kernel-packages team mailing list archive

[Bug 1306781] Re: Kernel to userspace communication is needed to notify trusted helpers of profile changes

** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
       Status: New => Triaged

** Changed in: linux (Ubuntu)
   Importance: Undecided => Low

** Tags added: aa-kernel

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1306781

Title:
  Kernel to userspace communication is needed to notify trusted helpers
  of profile changes

Status in AppArmor Linux application security framework:
  Triaged
Status in “apparmor” package in Ubuntu:
  Triaged
Status in “dbus” package in Ubuntu:
  New
Status in “linux” package in Ubuntu:
  Triaged

Bug description:
  It is common for trusted helpers to cache information about a profile,
  such as the profile name and enforcement mode, when they're making
  AppArmor policy decisions. However, there's currently no way for the
  trusted helper to receive notification when changes are made to the
  profile.

  For example, dbus-daemon caches the profile name and enforcement mode
  when an application connects to the bus. If the profile is in enforce
  mode when the application connects but the system administrator moves
  the profile to complain mode, dbus-daemon does not find out about the
  change and continues to enforce the profile.

  The opposite is true, as well. If a profile is in complain mode when
  an application connects to the bus and is then moved to enforce mode,
  dbus-daemon continues to treat the profile as if it were in complain
  mode until the application reconnects to the bus.

  To solve this, there are two options that immediately come to mind:

    1. dbus-daemon checks with the kernel before every permission query.
  It would get the latest profile information and then decide what to do
  (query and enforce if the profile is in enforce mode, query and allow
  if in complain mode, don't query if unconfined). This results in an
  extra round trip per query and would hurt performance.

    2. The kernel could notify trusted helpers when profile changes are
  made, such as when an enforcement mode changes, a new profile is
  loaded, a profile is removed, a profile is renamed, etc. Userspace
  would need to be able to receive the notification and invalidate its
  cached information for that profile. This could become complicated in
  some trusted helper implementations.
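As an added illustration (not code from the bug report, dbus-daemon or AppArmor), the following simulation reproduces the stale-cache problem above and shows option 2: a trusted helper that caches the enforcement mode at connect time gives the wrong answer after the administrator changes the mode, while one that receives a change notification invalidates its cache and re-reads the mode. The kernel policy table, profile name and "send" action are constructed sample data.

```python
# Added example (not bug-report, dbus-daemon or AppArmor code): simulates the
# stale enforcement-mode cache described above and the option 2 fix.

class SimKernel:  # stands in for the AppArmor policy database (constructed data)
    def __init__(self, modes, denied):
        self.modes = dict(modes)      # profile -> "enforce" | "complain"
        self.denied = set(denied)     # (profile, action) pairs the policy denies
        self.listeners = []           # trusted helpers registered for changes
    def mode(self, profile):
        return self.modes.get(profile, "unconfined")
    def query(self, profile, action):
        return (profile, action) not in self.denied
    def set_mode(self, profile, mode):  # the admin's aa-complain/aa-enforce
        self.modes[profile] = mode
        for notify in self.listeners:
            notify(profile)

def decide(kernel, profile, mode, action):
    """The helper's decision given the mode it believes the profile is in."""
    if mode == "unconfined":
        return True                            # don't query at all
    allowed = kernel.query(profile, action)    # query in both other modes
    return allowed or mode == "complain"       # complain: audit but allow

class CachingHelper:  # current behaviour: mode cached at connect, never refreshed
    def __init__(self, kernel):
        self.kernel, self.cache = kernel, {}
    def connect(self, conn_id, profile):
        self.cache[conn_id] = (profile, self.kernel.mode(profile))
    def check(self, conn_id, action):
        profile, mode = self.cache[conn_id]
        if mode is None:                       # invalidated: refetch once
            mode = self.kernel.mode(profile)
            self.cache[conn_id] = (profile, mode)
        return decide(self.kernel, profile, mode, action)

class NotifiedHelper(CachingHelper):  # option 2: notifications invalidate cache
    def __init__(self, kernel):
        super().__init__(kernel)
        kernel.listeners.append(self.on_profile_change)
    def on_profile_change(self, profile):
        for cid, (p, _) in self.cache.items():
            if p == profile:
                self.cache[cid] = (p, None)

def run_scenario(helper_cls):  # enforce at connect, then admin moves to complain
    k = SimKernel({"/usr/bin/app": "enforce"}, {("/usr/bin/app", "send")})
    helper = helper_cls(k)
    helper.connect(1, "/usr/bin/app")
    before = helper.check(1, "send")           # denied: enforce mode
    k.set_mode("/usr/bin/app", "complain")
    return before, helper.check(1, "send")     # CachingHelper still denies
```

`run_scenario(CachingHelper)` returns `(False, False)`, the stale behaviour the report describes, while `run_scenario(NotifiedHelper)` returns `(False, True)` because the notification forced a refresh; the same invalidation path would serve profile loads, removals and renames by keying on the profile name.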

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1306781/+subscriptions