[apparmor] [patch] can ?not fix
Seth Arnold
seth.arnold at canonical.com
Thu Dec 5 23:04:41 UTC 2013
On Thu, Dec 05, 2013 at 10:50:56PM +0100, Christian Boltz wrote:
> as discussed on #apparmor yesterday, here's the most important patch
> we've ever seen ;-)
>
> References: https://bugzilla.novell.com/show_bug.cgi?id=853661
>
>
> === modified file 'parser/apparmor.pod'
> --- parser/apparmor.pod 2010-12-20 20:29:10 +0000
> +++ parser/apparmor.pod 2013-12-05 21:39:47 +0000
> @@ -92,7 +92,7 @@
> iopl(2) mount(2) umount(2) ptrace(2) reboot(2) setdomainname(2)
> sethostname(2) swapoff(2) swapon(2) sysctl(2)
>
> -A confined process can not call mknod(2) to create character or block devices.
> +A confined process cannot call mknod(2) to create character or block devices.
>
> =head1 ERRORS
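Review bot: the spelling fix is fine, but the sentence this hunk touches still states a blanket prohibition ("A confined process cannot call mknod(2) to create character or block devices") that the reply below contradicts: a profile carrying `capability mknod,` plus `w` on `/tmp/char` and `/tmp/block` lets `mknod /tmp/char c 1 9` and `mknod /tmp/block b 7 0` succeed. Since the hunk is already rewriting that line, consider replacing the claim rather than only the spelling, e.g. "A confined process can call mknod(2) to create character or block devices only if its profile grants `capability mknod` and write access to the target path."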
Ha! The best part about this is that the entire section needs to be
re-written, as it is several years out of date:
$ cat /etc/apparmor.d/tmp.bash
# Last Modified: Thu Dec 5 14:58:36 2013
#include <tunables/global>
/tmp/bash {
  #include <abstractions/base>
  capability mknod,
  /tmp/bash mr,
  /tmp/char w,
  /tmp/block w,
  /usr/bin/id ix,
  /bin/mknod ix,
}
$ sudo apparmor_parser --replace /etc/apparmor.d/tmp.bash
$ sudo /tmp/bash
bash: /etc/bash.bashrc: Permission denied
bash: /home/sarnold/.bashrc: Permission denied
bash-4.2# id
uid=0 gid=0 groups=0
bash-4.2# mknod /tmp/char c 1 9
bash-4.2# mknod /tmp/block b 7 0
bash-4.2# exit
$ ls -l /tmp/char /tmp/block
brw-r--r-- 1 root root 7, 0 Dec 5 15:01 /tmp/block
crw-r--r-- 1 root root 1, 9 Dec 5 15:01 /tmp/char
So, while the patch itself looks good, there are bigger problems that need
to be fixed. :)
Thanks
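The test above turns on two rules: a confined process gets to create a device node only when its profile grants `capability mknod` and `w` on the target path. The following POSIX shell script is an added example, not code from Seth's message or from the AppArmor project; it is the static check a reviewer can run over a profile to see whether both rules are present for a given path. It assumes the profile's own rules are all that matter (`#include` files are not resolved), skips `deny` rules rather than treating them as grants, and understands only the `*` and `**` path globs. The sample profile it writes to a temporary file is reproduced from the message above; the second, capability-less copy is constructed for comparison.

```shell
#!/bin/sh
# Added example (not from the original message or from AppArmor itself):
# statically check whether an AppArmor profile grants what a confined
# process needs to mknod(2) a device node at TARGET, namely a
# `capability mknod,` rule and a file rule carrying `w` for that path.
# Assumptions: #include files are not resolved, deny rules are skipped,
# and only `*` and `**` globs are handled.
set -f   # rules are tokenised with `set --`; keep `*` from globbing

# glob_to_regex GLOB: AppArmor path glob -> anchored extended regex.
# `**` spans directory separators, `*` does not.
glob_to_regex() {
    printf '%s\n' "$1" | sed \
        -e 's/[].+?()|^$[{}]/\\&/g' \
        -e 's/\*\*/__DSTAR__/g' \
        -e 's/\*/[^\/]*/g' \
        -e 's/__DSTAR__/.*/g' \
        -e 's/^/^/' -e 's/$/$/'
}

# path_matches GLOB PATH: succeed if PATH matches the AppArmor glob.
path_matches() {
    printf '%s\n' "$2" | grep -Eq "$(glob_to_regex "$1")"
}

# profile_allows_mknod PROFILE_FILE TARGET: print "allowed" and return 0
# when both rules are present, otherwise print "denied" and return 1.
profile_allows_mknod() {
    pam_file=$1 pam_target=$2
    pam_cap=no pam_write=no
    while IFS= read -r pam_line; do
        pam_line=${pam_line%%#*}        # drop comments and #include lines
        set -- $pam_line                # tokenise the rule on whitespace
        [ $# -gt 0 ] || continue
        while [ "$1" = audit ] || [ "$1" = owner ]; do shift; done
        [ "$1" = deny ] && continue     # deny rules never grant anything
        pam_path=
        case $1 in
            capability,) pam_cap=yes ;;            # bare form: every capability
            capability)
                shift
                for pam_tok; do
                    if [ "${pam_tok%,}" = mknod ]; then pam_cap=yes; fi
                done ;;
            /*) pam_path=$1; pam_perms=${2%,} ;;   # "/path perms," form
            *)  case $2 in                         # "perms /path," form
                    /*) pam_perms=$1; pam_path=${2%,} ;;
                    *)  continue ;;
                esac ;;
        esac
        [ -n "$pam_path" ] || continue
        case $pam_perms in *w*) ;; *) continue ;; esac   # creation needs w
        if path_matches "$pam_path" "$pam_target"; then pam_write=yes; fi
    done < "$pam_file"
    if [ "$pam_cap" = yes ] && [ "$pam_write" = yes ]; then
        echo allowed; return 0
    fi
    echo denied; return 1
}

# Constructed input: the profile from the message above, plus a copy with
# the capability rule removed.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/with_cap" <<'EOF'
#include <tunables/global>
/tmp/bash {
  #include <abstractions/base>
  capability mknod,
  /tmp/bash mr,
  /tmp/char w,
  /tmp/block w,
  /usr/bin/id ix,
  /bin/mknod ix,
}
EOF
grep -v 'capability mknod' "$SAMPLE_DIR/with_cap" > "$SAMPLE_DIR/no_cap"

# A non-zero return is the "denied" verdict, not an error, hence `|| :`.
profile_allows_mknod "$SAMPLE_DIR/with_cap" /tmp/char  || :   # allowed
profile_allows_mknod "$SAMPLE_DIR/no_cap"   /tmp/char  || :   # denied
profile_allows_mknod "$SAMPLE_DIR/with_cap" /tmp/other || :   # denied
```

Because abstractions are not expanded, a `w` rule coming from an included file will be missed; for a real audit, feed the script the output of `apparmor_parser -p` (which emits the preprocessed profile) or add include resolution, and remember that the check is only as good as the rule parsing above.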