[PATCH 0/2] Quiet noisy LSM denial when accessing net sysctl

From: Tyler Hicks
Date: Fri May 06 2016 - 19:04:39 EST

Next message: Tyler Hicks: "[PATCH 1/2] kernel: Add noaudit variant of ns_capable()"
Previous message: Stephen Boyd: "Re: [PATCH v7 8/9] clk: mediatek: Add config options for MT2701 subsystem clocks"
Next in thread: Tyler Hicks: "[PATCH 1/2] kernel: Add noaudit variant of ns_capable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This pair of patches does away with what I believe is a useless denial
audit message when a privileged process initially accesses a net sysctl.

The bug was first discovered when running Go applications under AppArmor
confinement. It can be triggered like so:

$ echo "profile test { file, }" | sudo apparmor_parser -rq

Once the profile is loaded, invoke Go as root under confinement:

$ sudo aa-exec -p test -- go version
go version go1.6.1 linux/amd64

Here's the denial:

audit: type=1400 audit(1462575436.832:29): apparmor="DENIED" operation="capable" profile="test" pid=1157 comm="go" capability=12 capname="net_admin"

The reproducer in minimal form is:

$ sudo aa-exec -p test -- cat /proc/sys/net/core/somaxconn
128

The denial:

audit: type=1400 audit(1462575670.000:29): apparmor="DENIED" operation="capable" profile="test" pid=1161 comm="cat" capability=12 capname="net_admin"

Thanks!

Tyler

Next message: Tyler Hicks: "[PATCH 1/2] kernel: Add noaudit variant of ns_capable()"
Previous message: Stephen Boyd: "Re: [PATCH v7 8/9] clk: mediatek: Add config options for MT2701 subsystem clocks"
Next in thread: Tyler Hicks: "[PATCH 1/2] kernel: Add noaudit variant of ns_capable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]