From patchwork Thu Apr 7 18:12:06 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 90219
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id F05631007DB for ; Fri, 8 Apr 2011 04:12:28 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Q7tgm-0003ia-RX; Thu, 07 Apr 2011 18:12:16 +0000
Received: from adelie.canonical.com ([91.189.90.139]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Q7tgl-0003iU-Jt for kernel-team@lists.ubuntu.com; Thu, 07 Apr 2011 18:12:15 +0000
Received: from youngberry.canonical.com ([91.189.89.112]) by adelie.canonical.com with esmtp (Exim 4.71 #1 (Debian)) id 1Q7tgl-0006lk-Hw for ; Thu, 07 Apr 2011 18:12:15 +0000
Received: from static-50-53-37-130.bvtn.or.frontiernet.net ([50.53.37.130] helo=canonical.com) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1Q7tgl-0000sb-6b for kernel-team@lists.ubuntu.com; Thu, 07 Apr 2011 18:12:15 +0000
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH] UBUNTU: AppArmor: Fix masking of capabilities in complain mode
Date: Thu, 7 Apr 2011 11:12:06 -0700
Message-Id: <1302199926-3266-2-git-send-email-john.johansen@canonical.com>
X-Mailer: git-send-email 1.7.4.1
In-Reply-To: <1302199926-3266-1-git-send-email-john.johansen@canonical.com>
References: <1302199926-3266-1-git-send-email-john.johansen@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Kernel team discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
MIME-Version: 1.0
Sender: kernel-team-bounces@lists.ubuntu.com
Errors-To: kernel-team-bounces@lists.ubuntu.com

BugLink: http://bugs.launchpad.net/bugs/748656

AppArmor is masking the capabilities returned by capget against the capabilities mask in the profile. This is wrong: in complain mode the profile has effectively all capabilities, as the profile restrictions are not being enforced, merely tested against to determine if an access is known by the profile.

This can result in the wrong behavior of security-conscious applications like sshd, which examine their capability set and change their behavior accordingly. In this case, because of the masked capability set being returned, sshd fails due to DAC checks, even when the profile is in complain mode.

Signed-off-by: John Johansen
---
 security/apparmor/lsm.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index fa778a76..8be2cf3 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -127,7 +127,7 @@ static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, *inheritable = cred->cap_inheritable; *permitted = cred->cap_permitted; - if (!unconfined(profile)) { + if (!unconfined(profile) && !COMPLAIN_MODE(profile)) { *effective = cap_intersect(*effective, profile->caps.allow); *permitted = cap_intersect(*permitted, profile->caps.allow); }
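Review bot: The new `!COMPLAIN_MODE(profile)` guard in apparmor_capget encodes a policy decision (a complain-mode profile must report the unmasked effective and permitted sets because its restrictions are only audited, not enforced) that is explained only in the commit message; add a short comment above the `if`, for example `/* complain mode is not enforced, so do not mask the caps the task actually has */`, so the next reader of lsm.c does not "fix" it back. Two further points worth a line in the changelog or a follow-up: the hunk leaves `*inheritable` unmasked in both modes, which is the existing behaviour and is fine, but it is now the only set treated the same way regardless of mode, so say so explicitly; and a process that calls capget while its profile is in complain mode and caches the result will keep that unmasked view if the profile is later switched to enforce mode, so applications like sshd that consult their capability set once at startup can still see a mismatch between what capget reported and what apparmor_capable will later allow.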