    AppArmor: Fix masking of capabilities in complain mode · 25e75dff
    John Johansen authored
    AppArmor is masking the capabilities returned by capget against the
    capabilities mask in the profile.  This is wrong, in complain mode the
    profile has effectively all capabilities, as the profile restrictions are
    not being enforced, merely tested against to determine if an access is
    known by the profile.
    
    This can result in the wrong behavior of security conscious applications
    like sshd which examine their capability set, and change their behavior
    accordingly.  In this case because of the masked capability set being
    returned sshd fails due to DAC checks, even when the profile is in complain
    mode.
    
    Kernels affected: 2.6.36 - 3.0.
    Signed-off-by: John Johansen <john.johansen@canonical.com>
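The commit message above describes a daemon reading its own capability set through capget and changing behaviour based on the answer. The following is an added example, not code from the AppArmor commit or from sshd: a small C program that queries the calling thread's capabilities with the raw capget syscall and tests individual bits, which is the kind of check whose result the masking bug corrupted under a complain-mode profile. The helper names (`cap_in_set`, `read_own_caps`, `constructed_check`) are my own, and `constructed_check` runs against a constructed capability set rather than the live one so its result does not depend on the privileges of the process running it.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Two 32-bit words cover capability numbers 0..63 (v3 capget ABI). */
#define CAP_WORDS _LINUX_CAPABILITY_U32S_3

/* Return 1 if capability number `cap` is in the effective set held in
 * `data`, 0 otherwise (out-of-range numbers are reported as absent). */
int cap_in_set(const struct __user_cap_data_struct *data, int cap)
{
    if (cap < 0 || cap >= 32 * CAP_WORDS)
        return 0;
    return (data[cap / 32].effective >> (cap % 32)) & 1u;
}

/* Query the calling thread's own capability sets with the raw capget
 * syscall (no libcap dependency), the way a daemon that adapts its
 * behaviour to its privileges does. Returns 0 on success, -1 on failure
 * with errno set by the kernel. */
int read_own_caps(struct __user_cap_data_struct data[CAP_WORDS])
{
    struct __user_cap_header_struct hdr;
    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, CAP_WORDS * sizeof *data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                  /* 0 = the calling thread */
    return (int)syscall(SYS_capget, &hdr, data);
}

/* Self-check on a constructed (not live) capability set: bits 7
 * (CAP_SETUID) and 21 (CAP_SYS_ADMIN) in the low word, bit 37 in the high
 * word. Returns 1 if cap_in_set reports exactly those bits. */
int constructed_check(void)
{
    struct __user_cap_data_struct data[CAP_WORDS];
    memset(data, 0, sizeof data);
    data[0].effective = (1u << 7) | (1u << 21);
    data[1].effective = 1u << (37 - 32);
    return cap_in_set(data, 7) && cap_in_set(data, 21) && cap_in_set(data, 37)
        && !cap_in_set(data, 0) && !cap_in_set(data, 8) && !cap_in_set(data, 63);
}

int main(void)
{
    struct __user_cap_data_struct data[CAP_WORDS];
    if (read_own_caps(data) != 0) {
        perror("capget");
        return 1;
    }
    /* Print the effective set. Under an AppArmor profile in complain mode a
     * kernel with this fix reports the set the process actually holds, not
     * the set masked by the profile. */
    printf("effective: 0x%08x%08x\n", data[1].effective, data[0].effective);
    printf("CAP_SETUID in effective set: %s\n",
           cap_in_set(data, CAP_SETUID) ? "yes" : "no");
    printf("CAP_NET_BIND_SERVICE in effective set: %s\n",
           cap_in_set(data, CAP_NET_BIND_SERVICE) ? "yes" : "no");
    return 0;
}
```

Run it once unconfined and once under a complain-mode profile whose capability rules do not list the capabilities the process holds; on an affected kernel the second run reports bits missing that the first run shows, which is the symptom the commit message attributes to the DAC failures in sshd.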
lsm.c 24.6 KB