This is a note to let you know that I've just added the patch titled

    AppArmor: Fix masking of capabilities in complain mode

to the 3.0-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     apparmor-fix-masking-of-capabilities-in-complain-mode.patch
and it can be found in the queue-3.0 subdirectory.

If you, or anyone else, feel it should not be added to the stable tree,
please let <[email protected]> know about it.


From 25e75dff519bcce2cb35023105e7df51d7b9e691 Mon Sep 17 00:00:00 2001
From: John Johansen <[email protected]>
Date: Sat, 25 Jun 2011 16:57:07 +0100
Subject: AppArmor: Fix masking of capabilities in complain mode

From: John Johansen <[email protected]>

commit 25e75dff519bcce2cb35023105e7df51d7b9e691 upstream.

AppArmor is masking the capabilities returned by capget against the
capabilities mask in the profile.  This is wrong, in complain mode the
profile has effectively all capabilities, as the profile restrictions are
not being enforced, merely tested against to determine if an access is
known by the profile.

This can result in the wrong behavior of security-conscious applications
like sshd which examine their capability set, and change their behavior
accordingly.  In this case because of the masked capability set being
returned sshd fails due to DAC checks, even when the profile is in complain
mode.

Kernels affected: 2.6.36 - 3.0.

Signed-off-by: John Johansen <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 security/apparmor/lsm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -127,7 +127,7 @@ static int apparmor_capget(struct task_s
        *inheritable = cred->cap_inheritable;
        *permitted = cred->cap_permitted;
 
-       if (!unconfined(profile)) {
+       if (!unconfined(profile) && !COMPLAIN_MODE(profile)) {
                *effective = cap_intersect(*effective, profile->caps.allow);
                *permitted = cap_intersect(*permitted, profile->caps.allow);
        }
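Review bot: The new condition `if (!unconfined(profile) && !COMPLAIN_MODE(profile))` changes what capget reports for every complain-mode profile, yet the hunk adds no comment saying why; a reader of lsm.c alone will wonder whether skipping the mask is intentional. A one-line comment above the if, e.g. `/* complain mode audits against caps.allow but does not enforce it */`, would carry the rationale from the commit log into the code. The ordering of the two tests is right as written: `COMPLAIN_MODE(profile)` is only evaluated once `!unconfined(profile)` has established a confined profile. Note also that only `*effective` and `*permitted` are intersected with `profile->caps.allow`; `*inheritable` is copied straight from the cred and is unaffected by this change, which is consistent with the pre-patch code but worth stating in the commit message.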


Patches currently in stable-queue which might be from 
[email protected] are

queue-3.0/apparmor-fix-masking-of-capabilities-in-complain-mode.patch
queue-3.0/apparmor-fix-reference-to-rcu-protected-pointer-outside-of.patch

_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
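The commit message above describes an application (sshd) reading its own capability set and changing behavior based on the answer, and the hunk changes what AppArmor lets capget(2) report for a complain-mode profile. The following C program is an added example, not part of this mail or of the AppArmor tree: it reads the calling process's capability sets through the raw capget syscall the way such an application would, and restates the kernel-side masking rule from the hunk as a small pure function so the pre- and post-patch results can be compared side by side. It assumes a Linux host; the capability ABI constants and struct layouts are restated from the uapi header so it compiles without kernel headers, and `apparmor_mask` is this example's own model of `apparmor_capget()`, not the kernel function.

```c
/*
 * Added example (not from the stable-queue mail or the AppArmor source).
 * Shows how user space learns its capability sets via capget(2) and models
 * the masking decision in apparmor_capget() before and after the fix.
 * Assumes Linux; constants below are restated from <linux/capability.h>.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP_VERSION_3        0x20080522u  /* _LINUX_CAPABILITY_VERSION_3 */
#define CAP_U32S_3           2            /* two 32-bit words per set     */
#define CAP_CHOWN            0
#define CAP_NET_BIND_SERVICE 10

/* Same layout as __user_cap_header_struct / __user_cap_data_struct. */
struct cap_header { uint32_t version; int pid; };
struct cap_data   { uint32_t effective, permitted, inheritable; };

/* The three sets as a 64-bit mask each, the form an application tests. */
typedef struct { uint64_t effective, permitted, inheritable; } capsets;

/* Read the calling thread's capability sets (pid 0 = self).
 * Returns 0 on success, -1 on failure with errno set. */
static int query_caps(capsets *out)
{
    struct cap_header hdr = { CAP_VERSION_3, 0 };
    struct cap_data data[CAP_U32S_3];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    out->effective   = (uint64_t)data[1].effective   << 32 | data[0].effective;
    out->permitted   = (uint64_t)data[1].permitted   << 32 | data[0].permitted;
    out->inheritable = (uint64_t)data[1].inheritable << 32 | data[0].inheritable;
    return 0;
}

/* Is capability number `cap` present in `set`? */
static int cap_in_set(uint64_t set, int cap)
{
    return (int)((set >> cap) & 1);
}

/* Model of the masking rule in apparmor_capget() for one set
 * (effective or permitted; inheritable is never masked in the hunk).
 * fixed == 0: pre-patch rule, mask whenever the profile is confined.
 * fixed == 1: post-patch rule, mask only for confined enforce-mode profiles. */
static uint64_t apparmor_mask(uint64_t set, uint64_t allow,
                              int unconfined, int complain, int fixed)
{
    int mask = fixed ? (!unconfined && !complain) : !unconfined;
    return mask ? (set & allow) : set;
}

int main(void)
{
    /* Constructed scenario: the cred grants CAP_CHOWN and
     * CAP_NET_BIND_SERVICE, the profile's caps.allow only lists CAP_CHOWN,
     * and the profile is in complain mode. */
    uint64_t cred_eff = (1ULL << CAP_CHOWN) | (1ULL << CAP_NET_BIND_SERVICE);
    uint64_t allow    = 1ULL << CAP_CHOWN;
    uint64_t before   = apparmor_mask(cred_eff, allow, 0, 1, 0);
    uint64_t after    = apparmor_mask(cred_eff, allow, 0, 1, 1);

    printf("complain mode, pre-patch : CAP_NET_BIND_SERVICE visible = %d\n",
           cap_in_set(before, CAP_NET_BIND_SERVICE));
    printf("complain mode, post-patch: CAP_NET_BIND_SERVICE visible = %d\n",
           cap_in_set(after, CAP_NET_BIND_SERVICE));

    /* What this process actually sees, the same way sshd would ask. */
    capsets mine;
    if (query_caps(&mine) == 0)
        printf("this process: effective=%#llx permitted=%#llx inheritable=%#llx\n",
               (unsigned long long)mine.effective,
               (unsigned long long)mine.permitted,
               (unsigned long long)mine.inheritable);
    else
        perror("capget");
    return 0;
}
```

In the constructed scenario the pre-patch rule hides CAP_NET_BIND_SERVICE from a complain-mode process even though nothing is enforced, which is exactly the situation the commit message describes for sshd; the post-patch rule reports the cred's sets unchanged unless the profile is confined and in enforce mode.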
