apparmor kernel should validate task structure when DEBUG_CREDENTIALS is enabled
Bug #1848600 reported by Steve Beattie
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
AppArmor | New | Undecided | Unassigned | | |
Bug Description
When DEBUG_CREDENTIALS is enabled in the kernel config, the apparmor LSM should at a minimum invoke validate_creds() to ensure the credentials struct is at least minimally sane. Longer term, we could look at more complex sanity checking, to attempt to detect that an attacker has not manipulated data structures to subvert what apparmor policy should be enforced.
(Not sure how this plays with the stacking patches.)
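Added example, not part of the bug report and not AppArmor or kernel code: a userspace C model of a canary-style credential check run at the top of an LSM hook, showing which bad states a minimal check rejects. It assumes the check is a magic-value comparison; every name and constant here (`model_cred`, `model_validate_cred`, `model_lsm_hook`, the `MODEL_*` values) is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed canary values for this model; not the kernel's constants. */
#define MODEL_CRED_MAGIC      0x5AFEC0DEu
#define MODEL_CRED_MAGIC_DEAD 0xDEADC0DEu

/* Hypothetical, simplified stand-in for a credentials struct. */
struct model_cred {
    uint32_t magic;      /* canary: set at allocation, poisoned on free */
    uint32_t uid;
    const char *label;   /* stand-in for the LSM confinement label */
};

enum cred_status { CRED_OK, CRED_NULL, CRED_FREED, CRED_CORRUPT };

/* Minimal sanity check: is this a live cred whose canary is intact? */
enum cred_status model_validate_cred(const struct model_cred *c)
{
    if (c == NULL)
        return CRED_NULL;
    if (c->magic == MODEL_CRED_MAGIC_DEAD)
        return CRED_FREED;      /* record was already released */
    if (c->magic != MODEL_CRED_MAGIC)
        return CRED_CORRUPT;    /* overwritten, or not a cred at all */
    return CRED_OK;
}

/* Hypothetical hook entry: validate first, fail closed, then apply policy.
 * Returns 0 to allow, -1 to deny. */
int model_lsm_hook(const struct model_cred *c, const char *required_label)
{
    if (model_validate_cred(c) != CRED_OK)
        return -1;
    return (c->label && strcmp(c->label, required_label) == 0) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample records. */
    struct model_cred live   = { MODEL_CRED_MAGIC, 1000, "profile_a" };
    struct model_cred freed  = { MODEL_CRED_MAGIC_DEAD, 1000, "profile_a" };
    struct model_cred edited = { MODEL_CRED_MAGIC, 0, "profile_a" };
    printf("live=%d freed=%d edited=%d\n", model_validate_cred(&live),
           model_validate_cred(&freed), model_validate_cred(&edited));
    return 0;
}
```

The `edited` record passes because its canary is untouched, which is the limit of a minimal check and the case the report's longer-term sanity checking would have to address.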