UBUNTU: SAUCE: apparmor4.0.0 [78/90]: apparmor: remove explicit restriction that unconfined cannot use change_hat

BugLink: http://bugs.launchpad.net/bugs/2028253

There does not need to be an explicit restriction that unconfined
can't use change_hat. Traditionally unconfined doesn't have hats
so change_hat could not be used. But newer unconfined profiles have
the potential of having hats, and even system unconfined will be
able to be replaced with a profile that allows for hats.

To remain backwards compatible with expected return codes, continue
to return -EPERM if the unconfined profile does not have any hats.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 743c6fbedea1e07fd7226380c758ebe9c140247c
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
John Johansen
2024-01-19 00:24:03 -08:00
committed by Paolo Pisati
parent 950e035f04
commit 9cdbe16a23
2 changed files with 18 additions and 3 deletions
@@ -2568,6 +2568,7 @@ static struct aa_sfs_entry aa_sfs_entry_attach[] = {
static struct aa_sfs_entry aa_sfs_entry_domain[] = {
AA_SFS_FILE_BOOLEAN("change_hat", 1),
AA_SFS_FILE_BOOLEAN("change_hatv", 1),
AA_SFS_FILE_BOOLEAN("unconfined_allowed_children", 1),
AA_SFS_FILE_BOOLEAN("change_onexec", 1),
AA_SFS_FILE_BOOLEAN("change_profile", 1),
AA_SFS_FILE_BOOLEAN("stack", 1),
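Review bot: the new `unconfined_allowed_children` feature flag is exported to userspace in the domain features set, but neither the commit message nor a comment says what userspace should infer from it (that change_hat may now succeed from an unconfined label that carries hats, and that -EPERM is returned only when it has none). Add a sentence to the commit message describing the flag, and confirm that the parser and libapparmor tolerate an unknown feature name, since this flag will be read by older tooling.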
@@ -1197,10 +1197,24 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)
ctx->nnp = aa_get_label(label);
/* return -EPERM when unconfined doesn't have children to avoid
* changing the traditional error code for unconfined.
*/
if (unconfined(label)) {
info = "unconfined can not change_hat";
error = -EPERM;
goto fail;
struct label_it i;
bool empty = true;
rcu_read_lock();
label_for_each_in_ns(i, labels_ns(label), label, profile) {
empty &= list_empty(&profile->base.profiles);
}
rcu_read_unlock();
if (empty) {
info = "unconfined can not change_hat";
error = -EPERM;
goto fail;
}
}
if (count) {
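Review bot: inside the `if (unconfined(label))` block the loop `empty &= list_empty(&profile->base.profiles);` keeps walking every profile in the namespace after the first one with children has already cleared `empty`; an `if (!empty) break;` in the loop body would keep the RCU critical section short. `list_empty()` under `rcu_read_lock()` is an unlocked snapshot of `base.profiles`, which is acceptable for a hint, but a hat loaded concurrently can still produce -EPERM on this call, so a comment marking the check as best-effort would help. The audit `info` string "unconfined can not change_hat" is now emitted only when the unconfined label has no hats; rewording it (for example "unconfined has no hats") would let logs distinguish the new condition from the old blanket refusal. Finally, the no_new_privs snapshot above (`task_no_new_privs(current) && !unconfined(label) && !ctx->nnp`) still skips unconfined labels; now that an unconfined label with hats can proceed to the change, check whether `ctx->nnp` also needs to be recorded for it.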