From patchwork Fri Mar 31 12:57:38 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Johansen X-Patchwork-Id: 745626 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3vvhPs3nzGz9s03; Fri, 31 Mar 2017 23:58:25 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1ctw8E-0000mu-9r; Fri, 31 Mar 2017 12:58:22 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1ctw86-0000j7-8y for kernel-team@lists.ubuntu.com; Fri, 31 Mar 2017 12:58:14 +0000 Received: from static-50-53-32-2.bvtn.or.frontiernet.net ([50.53.32.2] helo=canonical.com) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1ctw85-0006Af-Mh for kernel-team@lists.ubuntu.com; Fri, 31 Mar 2017 12:58:14 +0000 From: John Johansen To: kernel-team@lists.ubuntu.com Subject: [PATCH 05/11] UBUNTU: SAUCE: apparmor: Don't audit denied access of special apparmor .null file Date: Fri, 31 Mar 2017 05:57:38 -0700 Message-Id: <20170331125744.16986-6-john.johansen@canonical.com> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20170331125744.16986-1-john.johansen@canonical.com> References: <20170331125744.16986-1-john.johansen@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com When an fd is disallowed from being inherited during exec, instead of closed it is duped to a special apparmor/.null file. This prevents the fd from being reused by another file in case the application expects the original file on a give fd (eg stdin/stdout etc). This results in a denial message like [32375.561535] audit: type=1400 audit(1478825963.441:358): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536 Further access to the fd is resultin in the rather useless denial message of [32375.566820] audit: type=1400 audit(1478825963.445:359): apparmor="DENIED" operation="file_perm" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0 since we have the original denial, the noisy and useless .null based denials can be skipped. BugLink: http://bugs.launchpad.net/bugs/1660836 Signed-off-by: John Johansen Acked-by: Stefan Bader Acked-by: Tim Gardner Acked-by: Brad Figg Signed-off-by: Thadeu Lima de Souza Cascardo --- security/apparmor/lsm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 330437c..a93b701 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -443,6 +443,9 @@ static int common_file_perm(const char *op, struct file *file, u32 mask) struct aa_label *label; int error = 0; + if (file->f_path.dentry == aa_null.dentry) + return -EACCES; + label = aa_begin_current_label(NO_UPDATE); error = aa_file_perm(op, label, file, mask); aa_end_current_label(label);