reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN

Bug #1560583 reported by Jamie Strandboge on 2016-03-22
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Tyler Hicks
Tyler Hicks

Bug Description

$ cat ./t
#include <tunables/global>

profile t {
   #include <abstractions/base>
   /bin/cat ixr,
   /sys/kernel/security/apparmor/profiles r,

$ sudo apparmor_parser -r ./t
$ sudo aa-exec -p t -- cat /sys/kernel/security/apparmor/profiles
cat: /sys/kernel/security/apparmor/profiles: Permission denied

kernel: [ 62.203035] audit: type=1400 audit(1458665428.726:128): apparmor="DENIED" operation="capable" profile="t" pid=3683 comm="cat" capability=33 capname="mac_admin"

This is new in the -15 kernel.

Changed in linux (Ubuntu):
milestone: none → ubuntu-16.04
milestone: ubuntu-16.04 → none
Changed in linux (Ubuntu):
status: Confirmed → In Progress
Tyler Hicks (tyhicks) wrote :

I've created patches to fix this issue and built test kernels. Patches and kernels can be found here:

In my testing, the patches fix this bug.

Tim Gardner (timg-tpi) on 2016-03-24
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Tyler Hicks (tyhicks) wrote :

Hi Tim - Thanks for scooping up those patches. I didn't intend for you to have to do that and planned to send them out this morning. I appreciate it! :)

John Johansen (jjohansen) wrote :

This is not an issue. It is working as designed and is necessary to open up the file for the stacking work.

This patch should be reverted immediately as it opens up a policy introspection hole.

John Johansen (jjohansen) wrote :

To clarify "necessary to open up".

1. the old behavior was wrong. It allowed introspection of policy in situation that it should not have.
2. In order to open up the profiles file so that more than the system root could introspect it, DAC restrictions needed to be removed and the permission checking of what is allowed needed to be moved fully into apparmor. Since there was not time for fine grained mediation in the first iteration, the tightest restriction with original intent was used.

That is that only the policy admin is allowed fully view of loaded policy. This can be opened up with further development but is the original intent of how policy introspection was supposed to work (hence #1 noting that implementation was flawed and wrong).

Tyler Hicks (tyhicks) wrote :

I spoke with John in IRC. While he still doesn't like the two patches that were written to fix this bug, he understands the reasoning.

They're needed for 16.04 so do not revert them.

In a future release, we'll do a more complete lock down of the apparmorfs profiles file and apparmorfs profile directory to satisfy the goal that John has.

John Johansen (jjohansen) wrote :

Please note, this will require future backport kernels to be patched to maintain this semantic for the LTS release. Upstream kernels and future ubuntu kernels will not retain the broken semantic.

Launchpad Janitor (janitor) wrote :
Download full text (4.2 KiB)

This bug was fixed in the package linux - 4.4.0-16.32

linux (4.4.0-16.32) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1561727

  * fix thermal throttling due to commit "Thermal: initialize thermal zone
    device correctly" (LP: #1561676)
    - Thermal: Ignore invalid trip points

  * Thinkpad T460: Trackpoint mouse buttons instantly generate "release" event
    on press (LP: #1553811)
    - SAUCE: (noup) Input: synaptics - handle spurious release of trackstick
      buttons, again

  * reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
    (LP: #1560583)
    - SAUCE: apparmor: Allow ns_root processes to open profiles file
    - SAUCE: apparmor: Consult sysctl when reading profiles in a user ns

  * linux: sync virtualbox drivers to 5.0.16-dfsg-2 (LP: #1561492)
    - ubuntu: vbox -- update to 5.0.16-dfsg-2

  * s390/kconfig: CONFIG_NUMA without CONFIG_NUMA_EMU does not make any sense on
    s390x (LP: #1557690)

  * spl/zfs fails to build on s390x (LP: #1519814)
    - [Config] s390x -- re-enable zfs
    - [Config] zfs -- disable powerpc until the test failures can be resolved

  * linux: sync to ZFS stable release (LP: #1561483)
    - SAUCE: (noup) Update spl to, zfs to

  * zfs: enable zfs for 64bit powerpc kernels (LP: #1558871)
    - [Packaging] zfs -- handle rprovides via dpkg-gencontrol
    - [Config] powerpc -- convert zfs configuration to custom_override

  * Memory arena corruption with FUSE (was Memory allocation failure crashes
    kernel hard, presumably related to FUSE) (LP: #1505948)
    - SAUCE: (noup) fuse: do not use iocb after it may have been freed
    - SAUCE: (noup) fuse: Add reference counting for fuse_io_priv

  * cgroup namespaces: add a 'nsroot=' mountinfo field (LP: #1560489)
    - SAUCE: (noup) cgroup namespaces: add a 'nsroot=' mountinfo field

  * linux packaging: clear remaining redundant delta (LP: #1560445)
    - [Debian] Remove generated intermediate files on clean

  * arm64: guest hangs when ntpd is running (LP: #1549494)
    - Revert "hrtimer: Add support for CLOCK_MONOTONIC_RAW"
    - Revert "hrtimer: Catch illegal clockids"
    - Revert "KVM: arm/arm64: timer: Switch to CLOCK_MONOTONIC_RAW"

  * Need enough contiguous memory to support GICv3 ITS table (LP: #1558828)
    - [Config] CONFIG_FORCE_MAX_ZONEORDER=13 on arm64
    - SAUCE: (no-up) arm64: gicv3: its: Increase FORCE_MAX_ZONEORDER for Cavium

  * update arcmsr to version v1.30.00.22-20151126 to fix card timeouts
    (LP: #1559609)
    - arcmsr: fixed getting wrong configuration data
    - arcmsr: fixes not release allocated resource
    - arcmsr: make code more readable
    - arcmsr: adds code to support new Areca adapter ARC1203
    - arcmsr: changes driver version number
    - arcmsr: more readability improvements
    - arcmsr: Split dma resource allocation to a new function
    - arcmsr: change driver version to v1.30.00.22-20151126

  * server image has no keyboard, desktop image works (LP: #1559692)
    - [Config] Rework input-modules (d-i) list

  * PMU sup...


Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers