[apparmor] [PATCH] update dnsmasq for read access to /proc/sys/kernel/cap_last_cap

Seth Arnold seth.arnold at canonical.com
Wed Oct 8 20:02:29 UTC 2014


On Wed, Oct 08, 2014 at 02:40:11PM -0500, Jamie Strandboge wrote:
> On 10/08/2014 02:04 PM, Seth Arnold wrote:
> > On Wed, Oct 08, 2014 at 01:24:50PM -0500, Jamie Strandboge wrote:
> >>
> >> -- 
> >> Jamie Strandboge                 http://www.ubuntu.com/
> > 
> >> Description: update dnsmasq for read access to /proc/sys/kernel/cap_last_cap
> >> Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1378977
> >>
> >> Acked-By: Jamie Strandboge <jamie at canonical.com>
> > 
> > This has the feeling of something that's unlikely to be special to
> > dnsmasq; it'd be lovely to know which API it's using that does this so we
> > can better figure an abstraction to put it with. (base comes to mind, but
> > perhaps that's just further abuse of poor old base.)
> > 
> I don't know what started using it. I didn't see any other policy requiring it
> so I filed it against dnsmasq. That said, I found:
> http://lkml.iu.edu/hypermail/linux/kernel/1110.1/02980.html
> 
> "Userspace needs to know the highest valid capability of the running
> kernel, which right now cannot reliably be retrieved from the header
> files only. The fact that this value cannot be determined properly
> right now creates various problems for libraries compiled on newer
> header files which are run on older kernels. They assume
> capabilities are available which actually aren't.
> 
> Now the capability is exported in /proc/sys/kernel/cap_last_cap."
> 
> I don't think we need to investigate further, this seems appropriate for the
> base abstraction. Attached is a new patch to do that.
> 
> 
> 
> -- 
> Jamie Strandboge                 http://www.ubuntu.com/

> Description: update base abstraction read access to
>  /proc/sys/kernel/cap_last_cap. This is needed to determine the highest valid
>  capability of the running kernel. Reference:
>  https://lkml.org/lkml/2011/10/15/42
> Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1378977
> 
> Acked-By: Jamie Strandboge <jamie at canonical.com>
> 

Yeah, seems good to me.

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> === modified file 'profiles/apparmor.d/abstractions/base'
> --- profiles/apparmor.d/abstractions/base	2014-09-05 18:08:55 +0000
> +++ profiles/apparmor.d/abstractions/base	2014-10-08 19:38:06 +0000
> @@ -103,6 +103,9 @@
>    # glibc malloc (man 5 proc)
>    @{PROC}/sys/vm/overcommit_memory r,
>  
> +  # Allow determining the highest valid capability of the running kernel
> +  @{PROC}/sys/kernel/cap_last_cap r,
> +
>    # Allow other processes to read our /proc entries, futexes, perf tracing and
>    # kcmp for now (they will need 'read' in the first place). Administrators can
>    # override with:
> 
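Review bot: the comment above the new `@{PROC}/sys/kernel/cap_last_cap r,` rule says what the rule permits but not who needs it, unlike the neighbouring "glibc malloc (man 5 proc)" comment, which names the consumer. Because this goes into abstractions/base, every profile that includes base gains the read, so carry the reference already given in the patch description (https://lkml.org/lkml/2011/10/15/42) into the in-file comment so a later reader can see why the rule is there without digging through the bug. The access itself is read-only on a single fixed path, which matches the stated purpose.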



