requested_mask="xwracdkm" denied_mask="xwracdkm" with link rule

Bug #1721342 reported by Jamie Strandboge
Affects: AppArmor    Status: New    Importance: Undecided    Assigned to: Unassigned

Bug Description

$ cat /proc/version_signature
Ubuntu 4.13.0-12.13-generic 4.13.3

I was testing link rules and was surprised to see a mask of "xwracdkm" in the denial. Here is a reproducer that simply tries to link to a file that has no rules, while we have '/tmp/bug/mine/** rwklix,':

$ cd /tmp
$ tar -zxvf ./bug.tar.gz
bug/
bug/other/
bug/other/nope
bug/mine/
bug/mine/test.sh
bug/p
$ sudo apparmor_parser -r ./bug/p
$ aa-exec -p test -- ./bug/mine/test.sh
ln: failed to create hard link '/tmp/bug/mine/gotit' => '/tmp/bug/other/nope': Permission denied
[1]

The link is correctly denied since we don't have access to the original file, but the mask looks weird.

kernel: audit: type=1400 audit(1507137143.976:2564): apparmor="DENIED" operation="link" profile="test" name="/tmp/bug/mine/gotit" pid=27892 comm="ln" requested_mask="xwracdkm" denied_mask="xwracdkm" fsuid=1000 ouid=1000 target="/tmp/bug/other/nope"

Jamie Strandboge (jdstrand) wrote:
description: updated

John Johansen (jjohansen) wrote:

The permission output from the kernel is correct. The kernel has a more fine-grained view of permissions than userspace, and there is not a 1:1 mapping.

What is wrong here is the kernel should be reporting that this is a failure in the link subset permission test.

That is, the link being created must have a subset of the permissions of its target, so that a link can't be used to circumvent controls placed on the target.

The permissions being reported are the permissions not being allowed. That is, the profile does NOT allow access to those requested permissions.
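As an added example (not part of the bug report or of the AppArmor project's code), the following Python parses the denial line quoted in the description into its fields, expands the mask letters into permission names, and models the link subset test John describes: a permission requested for the new link path fails when it is not also held on the target. The letter-to-permission table is this example's assumption, taken from AppArmor's documented permission characters; the requested mask is fed to the subset model as-is, since the report says the kernel's view does not map 1:1 onto profile rules. The sample line is constructed from the audit entry in the report.

```python
import re

# Constructed sample input: the denial quoted in the bug report, as one line
# of kernel log. Nothing here is read from a live system.
SAMPLE_LINE = (
    'kernel: audit: type=1400 audit(1507137143.976:2564): apparmor="DENIED" '
    'operation="link" profile="test" name="/tmp/bug/mine/gotit" pid=27892 '
    'comm="ln" requested_mask="xwracdkm" denied_mask="xwracdkm" fsuid=1000 '
    'ouid=1000 target="/tmp/bug/other/nope"'
)

# Permission letters as they appear in kernel audit masks. This mapping is an
# assumption of the example, based on AppArmor's documented permission
# characters; it is not taken from the bug report itself.
PERM_NAMES = {
    "r": "read",
    "w": "write",
    "a": "append",
    "x": "execute",
    "c": "create",
    "d": "delete",
    "k": "lock",
    "m": "mmap-exec",
    "l": "link",
}

# key="quoted value" or key=bareword; audit lines mix both styles.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_audit(line):
    """Split an AppArmor audit line into its key=value fields."""
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def decode_mask(mask):
    """Expand a permission mask such as 'xwracdkm' into permission names."""
    return [PERM_NAMES.get(ch, "unknown(%s)" % ch) for ch in mask]


def link_subset_violations(link_perms, target_perms):
    """Model the link subset test: every permission the new link path would
    carry must already be granted on the target. Returns the letters that
    fail the test, in mask order; an empty string means the link passes."""
    return "".join(p for p in link_perms if p not in target_perms)


def explain_link_denial(line, target_perms):
    """Parse a link denial and work out which requested permissions the
    subset test rejects, given the permissions held on the target.
    Returns None for audit lines that are not link operations."""
    fields = parse_apparmor_audit(line)
    if fields.get("operation") != "link":
        return None
    requested = fields.get("requested_mask", "")
    return {
        "link": fields.get("name"),
        "target": fields.get("target"),
        "requested": requested,
        "requested_names": decode_mask(requested),
        "denied": fields.get("denied_mask", ""),
        # In the report the profile grants nothing on /tmp/bug/other/nope,
        # so with target_perms="" every requested letter fails the test.
        "subset_failures": link_subset_violations(requested, target_perms),
    }


if __name__ == "__main__":
    result = explain_link_denial(SAMPLE_LINE, target_perms="")
    for key, value in result.items():
        print("%-17s %s" % (key + ":", value))
```

Running it against the sample line with an empty target permission set reproduces the report's outcome: all eight requested letters fail the subset test, which is why requested_mask and denied_mask are identical. Passing a non-empty target_perms shows how the failing set shrinks as the target's own permissions grow.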
