[PATCH RESEND 0/2] Quiet noisy LSM denial when accessing net sysctl

From: Tyler Hicks
Date: Fri Jun 03 2016 - 00:43:38 EST

Next message: Tyler Hicks: "[PATCH RESEND 1/2] kernel: Add noaudit variant of ns_capable()"
Previous message: Al Viro: "Re: NFS/d_splice_alias breakage"
Next in thread: Tyler Hicks: "[PATCH RESEND 1/2] kernel: Add noaudit variant of ns_capable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I'm resending this patch set at the request of James Morris. This pair of
patches does away with what I believe is a useless denial audit message
when a privileged process initially accesses a net sysctl.

The bug was first discovered when running Go applications under AppArmor
confinement. It can be triggered like so:

$ echo "profile test { file, }" | sudo apparmor_parser -rq

Once the profile is loaded, invoke Go as root under confinement:

$ sudo aa-exec -p test -- go version
go version go1.6.1 linux/amd64

Here's the denial:

audit: type=1400 audit(1462575436.832:29): apparmor="DENIED" operation="capable" profile="test" pid=1157 comm="go" capability=12 capname="net_admin"

The reproducer in minimal form is:

$ sudo aa-exec -p test -- cat /proc/sys/net/core/somaxconn
128

The denial:

audit: type=1400 audit(1462575670.000:29): apparmor="DENIED" operation="capable" profile="test" pid=1161 comm="cat" capability=12 capname="net_admin"

Thanks!

Tyler

Next message: Tyler Hicks: "[PATCH RESEND 1/2] kernel: Add noaudit variant of ns_capable()"
Previous message: Al Viro: "Re: NFS/d_splice_alias breakage"
Next in thread: Tyler Hicks: "[PATCH RESEND 1/2] kernel: Add noaudit variant of ns_capable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]