Patchwork UBUNTU: AppArmor: Fix masking of capabilities in complain mode

login
register
mail settings
Submitter John Johansen
Date April 7, 2011, 6:12 p.m.
Message ID <1302199926-3266-2-git-send-email-john.johansen@canonical.com>
Download mbox | patch
Permalink /patch/90219/
State New
Headers show

Comments

John Johansen - April 7, 2011, 6:12 p.m.
BugLink: http://bugs.launchpad.net/bugs/748656

AppArmor is masking the capabilities returned by capget against the
capabilities mask in the profile.  This is wrong, in complain mode the
profile has effectively all capabilities, as the profile restrictions are
not being enforced, merely tested against to determine is an access is
known by the profile.

This can result in the wrong behavior of security conscience applications
like sshd which examine their capability set, and change their behavior
accordingly.  In this case because of the masked capability set being
returned sshd fails due to DAC checks, even when the profile is complain
mode.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/lsm.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

Patch

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index fa778a76..8be2cf3 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -127,7 +127,7 @@  static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
 	*inheritable = cred->cap_inheritable;
 	*permitted = cred->cap_permitted;
 
-	if (!unconfined(profile)) {
+	if (!unconfined(profile) && !COMPLAIN_MODE(profile)) {
 		*effective = cap_intersect(*effective, profile->caps.allow);
 		*permitted = cap_intersect(*permitted, profile->caps.allow);
 	}