On 10/08/2014 02:04 PM, Seth Arnold wrote: > On Wed, Oct 08, 2014 at 01:24:50PM -0500, Jamie Strandboge wrote: >> >> -- >> Jamie Strandboge http://www.ubuntu.com/ > >> Description: update dnsmasq for read access to /proc/sys/kernel/cap_last_cap >> Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1378977 >> >> Acked-By: Jamie Strandboge <[email protected]> > > This has the feeling of something that's unlikely to be spceial to > dnsmasq; it'd be lovely to know which API it's using that does this so we > can better figure an abstraction to put it with. (base comes to mind, but > perhaps that's just further abuse of poor old base.) > I don't know what started using it. I didn't see any other policy requiring it so I filed it against dnsmasq. That said, I found: http://lkml.iu.edu/hypermail/linux/kernel/1110.1/02980.html
"Userspace needs to know the highest valid capability of the running kernel, which right now cannot reliably be retrieved from the header files only. The fact that this value cannot be determined properly right now creates various problems for libraries compiled on newer header files which are run on older kernels. They assume capabilities are available which actually aren't. Now the capability is exported in /proc/sys/kernel/cap_last_cap." I don't think we need to investigate further, this seems appropriate for the base abstraction. Attached is a new patch to do that. -- Jamie Strandboge http://www.ubuntu.com/
Description: update base abstraction read access to /proc/sys/kernel/cap_last_cap. This is needed to determine the highest valid capability of the running kernel. Reference: https://lkml.org/lkml/2011/10/15/42 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1378977 Acked-By: Jamie Strandboge <[email protected]> === modified file 'profiles/apparmor.d/abstractions/base' --- profiles/apparmor.d/abstractions/base 2014-09-05 18:08:55 +0000 +++ profiles/apparmor.d/abstractions/base 2014-10-08 19:38:06 +0000 @@ -103,6 +103,9 @@ # glibc malloc (man 5 proc) @{PROC}/sys/vm/overcommit_memory r, + # Allow determining the highest valid capability of the running kernel + @{PROC}/sys/kernel/cap_last_cap r, + # Allow other processes to read our /proc entries, futexes, perf tracing and # kcmp for now (they will need 'read' in the first place). Administrators can # override with:
signature.asc
Description: OpenPGP digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
