stat() unconditionally allowed via apparmor_inode_getattr()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Triaged | Undecided | Unassigned |
Bug Description
```
$ cat /tmp/apparmor.
#include <tunables/global>
profile test {
  #include <abstractions/base>
  #include <abstractions/
  /{,usr/}bin/cat ixr,
  /{,usr/}bin/ls ixr,
  /{,usr/}bin/stat ixr,
}

# create a file outside of confinement
$ touch /tmp/foo && ls /tmp/foo
/tmp/foo

# cannot list the directory (good)
$ sudo apparmor_parser -r /tmp/apparmor.
ls: cannot open directory '/tmp': Permission denied

# cannot read the file (good)
$ aa-exec -p test -- sh -c 'cat /tmp/foo'
cat: /tmp/foo: Permission denied

# can check for existence ('test -e' uses stat())
$ aa-exec -p test -- sh -c 'test -e /tmp/foo && echo yes'
yes

# can get the inode information via stat()
$ aa-exec -p test -- sh -c 'stat /tmp/foo'
  File: '/tmp/foo'
  Size: 0          Blocks: 0          IO Block: 4096   regular empty file
Device: fd01h/64769d    Inode: 131151      Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/   jamie)   Gid: ( 1000/   jamie)
Access: 2017-01-10 13:11:11.291703771 -0600
Modify: 2017-01-10 13:11:11.291703771 -0600
Change: 2017-01-10 13:11:11.291703771 -0600
 Birth: -
```
What is happening is that fs/stat.c in the kernel calls out to security_
To fix this bug:
- read should continue to implicitly grant getattr
- the policy language needs to be extended to allow specifying getattr separately from read
- the compiler backend needs to support more permissions
- the kernel needs to turn on mediation of getattr
In order to do the above, the extended permissions work needs to be completed.
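The following is an added probe script, not part of the bug report: it loads a profile shaped like the one above (executable stat, no rule for the target file) and reports whether stat() on the unlisted file is refused ("mediated") or still succeeds ("unmediated"), so an administrator can tell whether the kernel in use mediates getattr. The profile name `getattr_probe`, the /tmp paths and the requirement to run as root with `aa-exec` and `apparmor_parser` on PATH are assumptions of this script; when they are not met it prints "skipped" rather than guessing.

```shell
#!/bin/sh
# Added example, not code from the bug report. Reports one of:
#   skipped     - not root, or AppArmor tools/kernel support unavailable
#   mediated    - stat() on a file with no matching rule is denied
#   unmediated  - stat() succeeds anyway (the behaviour this bug describes)
# Profile name "getattr_probe" and the /tmp paths are choices made here.

probe_getattr_mediation() {
    if [ "$(id -u)" -ne 0 ] || ! command -v aa-exec >/dev/null 2>&1 \
        || ! command -v apparmor_parser >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    profile_file=$(mktemp /tmp/getattr_probe.XXXXXX)
    target=$(mktemp /tmp/getattr_target.XXXXXX)
    # Same shape as the report's profile: stat may run, but no rule grants
    # any access (read or otherwise) to the target file.
    cat >"$profile_file" <<'EOF'
#include <tunables/global>
profile getattr_probe {
  #include <abstractions/base>
  /{,usr/}bin/stat ixr,
}
EOF
    # Loading fails if AppArmor is not enabled in the running kernel.
    if ! apparmor_parser -r "$profile_file" >/dev/null 2>&1; then
        rm -f "$profile_file" "$target"
        echo skipped
        return 0
    fi
    if aa-exec -p getattr_probe -- stat "$target" >/dev/null 2>&1; then
        result=unmediated
    else
        result=mediated
    fi
    # Unload the probe profile and clean up.
    apparmor_parser -R "$profile_file" >/dev/null 2>&1
    rm -f "$profile_file" "$target"
    echo "$result"
}

probe_getattr_mediation
```

An "unmediated" result means a confined process can still learn existence, size, owner and timestamps of files it cannot read, which is the gap the report describes.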