[PATCH 2/2] UBUNTU: SAUCE: AppArmor: allow newer tools to loadpolicyon older kernels
John Johansen
john.johansen at canonical.com
Tue Sep 21 16:29:30 UTC 2010
On 09/21/2010 07:13 AM, Tetsuo Handa wrote:
> Tim Gardner wrote:
>> So, whats the impact? Does this mean that we're dropping all AA rules?
>
> At first, I thought the impact of this error is
>
> When a profile with address family which currently running kernel does not
> know is loaded, loading the profile will succeed but all networking
> permissions are discarded. Therefore, currently running kernel will reject
> all socket operations (e.g. socket(), bind(), sendmsg()) for all families
> (except AF_UNIX and AF_NETLINK) with -EACCES unless the process is
> unconfined. This means that networking applications (e.g. firefox, cupsd,
> dhclient) which will be confined by profiles won't work properly.
>
> But after reading security/apparmor/net.c , it changed to:
>
> No impact at all because Maverick kernel does not provide networking
> mediation functionality.
>
> What? Excuse me, John. I assumed that networking mediation functionality is
> included into Maverick kernel. But according to
> http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-maverick.git;a=blob;f=security/apparmor/net.c;hb=HEAD
> (as of "ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()"),
> I can't find a line that stores error code to sa.aad.error within audit_net().
> This means that sa.aad.error is always 0 and therefore aa_net_perm() will
> always return 0 (rather than -EACCESS) no matter how "net_allowed_af" is
> specified.
>
> I hope I'm missing something...
Unfortunately, no. The error is being set but dropped in the audit fn, it
seems I broke it during the auditing update, and that the regression test
suite for networking is broken. I'll get the SRU patch out immediately.
More information about the kernel-team
mailing list