Bug#676515: linux-2.6: AppArmor totally broken
Hi John,
On Tue, Jun 26, 2012 at 10:48:38AM -0700, John Johansen wrote:
> On 06/23/2012 11:53 AM, intrigeri wrote:
> > John Johansen wrote (17 Jun 2012 19:08:20 GMT) :
> >> On 06/15/2012 05:08 PM, Ben Hutchings wrote:
> >>>>
> >>>>>> If we don't want to restrict sockets used by the kernel, don't we need
> >>>>>> to store the kern flag for later use by aa_revalidate_sk()?
> >>>>>>
> >>>>> For how apparmor is generally deployed it can get away with this, the
> >>>>> kernel bits generally bail out earlier on the check for unconfined.
> >>>>
> >>>>> That is not to say it isn't a good idea, or that it shouldn't be done.
> >>>>> The fact is this patch is going to be replaced with completely rewritten
> >>>>> controls, that do store info on the socket, it just hasn't happened yet
> >>>>> due to resources and priorities (not my priorities).
> >>>>
> >>>> Ben, is this a blocker?
> >>>
> >>> I want to be convinced that this is not a bug, or else get a fix for it.
> >>>
> >> I am looking at the kernel bits here, but I don't have a patch yet
> >
> > Do you think you'll manage to do it in time for the Wheezy freeze
> > (June 30th)?
> >
> >>>>>> Since denied has already been masked with ~quiet_mask, this condition
> >>>>>> can never be true.
> >>>>>>
> >>>>> indeed
> >>>>
> >>>> Ben, is this a blocker?
> >>> [...]
> >>>
> >>> This clearly is a bug and I want to be convinced that it is harmless or
> >>> else get a fix for it.
> >>>
> >> Right, this breaks the controls over quieting of denial messages. Basically,
> >> if policy specifies that a reject should not be logged, then the global controls
> >> that turn quieting off so that all rejects get logged aren't working for
> >> networking.
> >
> >> This is an easy patch that I can provide separately or with the
> >> patch I am working on for the larger issue.
> >
> > Do you think you'll manage to prepare at least the easy fix in time
> > for the Wheezy freeze?
> >
>
> Okay, there are 4 kernel patches; not all of them are needed, depending on whether
> the network patch is applied or not.
>
> If you don't want to apply the networking patch
> 0001-apparmor-remove-advertising-the-support-of-network-r.patch
>
> Stops the kernel interface from incorrectly advertising that it supports network
> rules. A further patch (not attached) to userspace will also have to be applied.
>
> If the networking patch is applied,
> these two patches can be applied or ignored: 0001 will be folded into the compat
> interface patch upstream, and then 0002 will be folded into the networking patch.
> 0001-apparmor-remove-advertising-the-support-of-network-r.patch
> 0002-apparmor-Advertise-network-mediation-from-the-compat.patch
>
> These two patches address the two bugs pointed out in the networking patch:
> 0003-apparmor-Fix-quieting-of-audit-messages-for-network-.patch
> 0004-apparmor-Ensure-apparmor-does-not-mediate-kernel-bas.patch
My preference would be to apply the networking patch, along with 0003
and 0004 posted here.
-Kees
--
Kees Cook
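The second bug raised in the thread (a quieting check that can never fire because the quieted bits were already masked out of `denied`) is easy to reproduce in isolation. The following is an added illustration written for this bug log; it is not code from AppArmor or from the patches discussed, and the permission bits, the `audit_all` override and the two function names are constructed for the example. It shows the unreachable-condition pattern beside an ordering that lets a global "log every denial" control actually override policy quieting.

```c
/* Added example, not AppArmor's code: models the audit-quieting logic
 * described in the thread. Permission bits and the audit_all override
 * are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define PERM_SEND    0x1u
#define PERM_RECEIVE 0x2u
#define PERM_BIND    0x4u

/* Buggy ordering: denied is stripped of policy-quieted bits first, so the
 * later test "(denied & quiet_mask)" is always zero and the audit_all
 * override is never consulted. Returns the bits that would be logged. */
unsigned int denied_to_log_buggy(unsigned int requested, unsigned int allowed,
                                 unsigned int quiet_mask, bool audit_all)
{
    unsigned int denied = requested & ~allowed;

    denied &= ~quiet_mask;              /* quieted bits removed here ... */
    if ((denied & quiet_mask) && audit_all)   /* ... so this is dead code */
        denied |= requested & ~allowed & quiet_mask;
    return denied;
}

/* Corrected ordering: consult the global override before discarding the
 * quieted bits, so "log all denials" really logs all of them. */
unsigned int denied_to_log_fixed(unsigned int requested, unsigned int allowed,
                                 unsigned int quiet_mask, bool audit_all)
{
    unsigned int denied = requested & ~allowed;

    if (!audit_all)
        denied &= ~quiet_mask;          /* policy quieting applies only here */
    return denied;
}

int main(void)
{
    /* Constructed case: profile denies send and bind, and policy marks
     * bind denials as quiet; the admin has asked for every denial. */
    unsigned int req = PERM_SEND | PERM_BIND, allowed = 0, quiet = PERM_BIND;

    printf("buggy: 0x%x\n", denied_to_log_buggy(req, allowed, quiet, true));
    printf("fixed: 0x%x\n", denied_to_log_fixed(req, allowed, quiet, true));
    return 0;
}
```

With the override set, the buggy variant still drops the quieted bind denial (it logs only 0x1), while the corrected ordering logs both bits (0x5); with the override clear, both variants agree and log only the send denial.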