UBUNTU: SAUCE: apparmor: Allow ns_root processes to open profiles file

BugLink: https://launchpad.net/bugs/1560583 Change the apparmorfs profiles file permissions check to better match the old requirements before the apparmorfs permissions were changed to allow profile loads inside of confined, first-level user namespaces. Historically, the profiles file has been readable by the root user and group. A recent change added the requirement that the process have the CAP_MAC_ADMIN capability. This is a problem for confined processes since keeping the 'capability mac_admin,' rule out of the AppArmor profile is often desired. This patch replaces the CAP_MAC_ADMIN requirement with a requirement that the process is root in its user namespace. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

UBUNTU: SAUCE: apparmor: Allow ns_root processes to open profiles file
BugLink: https://launchpad.net/bugs/1560583 Change the apparmorfs profiles file permissions check to better match the old requirements before the apparmorfs permissions were changed to allow profile loads inside of confined, first-level user namespaces. Historically, the profiles file has been readable by the root user and group. A recent change added the requirement that the process have the CAP_MAC_ADMIN capability. This is a problem for confined processes since keeping the 'capability mac_admin,' rule out of the AppArmor profile is often desired. This patch replaces the CAP_MAC_ADMIN requirement with a requirement that the process is root in its user namespace. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7c0f2425 · Tyler Hicks · Tim Gardner · c4ee151d · 7c0f2425 · 7c0f2425
Commit 7c0f2425 authored Mar 23, 2016 by Tyler Hicks Committed by Tim Gardner Apr 06, 2016
Showing with 19 additions and 1 deletion

security/apparmor/apparmorfs.c security/apparmor/apparmorfs.c +1 -1

security/apparmor/include/policy.h security/apparmor/include/policy.h +1 -0

security/apparmor/policy.c security/apparmor/policy.c +17 -0

No files found.
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -994,7 +994,7 @@ static const struct seq_operations aa_fs_profiles_op = {

 static int profiles_open(struct inode *inode, struct file *file)
 {
-	if (!policy_admin_capable())
+	if (!aa_may_open_profiles())
 		return -EACCES;

 	return seq_open(file, &aa_fs_profiles_op);

--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -281,6 +281,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
 }

 bool policy_admin_capable(void);
+bool aa_may_open_profiles(void);
 int aa_may_manage_policy(struct aa_label *label, u32 mask);

 #endif /* __AA_POLICY_H */
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -624,6 +624,23 @@ bool policy_admin_capable(void)
 	bool response = false;

 	if (ns_capable(user_ns, CAP_MAC_ADMIN) &&
+	    (user_ns == &init_user_ns ||
+	     (user_ns->level == 1 && ns != root_ns)))
+		response = true;
+	aa_put_ns(ns);
+
+	return response;
+}
+
+bool aa_may_open_profiles(void)
+{
+	struct user_namespace *user_ns = current_user_ns();
+	struct aa_ns *ns = aa_get_current_ns();
+	bool root_in_user_ns = uid_eq(current_euid(), make_kuid(user_ns, 0)) ||
+			       in_egroup_p(make_kgid(user_ns, 0));
+	bool response = false;
+
+	if (root_in_user_ns &&
 	    (user_ns == &init_user_ns ||
 	     (unprivileged_userns_apparmor_policy != 0 &&
 	      user_ns->level == 1 && ns != root_ns)))