lee
Reviewed-by: Cengiz Can
Signed-off-by: John Johansen
Signed-off-by: Greg Kroah-Hartman
---
 security/apparmor/include/policy_ns.h | 2 ++
 security/apparmor/policy_ns.c         | 2 ++
 2 files changed, 4 insertions(+)

--- a/security/apparmor/include/policy_ns.h +++ b/security/apparmor/include/policy_ns.h @@ -18,6 +18,8 @@ #include "label.h" #include "policy.h" +/* Match max depth of user namespaces */ +#define MAX_NS_DEPTH 32 /* struct aa_ns_acct - accounting of profiles in namespace * @max_size: maximum space allowed for all profiles in namespace --- a/security/apparmor/policy_ns.c +++ b/security/apparmor/policy_ns.c
@@ -223,6 +223,8 @@ static struct aa_ns *__aa_create_ns(stru AA_BUG(!name); AA_BUG(!mutex_is_locked(&parent->lock)); + if (parent->level > MAX_NS_DEPTH) + return ERR_PTR(-ENOSPC); ns = alloc_ns(parent->base.hname, name); if (!ns) return ERR_PTR(-ENOMEM);
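Review bot: In the policy_ns.h hunk, the comment "Match max depth of user namespaces" on `#define MAX_NS_DEPTH 32` documents an intent that the code does not enforce: the 32 is a hard-coded copy rather than a value derived from the user namespace limit it says it mirrors, so if that limit ever changes the two silently diverge and the comment becomes wrong. Please either name in the comment where the user namespace value lives so the next person can keep them in sync, or, if a shared constant is reachable from this header, use it instead of a literal.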
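Review bot: In the __aa_create_ns() hunk, the boundary in `if (parent->level > MAX_NS_DEPTH)` needs a comment or a tweak, because as written it is ambiguous whether it caps policy namespaces at the same depth as user namespaces, which is what the commit message promises. The hunk does not show how the new namespace's level is assigned; if the child sits at `parent->level + 1`, then a parent at level 32 still gets a child at level 33 and only a parent already at level 33 is refused, which is one deeper than MAX_NS_DEPTH. If no policy namespace may exceed depth MAX_NS_DEPTH, the comparison should be `>=`; either way, a one-line comment stating which level is the last one permitted would make the check reviewable. The `return ERR_PTR(-ENOSPC);` choice also deserves a sentence in the commit message, since callers will surface a "no space left" error for what is a nesting-depth limit.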