[apparmor] [PATCH] apparmor: hide aa_unprivileged_uring_restricted from userspace when io_uring is disabled
John Johansen
john.johansen at canonical.com
Sat Nov 9 19:59:35 UTC 2024
On 9/13/24 16:03, Ryan Lee wrote:
> The variable aa_unprivileged_uring_restricted is still exposed to
> userspace even when CONFIG_IO_URING is disabled and the variable would
> do nothing. This patch hides both the apparmorfs entry and the sysctl
> when CONFIG_IO_URING is disabled.
>
> Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
Not exactly nothing. This would have the userspace build policy that
supports io_uring. The kernel won't enforce it, but it could be shared
by a kernel that does support io_uring.
Really it comes down to how much you want to share policy between kernels
to reduce storage vs. letting userspace optimize away or warn on policy
that is not supported by the kernel. In practice, unless you are using
variants of configs for the same kernel version, apparmor is most likely
rebuilding policy for that kernel anyway, so it's probably better to
hide these and to indicate they won't be enforced by the apparmor
for this kernel.
Acked-by: John Johansen <john.johansen at canonical.com>
I have pulled this into my tree
> ---
> security/apparmor/apparmorfs.c | 2 ++
> security/apparmor/lsm.c | 2 ++
> 2 files changed, 4 insertions(+)
>
> diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
> index be6c3293c9e0..d1ea78c9122f 100644
> --- a/security/apparmor/apparmorfs.c
> +++ b/security/apparmor/apparmorfs.c
> @@ -2587,8 +2587,10 @@ static struct aa_sfs_entry aa_sfs_entry_domain[] = {
> static struct aa_sfs_entry aa_sfs_entry_unconfined[] = {
> AA_SFS_FILE_BOOLEAN("change_profile", 1),
> AA_SFS_FILE_INTPTR("userns", aa_unprivileged_userns_restricted),
> +#ifdef CONFIG_IO_URING
> AA_SFS_FILE_INTPTR("io_uring",
> aa_unprivileged_uring_restricted),
> +#endif
> { }
> };
>
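Review bot: guarding this `AA_SFS_FILE_INTPTR("io_uring", ...)` entry makes the absence of the `io_uring` feature file under the unconfined features directory a userspace-visible signal that the kernel was built without CONFIG_IO_URING, which is the intended outcome per the discussion above, but it is worth stating in the commit message that policy tooling should treat the missing entry as "not supported" rather than as an error; also confirm that `aa_unprivileged_uring_restricted` itself stays defined (or is guarded identically) when CONFIG_IO_URING is off, since this hunk only removes the reference, not the definition.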
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index 9b086451f6e3..245207b005e7 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -2462,6 +2462,7 @@ static struct ctl_table apparmor_sysctl_table[] = {
> .mode = 0644,
> .proc_handler = userns_restrict_dointvec,
> },
> +#ifdef CONFIG_IO_URING
> {
> .procname = "apparmor_restrict_unprivileged_io_uring",
> .data = &aa_unprivileged_uring_restricted,
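Review bot: the `#ifdef CONFIG_IO_URING` opened here wraps the whole `apparmor_restrict_unprivileged_io_uring` sysctl entry, with its matching `#endif` landing in the next hunk because of the unchanged `.mode`/`.proc_handler` lines in between; the guard should use the same condition as the apparmorfs change so the sysctl and the features file appear and disappear together, and the `.data = &aa_unprivileged_uring_restricted` reference means the variable's declaration must remain visible in lsm.c under the disabled configuration as well.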
> @@ -2469,6 +2470,7 @@ static struct ctl_table apparmor_sysctl_table[] = {
> .mode = 0600,
> .proc_handler = apparmor_dointvec,
> },
> +#endif
> { }
> };
>
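Review bot: the `#endif` is placed before the `{ }` sentinel, so the table stays properly terminated whether or not CONFIG_IO_URING is set; a one-line comment beside the guard noting that the sysctl is intentionally absent when io_uring is compiled out would help the next reader distinguish a deliberately hidden knob from a configuration mistake, and the `.mode = 0600` on this entry versus the `0644` on the userns entry just above is pre-existing but may be worth a mention in the commit message if the two are meant to be consistent.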