
Bug#676515: linux-2.6: AppArmor totally broken
On 06/23/2012 11:53 AM, intrigeri wrote:
> Hi John,
> 
> John Johansen wrote (17 Jun 2012 19:08:20 GMT) :
>> On 06/15/2012 05:08 PM, Ben Hutchings wrote:
>>>>
>>>>>> If we don't want to restrict sockets used by the kernel, don't we need
>>>>>> to store the kern flag for later use by aa_revalidate_sk()?
>>>>>>
>>>>> For how apparmor is generally deployed it can get away with this, the
>>>>> kernel bits generally bail out earlier on the check for unconfined.
>>>>
>>>>> That is not to say it isn't a good idea, or that it shouldn't be done.
>>>>> The fact is this patch is going to be replaced with completely rewritten
>>>>> controls, that do store info on the socket, it just hasn't happened yet
>>>>> due to resources and priorities (not my priorities).
>>>>
>>>> Ben, is this a blocker?
>>>
>>> I want to be convinced that this is not a bug, or else get a fix for it.
>>>
>> I am looking at the kernel bits here, but I don't have a patch yet
> 
> Do you think you'll manage to do it in time for the Wheezy freeze
> (June 30th)?
> 
Yes, for the don't-mediate-kernel-sockets tagging and the quiet masking.

The check for interrupt context I am not comfortable removing yet, and it
will have to wait for the full new networking patches.

>>>>>> Since denied has already been masked with ~quiet_mask, this condition
>>>>>> can never be true.
>>>>>>
>>>>> indeed
>>>>
>>>> Ben, is this a blocker?
>>> [...]
>>>
>>> This clearly is a bug and I want to be convinced that it is harmless or
>>> else get a fix for it.
>>>
>> Right, this breaks the controls over quieting of denial messages. Basically
>> if policy specifies a reject should not be logged then the global controls
>> that turn quieting off so that all rejects get logged aren't working for
>> networking.
> 
>> This is an easy patch that I can provide separately or with the
>> patch I am working on for the larger issue.
> 
> Do you think you'll manage to prepare at least the easy fix in time
> for the Wheezy freeze?
> 
Yes, I should have something for you by the end of the weekend, if not sooner.
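The quieting bug discussed above, as an added model that is not AppArmor's kernel code: permission bits, a per-rule quiet_mask and a global "log every reject" mode are constructed here to show why a condition tested after `denied` has been masked with `~quiet_mask` can never fire, and what ordering restores the global override.

```c
/* Constructed model of the denial-quieting logic described in the thread.
 * Not AppArmor's code: permission names, struct layout and the audit-mode
 * enum are all hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { PERM_CONNECT = 1u << 0, PERM_BIND = 1u << 1 };  /* constructed flags */
enum audit_mode { AUDIT_NORMAL, AUDIT_ALL };           /* global control */

struct rule {
    uint32_t allow;      /* permissions the policy grants */
    uint32_t quiet_mask; /* denials the policy asks not to log */
};

/* Sample rule: may connect, bind is denied but marked quiet. */
static const struct rule sample_rule = { PERM_CONNECT, PERM_BIND };

/* Broken ordering: the quiet bits are stripped from `denied` first, so the
 * later test against quiet_mask is dead code and the global AUDIT_ALL
 * override never gets a chance to log the quieted reject. */
static bool should_log_buggy(const struct rule *r, uint32_t req, enum audit_mode m)
{
    uint32_t denied = req & ~r->allow;
    denied &= ~r->quiet_mask;          /* quiet denials dropped here ... */
    if (denied & r->quiet_mask)        /* ... so this can never be true */
        return m == AUDIT_ALL;
    return denied != 0;
}

/* Corrected ordering: decide on the global override while `denied` still
 * carries the quieted bits; only then honour the policy's quiet mask. */
static bool should_log_fixed(const struct rule *r, uint32_t req, enum audit_mode m)
{
    uint32_t denied = req & ~r->allow;
    if (denied == 0)
        return false;                  /* nothing was rejected */
    if (m == AUDIT_ALL)
        return true;                   /* global "log all rejects" wins */
    return (denied & ~r->quiet_mask) != 0;
}

int main(void)
{
    printf("buggy, AUDIT_ALL, quiet bind denied: %d\n",
           should_log_buggy(&sample_rule, PERM_BIND, AUDIT_ALL));   /* 0 */
    printf("fixed, AUDIT_ALL, quiet bind denied: %d\n",
           should_log_fixed(&sample_rule, PERM_BIND, AUDIT_ALL));   /* 1 */
    return 0;
}
```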