To clarify "necessary to open up". 1. the old behavior was wrong. It allowed introspection of policy in situation that it should not have. 2. In order to open up the profiles file so that more than the system root could introspect it, DAC restrictions needed to be removed and the permission checking of what is allowed needed to be moved fully into apparmor. Since there was not time for fine grained mediation in the first iteration, the tightest restriction with original intent was used.
That is that only the policy admin is allowed fully view of loaded policy. This can be opened up with further development but is the original intent of how policy introspection was supposed to work (hence #1 noting that implementation was flawed and wrong). -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1560583 Title: reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN Status in linux package in Ubuntu: Fix Committed Status in linux source package in Xenial: Fix Committed Bug description: $ cat ./t #include <tunables/global> profile t { #include <abstractions/base> /bin/cat ixr, /sys/kernel/security/apparmor/profiles r, } $ sudo apparmor_parser -r ./t $ sudo aa-exec -p t -- cat /sys/kernel/security/apparmor/profiles cat: /sys/kernel/security/apparmor/profiles: Permission denied [1] kernel: [ 62.203035] audit: type=1400 audit(1458665428.726:128): apparmor="DENIED" operation="capable" profile="t" pid=3683 comm="cat" capability=33 capname="mac_admin" This is new in the -15 kernel. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1560583/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp