From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Qualys Security Advisory, Ryan Lee, Cengiz Can, John Johansen
Subject: [PATCH 6.1 15/55] apparmor: fix: limit the number of levels of policy namespaces
Date: Mon, 13 Apr 2026 18:00:49 +0200
Message-ID: <20260413155725.396593179@linuxfoundation.org>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260413155724.820472494@linuxfoundation.org>
References: <20260413155724.820472494@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.1-stable review patch. If anyone has any objections, please let me know.

------------------

From: John Johansen

commit 306039414932c80f8420695a24d4fe10c84ccfb2 upstream.

Currently the number of policy namespaces is not bounded, relying on the user namespace limit. However, policy namespaces aren't strictly tied to user namespaces and it is possible to create them and nest them arbitrarily deep, which can be used to exhaust system resources.

Hard cap policy namespaces to the same depth as user namespaces.

Fixes: c88d4c7b049e8 ("AppArmor: core policy routines")
Reported-by: Qualys Security Advisory
Reviewed-by: Ryan Lee
Reviewed-by: Cengiz Can
Signed-off-by: John Johansen
Signed-off-by: Greg Kroah-Hartman
---
 security/apparmor/include/policy_ns.h | 2 ++
 security/apparmor/policy_ns.c         | 2 ++
 2 files changed, 4 insertions(+)

--- a/security/apparmor/include/policy_ns.h +++ b/security/apparmor/include/policy_ns.h @@ -18,6 +18,8 @@ #include "label.h" #include "policy.h" +/* Match max depth of user namespaces */ +#define MAX_NS_DEPTH 32 /* struct aa_ns_acct - accounting of profiles in namespace * @max_size: maximum space allowed for all profiles in namespace --- a/security/apparmor/policy_ns.c +++ b/security/apparmor/policy_ns.c 
@@ -262,6 +262,8 @@ static struct aa_ns *__aa_create_ns(stru AA_BUG(!name); AA_BUG(!mutex_is_locked(&parent->lock)); + if (parent->level > MAX_NS_DEPTH) + return ERR_PTR(-ENOSPC); ns = alloc_ns(parent->base.hname, name); if (!ns) return ERR_PTR(-ENOMEM);
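Review bot: the comment on the new MAX_NS_DEPTH define in policy_ns.h, "Match max depth of user namespaces", does not say whether the constant is the largest level a namespace may have or the largest parent level that may still spawn a child; since the check in policy_ns.c compares with `>`, it is the latter, so a parent at level 32 still gets a child. Spell that out in the comment, e.g. "a parent deeper than this may not create children", so the name MAX_NS_DEPTH is not read as the maximum level.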
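Review bot: `if (parent->level > MAX_NS_DEPTH)` admits one more level than the constant suggests: a parent already at level MAX_NS_DEPTH passes the check and its child lands one level deeper. If that is deliberate, to mirror the user-namespace check bit for bit, say so in a comment at the check so nobody later "fixes" it to `>=`; if not, `>=` is the comparison that makes MAX_NS_DEPTH the real cap. Placing the check before `alloc_ns()` is the right order, since a refused request then allocates nothing. The commit message should also say why -ENOSPC was chosen for a depth limit, as callers surfacing that errno to userspace will report it as an out-of-space condition rather than a nesting limit.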
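A user-space model of the patched check, as an added example that is neither kernel code nor part of this patch: it keeps only the fields the depth test needs and assumes, as the hunk does not show, that the root namespace sits at level 0 and that a child's level is its parent's plus one. Nesting until creation is refused shows exactly how deep the `>` comparison lets the tree grow.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same value as the patch's MAX_NS_DEPTH. */
#define MAX_NS_DEPTH 32

/* Stand-in for struct aa_ns with only the fields the depth check needs. */
struct ns {
	struct ns *parent;
	int level;		/* assumption: root is 0, each child is parent + 1 */
	char name[16];
};

/*
 * Model of __aa_create_ns() after the patch: the depth check runs before
 * any allocation, so a refused request costs nothing.  Returns NULL and
 * sets *err to a positive errno (the kernel returns ERR_PTR(-ENOSPC)) when
 * the parent is already deeper than MAX_NS_DEPTH.
 */
static struct ns *create_ns(struct ns *parent, const char *name, int *err)
{
	struct ns *ns;

	if (parent->level > MAX_NS_DEPTH) {
		*err = ENOSPC;
		return NULL;
	}
	ns = calloc(1, sizeof(*ns));
	if (!ns) {
		*err = ENOMEM;
		return NULL;
	}
	ns->parent = parent;
	ns->level = parent->level + 1;
	snprintf(ns->name, sizeof(ns->name), "%s", name);
	*err = 0;
	return ns;
}

/* Release every namespace from leaf up to, but not including, root. */
static void free_chain(struct ns *leaf, struct ns *root)
{
	while (leaf && leaf != root) {
		struct ns *p = leaf->parent;
		free(leaf);
		leaf = p;
	}
}

/*
 * Emulate the arbitrary nesting the commit message describes, but under
 * the patched check: create child under child until creation is refused.
 * Returns the level of the deepest namespace created; *refusal_err (if
 * non-NULL) receives the errno of the refused attempt.
 */
int deepest_level_reachable(int *refusal_err)
{
	struct ns root = { .parent = NULL, .level = 0, .name = "root" };
	struct ns *cur = &root;
	int err = 0;
	int deepest;

	for (;;) {
		char name[16];
		struct ns *child;

		snprintf(name, sizeof(name), "n%d", cur->level + 1);
		child = create_ns(cur, name, &err);
		if (!child)
			break;
		cur = child;
	}
	if (refusal_err)
		*refusal_err = err;
	deepest = cur->level;	/* read before the chain is freed */
	free_chain(cur, &root);
	return deepest;
}

/* The errno with which the cap refuses the next level. */
int refusal_errno(void)
{
	int err = 0;

	deepest_level_reachable(&err);
	return err;
}

int main(void)
{
	int err;
	int deepest = deepest_level_reachable(&err);

	printf("MAX_NS_DEPTH=%d, deepest level created=%d, next refused with %d (%s)\n",
	       MAX_NS_DEPTH, deepest, err, strerror(err));
	return 0;
}
```

Under these assumptions the loop creates namespaces down to level 33, one past MAX_NS_DEPTH, before the check refuses with ENOSPC; whether 33 or 32 is the intended cap is what a reviewer of the `>` comparison has to decide.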