kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #169189
[Bug 1560583] Re: reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
I spoke with John in IRC. While he still doesn't like the two patches
that were written to fix this bug, he understands the reasoning.
They're needed for 16.04 so do not revert them.
In a future release, we'll do a more complete lock down of the
apparmorfs profiles file and apparmorfs profile directory to satisfy the
goal that John has.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1560583
Title:
reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Xenial:
Fix Committed
Bug description:
$ cat ./t
#include <tunables/global>
profile t {
#include <abstractions/base>
/bin/cat ixr,
/sys/kernel/security/apparmor/profiles r,
}
$ sudo apparmor_parser -r ./t
$ sudo aa-exec -p t -- cat /sys/kernel/security/apparmor/profiles
cat: /sys/kernel/security/apparmor/profiles: Permission denied
[1]
kernel: [ 62.203035] audit: type=1400 audit(1458665428.726:128):
apparmor="DENIED" operation="capable" profile="t" pid=3683 comm="cat"
capability=33 capname="mac_admin"
This is new in the -15 kernel.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1560583/+subscriptions
References