kernel-packages team mailing list archive

Thread
Date

[Bug 1560583] Re: reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: John Johansen <john.johansen@xxxxxxxxxxxxx>
Date: Thu, 24 Mar 2016 18:32:08 -0000
Reply-to: Bug 1560583 <1560583@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This is not an issue. It is working as designed and is necessary to open
up the file for the stacking work.

This patch should be reverted immediately as it opens up a policy
introspection hole.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1560583

Title:
  reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  $ cat ./t
  #include <tunables/global>

  profile t {
     #include <abstractions/base>
     /bin/cat ixr,
     /sys/kernel/security/apparmor/profiles r,
  }

  $ sudo apparmor_parser -r ./t
  $ sudo aa-exec -p t -- cat /sys/kernel/security/apparmor/profiles 
  cat: /sys/kernel/security/apparmor/profiles: Permission denied
  [1]

  kernel: [   62.203035] audit: type=1400 audit(1458665428.726:128):
  apparmor="DENIED" operation="capable" profile="t" pid=3683 comm="cat"
  capability=33  capname="mac_admin"

  This is new in the -15 kernel.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1560583/+subscriptions

References

[Bug 1560583] [NEW] reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
From: Jamie Strandboge, 2016-03-22