change_profile requires separate permission rule to access /proc interface

Bug #979135 reported by John Johansen on 2012-04-11
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Medium
Unassigned

Bug Description

When a profile contains a rule granting permission to use the change_profile interface

  Eg.
  change_profile -> **,

it is not enough permissions to actually use the interface, because write permission to access the interface at
   /proc/self/attr/{current,exec} w,

is also needed.

If a change_profile rule is present it should imply that this permission is granted

Steve Beattie (sbeattie) wrote :

Committed in trunk revno 2030

Changed in apparmor:
status: New → Fix Committed
milestone: none → 2.8.0
importance: Undecided → Medium
Changed in apparmor:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers