Hi John,

On Tue, Jun 26, 2012 at 10:48:38AM -0700, John Johansen wrote:
> On 06/23/2012 11:53 AM, intrigeri wrote:
> > John Johansen wrote (17 Jun 2012 19:08:20 GMT) :
> >> On 06/15/2012 05:08 PM, Ben Hutchings wrote:
> >>>>
> >>>>>> If we don't want to restrict sockets used by the kernel, don't we need
> >>>>>> to store the kern flag for later use by aa_revalidate_sk()?
> >>>>>>
> >>>>> For how apparmor is generally deployed it can get away with this, the
> >>>>> kernel bits generally bail out earlier on the check for unconfined.
> >>>>
> >>>>> That is not to say it isn't a good idea, or that it shouldn't be done.
> >>>>> The fact is this patch is going to be replaced with completely rewritten
> >>>>> controls, that do store info on the socket, it just hasn't happened yet
> >>>>> due to resources and priorities (not my priorities).
> >>>>
> >>>> Ben, is this a blocker?
> >>>
> >>> I want to be convinced that this is not a bug, or else get a fix for it.
> >>>
> >> I am looking at the kernel bits here, but I don't have a patch yet.
> >
> > Do you think you'll manage to do it in time for the Wheezy freeze
> > (June 30th)?
> >
> >>>>>> Since denied has already been masked with ~quiet_mask, this condition
> >>>>>> can never be true.
> >>>>>>
> >>>>> indeed
> >>>>
> >>>> Ben, is this a blocker?
> >>> [...]
> >>>
> >>> This clearly is a bug and I want to be convinced that it is harmless or
> >>> else get a fix for it.
> >>>
> >> Right, this breaks the controls over quieting of denial messages. Basically,
> >> if policy specifies a reject should not be logged, then the global controls
> >> that turn quieting off so that all rejects get logged aren't working for
> >> networking.
> >
> >> This is an easy patch that I can provide separately or with the
> >> patch I am working on for the larger issue.
> >
> > Do you think you'll manage to prepare at least the easy fix in time
> > for the Wheezy freeze?
>
> Okay, there are 4 kernel patches, not all of them are needed depending on
> whether the network patch is applied or not.
>
> If you don't want to apply the networking patch
>   0001-apparmor-remove-advertising-the-support-of-network-r.patch
>
> Stops the kernel interface from incorrectly advertising that it supports
> network rules. A further patch (not attached) to userspace will also have to
> be applied.
>
> If the networking patch is applied
> these two patches can be applied or ignored, 0001 will be folded into the
> compat interface patch upstream, and then 0002 will be folded into the
> networking patch
>   0001-apparmor-remove-advertising-the-support-of-network-r.patch
>   0002-apparmor-Advertise-network-mediation-from-the-compat.patch
>
> these two patches address the two bugs pointed out in the networking patch
>   0003-apparmor-Fix-quieting-of-audit-messages-for-network-.patch
>   0004-apparmor-Ensure-apparmor-does-not-mediate-kernel-bas.patch
My preference would be to apply the networking patch, along with 0003 and
0004 posted here.

-Kees

-- 
Kees Cook