
Bug#676515: linux-2.6: AppArmor totally broken



On 06/15/2012 05:08 PM, Ben Hutchings wrote:
> On Fri, 2012-06-15 at 22:38 +0200, intrigeri wrote:
>> Hi John, Ben and all other involved ones,
>>
>> I'd like to see this moving forward, since the Wheezy freeze is coming
>> soon. See below for explicit questions.
> 
> Me too; thanks for the mail.
> 
>> John Johansen wrote (07 Jun 2012 16:45:36 GMT) :
>>> On 06/07/2012 07:34 AM, Ben Hutchings wrote:
>>
>>>> If we don't want to restrict sockets used by the kernel, don't we need
>>>> to store the kern flag for later use by aa_revalidate_sk()?
>>>>
>>> For how apparmor is generally deployed it can get away with this, the
>>> kernel bits generally bail out earlier on the check for unconfined.
>>
>>> That is not to say it isn't a good idea, or that it shouldn't be done.
>>> The fact is this patch is going to be replaced with completely rewritten
>>> controls, that do store info on the socket, it just hasn't happened yet
>>> due to resources and priorities (not my priorities).
>>
>> Ben, is this a blocker?
> 
> I want to be convinced that this is not a bug, or else get a fix for it.
> 
I am looking at the kernel bits here, but I don't have a patch yet.

>>>> Since denied has already been masked with ~quiet_mask, this condition
>>>> can never be true.
>>>>
>>> indeed
>>
>> Ben, is this a blocker?
> [...]
> 
> This clearly is a bug and I want to be convinced that it is harmless or
> else get a fix for it.
> 
Right, this breaks the controls over quieting of denial messages. Basically,
if policy specifies that a reject should not be logged, then the global controls
that turn quieting off so that all rejects get logged aren't working for
networking.

This is an easy patch that I can provide separately or with the patch I
am working on for the larger issue.

I have also been looking into why the regression is happening; it actually
looks to be in the userspace caching of compiled policy. I can run the
same basic profile loads on Ubuntu with a kernel that only has the single
interface patch applied and it works. So it's just a matter of tracking
down which patches are needed now.
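The quiet-mask defect discussed in this thread, as an added illustration that is not the AppArmor kernel code or any patch from the bug report: a constructed model with hypothetical names (`should_log_buggy`, `should_log_fixed`, the `PERM_*` bits, `quiet_mask`, `audit_all`) showing why a test against `quiet_mask` after `denied` has been masked with `~quiet_mask` is dead code, and how that disables a global "log all rejects" override for quieted denials.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a deny-audit decision, not AppArmor's code.
 * requested/allowed are permission bitmasks, quiet_mask holds the
 * denials that policy asked not to log, and audit_all stands for the
 * global "log every reject" control. */
#define PERM_CREATE  0x1u
#define PERM_BIND    0x2u
#define PERM_CONNECT 0x4u

/* Buggy ordering: denied is masked with ~quiet_mask first, so the
 * later test (denied & quiet_mask) can never be true and audit_all
 * has no effect on quieted denials. */
bool should_log_buggy(uint32_t requested, uint32_t allowed,
                      uint32_t quiet_mask, bool audit_all)
{
    uint32_t denied = requested & ~allowed;
    denied &= ~quiet_mask;                    /* drop quieted bits */
    if (audit_all && (denied & quiet_mask))   /* dead condition */
        return true;
    return denied != 0;
}

/* Fixed ordering: apply the global override to the unmasked
 * denials before policy quieting is taken into account. */
bool should_log_fixed(uint32_t requested, uint32_t allowed,
                      uint32_t quiet_mask, bool audit_all)
{
    uint32_t denied = requested & ~allowed;
    if (denied == 0)
        return false;
    if (audit_all)                            /* override quieting */
        return true;
    return (denied & ~quiet_mask) != 0;
}

int main(void)
{
    /* Constructed case: policy allows create, denies and quiets connect;
     * the admin has turned on audit_all and expects the denial logged. */
    uint32_t req = PERM_CREATE | PERM_CONNECT, allowed = PERM_CREATE;
    printf("buggy logs: %d, fixed logs: %d\n",
           should_log_buggy(req, allowed, PERM_CONNECT, true),
           should_log_fixed(req, allowed, PERM_CONNECT, true));
    return 0;
}
```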
