[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

Tue, 20 Aug 2019 09:12:05 -0700 

Hello.

I would like to note, that when Linux kernel has been updated to
4.4.0-160.188 version[1] (with, among others, patches for LP:#1658219
and LP:#1838090), I've had to update a few profiles (such as Audacious,
Parole, Xorg, Logrotate etc.), because of a lot of "DENIED" entries in
system log files. If it's about access controls (vide
'requested{denied}_mask'): most new rules required 'm' (memory map as
executable), but some of them needed 'k' (file locking) etc.)

However, it seems everything is okay now and I hope, that there will be
no such issues anymore. Anyway, Mr Tyler Hicks was right: "users with
custom policy have some reasonable expectation that upgrading to the new
Ubuntu release or kernel version will require them to update their
custom policy".

By the way; what is an impact of these changes? (I mean LP:#1658219 and
LP:#1838090). Does it means, that now, use of 'm' and 'k' access is
secured/restricted/checked correctly by AppArmor? And one more thing:
this problem is related to v4.4 kernel only, right?


Thanks, best regards.
______________________
[1] https://launchpad.net/ubuntu/+source/linux/4.4.0-160.188

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1658219

Title:
  flock not mediated by 'k'

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Won't Fix

Bug description:
  $ cat ./apparmor.profile 
  #include <tunables/global>

  profile test {
    #include <abstractions/base>

    /bin/bash ixr,
    /dev/pts/* rw,
    /usr/bin/flock ixr,
    # Not blocked:
    # aa-exec -p test -- flock -w 1 /tmp/test.lock -c true
    /tmp/test.lock rw,

  }

  $ sudo apparmor_parser -r ./apparmor.profile

  $ aa-exec -p test -- flock -w 1 /tmp/test.lock -c true && echo yes
  yes

  $ ls -l /tmp/test.lock 
  -rw-rw-r-- 1 jamie jamie 0 Jan 20 15:57 /tmp/test.lock

  The flock command uses flock(LOCK_EX) and I expected it to be blocked
  due to the lack of 'k'.

  apparmor userspace 2.10.95-0ubuntu2.5 (xenial) and 4.9.0-12.13-generic
  kernel on amd64.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1658219/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to