[PATCH] apparmor: Restore Y/N in /sys for apparmor's "enabled"

John Johansen john.johansen at canonical.com
Tue Apr 9 21:17:03 UTC 2019


On 4/9/19 1:11 PM, James Morris wrote:
> On Tue, 9 Apr 2019, Kees Cook wrote:
> 
>> On Mon, Apr 8, 2019 at 11:21 PM David Rheinsberg
>> <david.rheinsberg at gmail.com> wrote:
>>>
>>> Hi
>>>
>>> On Mon, Apr 8, 2019 at 6:07 PM Kees Cook <keescook at chromium.org> wrote:
>>>>
>>>> Before commit c5459b829b71 ("LSM: Plumb visibility into optional "enabled"
>>>> state"), /sys/module/apparmor/parameters/enabled would show "Y" or "N"
>>>> since it was using the "bool" handler. After being changed to "int",
>>>> this switched to "1" or "0", breaking the userspace AppArmor detection
>>>> of dbus-broker. This restores the Y/N output while keeping the LSM
>>>> infrastructure happy.
>>>>
>>>> Before:
>>>>         $ cat /sys/module/apparmor/parameters/enabled
>>>>         1
>>>>
>>>> After:
>>>>         $ cat /sys/module/apparmor/parameters/enabled
>>>>         Y
>>>>
>>>> Reported-by: David Rheinsberg <david.rheinsberg at gmail.com>
>>>> Link: https://lkml.kernel.org/r/CADyDSO6k8vYb1eryT4g6+EHrLCvb68GAbHVWuULkYjcZcYNhhw@mail.gmail.com
>>>> Fixes: c5459b829b71 ("LSM: Plumb visibility into optional "enabled" state")
>>>> Signed-off-by: Kees Cook <keescook at chromium.org>
>>>> ---
>>>> This fix, if John is okay with it, is needed in v5.1 to correct the
>>>> userspace regression reported by David.
>>>> ---
>>>>  security/apparmor/lsm.c | 49 ++++++++++++++++++++++++++++++++++++++++-
>>>>  1 file changed, 48 insertions(+), 1 deletion(-)
>>>
>>> This looks good to me. Thanks a lot! If this makes v5.1, I will leave
>>> the apparmor-detection in dbus-broker as it is, unless someone asks me
>>> to parse 0/1 as well?
>>>
>>> I cannot judge whether the apparmor_initialized check is correct, but
>>> for the parameter parsing:
>>>
>>> Reviewed-by: David Rheinsberg <david.rheinsberg at gmail.com>
>>
>> Thanks!
>>
>> James, are you able to take this for v5.1 fixes?
> 
> Actually, JJ usually submits directly to Linus.  
> 

yeah, I can push this up



More information about the Linux-security-module-archive mailing list