[PATCH 2/2] UBUNTU: SAUCE: AppArmor: allow newer tools to load policy on older kernels
John Johansen
john.johansen at canonical.com
Tue Sep 21 16:13:18 UTC 2010
On 09/21/2010 04:31 AM, Tim Gardner wrote:
> On 09/21/2010 04:32 PM, John Johansen wrote:
>> On 09/17/2010 04:54 PM, Tetsuo Handa wrote:
>>> John Johansen wrote:
>>>> for (i = 0; i< size; i++) {
>>>> + /* discard extraneous rules that this kernel will
>>>> + * never request
>>>> + */
>>>> + if (size> AF_MAX) {
>>>
>>> Do you want to discard all rules rather than extraneous rules?
>>> I think this should be (i>= AF_MAX) rather than (size> AF_MAX).
>>>
>>>> + u16 tmp;
>>>> + if (!unpack_u16(e,&tmp, NULL) ||
>>>> + !unpack_u16(e,&tmp, NULL) ||
>>>> + !unpack_u16(e,&tmp, NULL))
>>>> + goto fail;
>>>> + continue;
>>>> + }
>>>> if (!unpack_u16(e,&profile->net.allow[i], NULL))
>>>> goto fail;
>>>> if (!unpack_u16(e,&profile->net.audit[i], NULL))
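Review bot: the discard test at the top of the loop body, `if (size > AF_MAX)`, compares the array length rather than the loop index, so whenever the tools emit more families than this kernel's AF_MAX every iteration takes the discard path and nothing is ever written to profile->net.allow[] or net.audit[]; Tetsuo's `if (i >= AF_MAX)` stores the first AF_MAX entries and consumes only the trailing triples. It also has to be `>=` rather than `>`: AF_MAX bounds the valid indices, so index AF_MAX itself must be skipped.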
>>
>> sigh, yes. I can't believe I did that :(
>>
>> thanks Tetsuo
>>
>
> So, what's the impact? Does this mean that we're dropping all AA rules?
>
No. It means we will drop network rules if the tools are built against
a newer kernel tree that has added a new address family. Against the
current tools everything works.
To load policy the user has to be an unconfined root, at which point
they can load modules and do other nasties so there isn't a potential
escalation out of this. It should just potentially affect machines on
upgrade.
So we need to SRU a patch for this, but it is not release critical. I have the patch, and after I take a second look at it to make sure it is right this time, I will kick it out this morning.
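To show why the posted condition drops every network rule while Tetsuo's keeps the ones this kernel can use, here is an added, constructed model of the quoted unpack loop; it is not AppArmor's code, and KERNEL_AF_MAX, TOOLS_AF_MAX, the blob layout and the third per-family field are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of the quoted unpack loop, not AppArmor's real code.
 * KERNEL_AF_MAX stands in for this kernel's AF_MAX; the blob carries a triple
 * of u16 values per family (allow, audit, third: assumed from the 3 discard reads). */
#define KERNEL_AF_MAX 4
#define TOOLS_AF_MAX  6   /* newer tools: two extra address families */

struct blob { const uint16_t *data; size_t len, pos; };
static int unpack_u16(struct blob *e, uint16_t *out)
{ if (e->pos >= e->len) return 0; *out = e->data[e->pos++]; return 1; }

/* Returns how many families were stored into allow[], or -1 on truncation.
 * fixed=0 uses the posted test (size > AF_MAX); fixed=1 uses Tetsuo's
 * (i >= AF_MAX), which skips only the families this kernel cannot index. */
static int unpack_net(struct blob *e, uint16_t size, uint16_t allow[KERNEL_AF_MAX], int fixed)
{
    int stored = 0;
    for (uint16_t i = 0; i < size; i++) {
        int extraneous = fixed ? (i >= KERNEL_AF_MAX) : (size > KERNEL_AF_MAX);
        if (extraneous) {
            uint16_t tmp;   /* consume the triple without storing it */
            if (!unpack_u16(e, &tmp) || !unpack_u16(e, &tmp) || !unpack_u16(e, &tmp))
                return -1;
            continue;
        }
        uint16_t audit, third;
        if (!unpack_u16(e, &allow[i]) || !unpack_u16(e, &audit) || !unpack_u16(e, &third))
            return -1;
        stored++;
    }
    return stored;
}

/* Constructed blob: family i has allow = 0x100*(i+1), audit = 1, third = 2. */
static int run(int fixed, uint16_t allow[KERNEL_AF_MAX])
{
    uint16_t data[TOOLS_AF_MAX * 3];
    for (int i = 0; i < TOOLS_AF_MAX; i++) {
        data[3 * i] = (uint16_t)(0x100 * (i + 1)); data[3 * i + 1] = 1; data[3 * i + 2] = 2;
    }
    for (int i = 0; i < KERNEL_AF_MAX; i++) allow[i] = 0;
    struct blob e = { data, TOOLS_AF_MAX * 3, 0 };
    return unpack_net(&e, TOOLS_AF_MAX, allow, fixed);
}

int demo_stored(int fixed) { uint16_t a[KERNEL_AF_MAX]; return run(fixed, a); }
uint16_t demo_allow(int fixed, int i) { uint16_t a[KERNEL_AF_MAX]; run(fixed, a); return a[i]; }
```

With six families in the blob and four known to the kernel, the posted check stores nothing (every iteration discards) while the index check stores the first four and skips the last two.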