[PATCH 2/2] UBUNTU: SAUCE: AppArmor: allow newer tools to loadpolicyon older kernels
Tetsuo Handa
from-ubuntu at I-love.SAKURA.ne.jp
Tue Sep 21 14:13:03 UTC 2010
Tim Gardner wrote:
> So, whats the impact? Does this mean that we're dropping all AA rules?
At first, I thought the impact of this error is
When a profile with address family which currently running kernel does not
know is loaded, loading the profile will succeed but all networking
permissions are discarded. Therefore, currently running kernel will reject
all socket operations (e.g. socket(), bind(), sendmsg()) for all families
(except AF_UNIX and AF_NETLINK) with -EACCES unless the process is
unconfined. This means that networking applications (e.g. firefox, cupsd,
dhclient) which will be confined by profiles won't work properly.
But after reading security/apparmor/net.c , it changed to:
No impact at all because Maverick kernel does not provide networking
mediation functionality.
What? Excuse me, John. I assumed that networking mediation functionality is
included into Maverick kernel. But according to
http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-maverick.git;a=blob;f=security/apparmor/net.c;hb=HEAD
(as of "ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()"),
I can't find a line that stores error code to sa.aad.error within audit_net().
This means that sa.aad.error is always 0 and therefore aa_net_perm() will
always return 0 (rather than -EACCESS) no matter how "net_allowed_af" is
specified.
I hope I'm missing something...
More information about the kernel-team
mailing list