[Artful] UBUNTU: SAUCE: apparmor: fix apparmorfs DAC access, permissions

Message ID 7ed2de01-4873-f3cb-7c5b-15a63097d1ed@canonical.com
State New
Headers show
Series
  • [Artful] UBUNTU: SAUCE: apparmor: fix apparmorfs DAC access, permissions
Related show

Commit Message

John Johansen Aug. 31, 2017, 5:05 p.m.
The DAC access permissions for several apparmorfs files are wrong.

.access - needs to be writable by all tasks to perform queries
the others in the set only provide a read fn so should be read only.

With policy namespace virtualization all apparmor needs to control
the permission and visibility checks directly which means DAC
access has to be allowed for all user, group, and other.

BugLink: http://bugs.launchpad.net/bugs/1713103
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/apparmorfs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

Seth Forshee Aug. 31, 2017, 5:13 p.m. | #1
On Thu, Aug 31, 2017 at 10:05:41AM -0700, John Johansen wrote:
> The DAC access permissions for several apparmorfs files are wrong.
> 
> .access - needs to be writable by all tasks to perform queries
> the others in the set only provide a read fn so should be read only.
> 
> With policy namespace virtualization all apparmor needs to control
> the permission and visibility checks directly which means DAC
> access has to be allowed for all user, group, and other.
> 
> BugLink: http://bugs.launchpad.net/bugs/1713103
> Signed-off-by: John Johansen <john.johansen@canonical.com>

Applied to unstable/master, thanks!

Patch

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 20cdb1c4b266..63a8a462fc96 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -2221,12 +2221,12 @@  static struct aa_sfs_entry aa_sfs_entry_features[] = {
 };
 
 static struct aa_sfs_entry aa_sfs_entry_apparmor[] = {
-	AA_SFS_FILE_FOPS(".access", 0640, &aa_sfs_access),
+	AA_SFS_FILE_FOPS(".access", 0666, &aa_sfs_access),
 	AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops),
 	AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops),
-	AA_SFS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops),
-	AA_SFS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops),
-	AA_SFS_FILE_FOPS("profiles", 0440, &aa_sfs_profiles_fops),
+	AA_SFS_FILE_FOPS(".ns_level", 0444, &seq_ns_level_fops),
+	AA_SFS_FILE_FOPS(".ns_name", 0444, &seq_ns_name_fops),
+	AA_SFS_FILE_FOPS("profiles", 0444, &aa_sfs_profiles_fops),
 	AA_SFS_DIR("features", aa_sfs_entry_features),
 	{ }
 };