[apparmor] [PATCH] update dnsmasq for read access to /proc/sys/kernel/cap_last_cap
Seth Arnold
seth.arnold at canonical.com
Wed Oct 8 20:02:29 UTC 2014
On Wed, Oct 08, 2014 at 02:40:11PM -0500, Jamie Strandboge wrote:
> On 10/08/2014 02:04 PM, Seth Arnold wrote:
> > On Wed, Oct 08, 2014 at 01:24:50PM -0500, Jamie Strandboge wrote:
> >>
> >> --
> >> Jamie Strandboge http://www.ubuntu.com/
> >
> >> Description: update dnsmasq for read access to /proc/sys/kernel/cap_last_cap
> >> Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1378977
> >>
> >> Acked-By: Jamie Strandboge <jamie at canonical.com>
> >
> > This has the feeling of something that's unlikely to be spceial to
> > dnsmasq; it'd be lovely to know which API it's using that does this so we
> > can better figure an abstraction to put it with. (base comes to mind, but
> > perhaps that's just further abuse of poor old base.)
> >
> I don't know what started using it. I didn't see any other policy requiring it
> so I filed it against dnsmasq. That said, I found:
> http://lkml.iu.edu/hypermail/linux/kernel/1110.1/02980.html
>
> "Userspace needs to know the highest valid capability of the running
> kernel, which right now cannot reliably be retrieved from the header
> files only. The fact that this value cannot be determined properly
> right now creates various problems for libraries compiled on newer
> header files which are run on older kernels. They assume
> capabilities are available which actually aren't.
>
> Now the capability is exported in /proc/sys/kernel/cap_last_cap."
>
> I don't think we need to investigate further, this seems appropriate for the
> base abstraction. Attached is a new patch to do that.
>
>
>
> --
> Jamie Strandboge http://www.ubuntu.com/
> Description: update base abstraction read access to
> /proc/sys/kernel/cap_last_cap. This is needed to determine the highest valid
> capability of the running kernel. Reference:
> https://lkml.org/lkml/2011/10/15/42
> Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1378977
>
> Acked-By: Jamie Strandboge <jamie at canonical.com>
>
Yeah, seems good to me.
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> === modified file 'profiles/apparmor.d/abstractions/base'
> --- profiles/apparmor.d/abstractions/base 2014-09-05 18:08:55 +0000
> +++ profiles/apparmor.d/abstractions/base 2014-10-08 19:38:06 +0000
> @@ -103,6 +103,9 @@
> # glibc malloc (man 5 proc)
> @{PROC}/sys/vm/overcommit_memory r,
>
> + # Allow determining the highest valid capability of the running kernel
> + @{PROC}/sys/kernel/cap_last_cap r,
> +
> # Allow other processes to read our /proc entries, futexes, perf tracing and
> # kcmp for now (they will need 'read' in the first place). Administrators can
> # override with:
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20141008/7caa78cb/attachment.pgp>
More information about the AppArmor
mailing list