Bug#676515: linux-2.6: AppArmor totally broken
Hi John,
John Johansen wrote (17 Jun 2012 19:08:20 GMT) :
> On 06/15/2012 05:08 PM, Ben Hutchings wrote:
>>>
>>>>> If we don't want to restrict sockets used by the kernel, don't we need
>>>>> to store the kern flag for later use by aa_revalidate_sk()?
>>>>>
>>>> For how apparmor is generally deployed it can get away with this, the
>>>> kernel bits generally bail out earlier on the check for unconfined.
>>>
>>>> That is not to say it isn't a good idea, or that it shouldn't be done.
>>>> The fact is this patch is going to be replaced with completely rewritten
>>>> controls, that do store info on the socket, it just hasn't happened yet
>>>> due to resources and priorities (not my priorities).
>>>
>>> Ben, is this a blocker?
>>
>> I want to be convinced that this is not a bug, or else get a fix for it.
>>
> I am looking at the kernel bits here, but I don't have a patch yet
Do you think you'll manage to do it in time for the Wheezy freeze
(June 30th)?
>>>>> Since denied has already been masked with ~quiet_mask, this condition
>>>>> can never be true.
>>>>>
>>>> indeed
>>>
>>> Ben, is this a blocker?
>> [...]
>>
>> This clearly is a bug and I want to be convinced that it is harmless or
>> else get a fix for it.
>>
> Right this breaks the controls over quieting of denial messages. Basically
> if policy specifies a reject should not be logged then the global controls
> that turn quieting off so that all rejects get logged aren't working for
> networking.
> This is an easy patch that I can provide separately or with the
> patch I am working on for the larger issue.
Do you think you'll manage to prepare at least the easy fix in time
for the Wheezy freeze?
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
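The second point in the thread (a condition that can never be true because `denied` was already masked with `~quiet_mask`) is a general "mask, then test the masked bits" defect. The following C block is an added illustration, not the AppArmor or Debian kernel code under discussion: it models a policy rule with an allow set and a quiet set, shows the dead branch next to a version where the global "log every reject" control works, and its names (`struct rule`, `log_denial_buggy`, `log_denial_fixed`, `audit_all`, the permission bits) are assumptions made for the example.

```c
/* Added example modelling the dead-condition bug described in the thread.
 * This is NOT the AppArmor networking code; names and bit values are
 * constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

/* Constructed permission bits for the model. */
#define PERM_READ  0x1u
#define PERM_WRITE 0x2u
#define PERM_BIND  0x4u

/* A policy rule: which permissions are allowed, and which denials the
 * policy asks to be quieted (not logged). */
struct rule {
    uint32_t allow;
    uint32_t quiet;
};

/* Buggy variant: the quiet mask is applied to 'denied' first, so the
 * override check on (denied & quiet) can never succeed, because
 * (denied & ~quiet) & quiet is always 0. With audit_all set, quieted
 * rejects are still silently dropped. Returns 1 if the denial is logged. */
int log_denial_buggy(const struct rule *r, uint32_t request, int audit_all)
{
    uint32_t denied = request & ~r->allow;
    denied &= ~r->quiet;                  /* quieted denials removed here */
    if (audit_all && (denied & r->quiet)) /* dead branch: always false */
        return 1;
    return denied != 0;
}

/* Fixed variant: decide on the unmasked denial set, and apply the quiet
 * mask only when the global "log everything" control is off. */
int log_denial_fixed(const struct rule *r, uint32_t request, int audit_all)
{
    uint32_t denied = request & ~r->allow;
    if (!denied)
        return 0;                         /* nothing rejected, nothing to log */
    if (audit_all)
        return 1;                         /* global control overrides quieting */
    return (denied & ~r->quiet) != 0;     /* otherwise honour the policy's quiet set */
}

int main(void)
{
    /* Constructed rule: reads allowed, bind denials quieted by policy. */
    const struct rule r = { .allow = PERM_READ, .quiet = PERM_BIND };

    printf("bind, audit_all=1: buggy=%d fixed=%d\n",
           log_denial_buggy(&r, PERM_BIND, 1), log_denial_fixed(&r, PERM_BIND, 1));
    printf("bind, audit_all=0: buggy=%d fixed=%d\n",
           log_denial_buggy(&r, PERM_BIND, 0), log_denial_fixed(&r, PERM_BIND, 0));
    printf("write, audit_all=0: buggy=%d fixed=%d\n",
           log_denial_buggy(&r, PERM_WRITE, 0), log_denial_fixed(&r, PERM_WRITE, 0));
    return 0;
}
```

The only observable difference is the first case: a rejected, policy-quieted operation with the global audit control switched on. The buggy variant returns 0 (not logged) there, which is the symptom described in the thread; the fixed variant returns 1. Both agree whenever the override is off or the denial was never quieted.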