Re: [6.8-rc1 Regression] Unable to exec apparmor_parser from virt-aa-helper
From: Kees Cook
Date: Wed Jan 24 2024 - 14:02:50 EST
On Wed, Jan 24, 2024 at 10:27:03AM -0800, Linus Torvalds wrote:
> On Wed, 24 Jan 2024 at 09:27, Linus Torvalds
> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > IOW, I think the goal here should be "minimal fix" followed by "remove
> > that horrendous thing".
>
> Ugh. The tomoyo use is even *more* disgusting, in how it uses it for
> "tomoyo_domain()" entirely independently of even the ->file_open()
> callback.
Yeah, I just sent a similar email.
> So for tomoyo, it's not about the file open, it's about
> tomoyo_cred_prepare() and friends.
Yeah, it looks like it should happily follow cred lifetime, but I
haven't fully convinced myself.
> So the patch I posted probably fixes apparmor, but only breaks tomoyo
> instead, because tomoyo really does seem to use it around the whole
> security_bprm_creds_for_exec() thing.
>
> Now, tomoyo *also* uses it for the file_open() callback, just to confuse things.
>
> IOW, I think the right thing to do is to split this in two:
>
> - leave the existing ->in_execve for the bprm_creds dance in
> boprm_execve(). Horrendous and disgusing.
Agreed.
> - the ->file_open() thing is changed to check file->f_flags
Agreed. (And I've tested this for AppArmor now. I can confirm the
failure case -- it's only for profile transitions, which is why I didn't
see it originally in testing.
> IOW, I think the patch I posted earlier - and Kees' version of the
> same thing - is just broken. This attached patch might work.
Yup. Should I post a formal patch, or do you want to commit what you've
got (with the "file" -> "f" fix)?
-Kees
--
Kees Cook