[6.8-rc1 Regression] Unable to exec apparmor_parser from virt-aa-helper

Linus Torvalds torvalds at linux-foundation.org
Wed Jan 24 17:10:58 UTC 2024


On Wed, 24 Jan 2024 at 08:54, Linus Torvalds
<torvalds at linux-foundation.org> wrote:
>
> Hmm. That whole thing is disgusting. I think it should have checked
> FMODE_EXEC, and I have no idea why it doesn't.

Maybe because FMODE_EXEC gets set for uselib() calls too? I dunno. I
think it would be even better if we had the 'intent' flags from
'struct open_flags' available, but they aren't there in the
file_open() security chain.

Anyway, moving current->in_execve earlier looks fairly trivial, but I
worry about the randomness. I'd be *so*( much happier if this crazy
flag went away, and it got changed to look at the open intent instead.

Attached patch is ENTIRELY UNTESTED. And disgusting.

I went back and looked. This whole disgusting thing goes back to 2009
and commit f9ce1f1cda8b ("Add in_execve flag into task_struct").

              Linus


More information about the Linux-security-module-archive mailing list