[apparmor] [PATCH] Allow access to possible cpus for glibc-2.36
John Johansen
john.johansen at canonical.com
Tue Nov 15 05:50:31 UTC 2022
On 11/14/22 08:24, christian.ehrhardt at canonical.com wrote:
> From: Christian Ehrhardt <christian.ehrhardt at canonical.com>
>
> Glibc in 2.36 and later will [1] access sysfs at
> /sys/devices/system/cpu/possible when using sysconf
> for _SC_NPROCESSORS_CONF.
>
> That will make a lot of different code, for example
> anything linked against libnuma, trigger this apparmor
> denial.
>
> apparmor="DENIED" operation="open" class="file" ...
> name="/sys/devices/system/cpu/possible" ...
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> 
> This entry seems rather safe, and it follows others
> that are already in place. Instead of fixing each
> software individually this should go into the base
> profile as well.
>
> Initially reported via
> https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073
>
> Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Thanks, applied to master, 3.1, 3.0, 2.13, and 2.12.
> ---
> profiles/apparmor.d/abstractions/base | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base
> index a03be4b07..81c50359e 100644
> --- a/profiles/apparmor.d/abstractions/base
> +++ b/profiles/apparmor.d/abstractions/base
> @@ -101,6 +101,7 @@
> @{PROC}/cpuinfo r,
> @{sys}/devices/system/cpu/ r,
> @{sys}/devices/system/cpu/online r,
> + @{sys}/devices/system/cpu/possible r,
>
> # glibc's *printf protections read the maps file
> @{PROC}/@{pid}/{maps,auxv,status} r,
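Review bot: The added rule `+ @{sys}/devices/system/cpu/possible r,` has no comment recording why it is needed, while the neighbouring block is documented (`# glibc's *printf protections read the maps file`); consider a one-line comment above the cpu entries such as `# glibc 2.36+ sysconf(_SC_NPROCESSORS_CONF) reads the possible-cpu mask` so the rule is not later mistaken for dead weight and removed. Scope-wise the change is sound: it grants read-only access to a single sysfs topology file, matching the existing `@{sys}/devices/system/cpu/online r,` and `@{PROC}/cpuinfo r,` lines, and placing it in the base abstraction rather than per-profile matches how those siblings are handled.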