On Wed, Oct 08, 2014 at 02:40:11PM -0500, Jamie Strandboge wrote: > On 10/08/2014 02:04 PM, Seth Arnold wrote: > > On Wed, Oct 08, 2014 at 01:24:50PM -0500, Jamie Strandboge wrote: > >> > >> -- > >> Jamie Strandboge http://www.ubuntu.com/ > > > >> Description: update dnsmasq for read access to > >> /proc/sys/kernel/cap_last_cap > >> Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1378977 > >> > >> Acked-By: Jamie Strandboge <[email protected]> > > > > This has the feeling of something that's unlikely to be spceial to > > dnsmasq; it'd be lovely to know which API it's using that does this so we > > can better figure an abstraction to put it with. (base comes to mind, but > > perhaps that's just further abuse of poor old base.) > > > I don't know what started using it. I didn't see any other policy requiring it > so I filed it against dnsmasq. That said, I found: > http://lkml.iu.edu/hypermail/linux/kernel/1110.1/02980.html > > "Userspace needs to know the highest valid capability of the running > kernel, which right now cannot reliably be retrieved from the header > files only. The fact that this value cannot be determined properly > right now creates various problems for libraries compiled on newer > header files which are run on older kernels. They assume > capabilities are available which actually aren't. > > Now the capability is exported in /proc/sys/kernel/cap_last_cap." > > I don't think we need to investigate further, this seems appropriate for the > base abstraction. Attached is a new patch to do that. > > > > -- > Jamie Strandboge http://www.ubuntu.com/
> Description: update base abstraction read access to > /proc/sys/kernel/cap_last_cap. This is needed to determine the highest valid > capability of the running kernel. Reference: > https://lkml.org/lkml/2011/10/15/42 > Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1378977 > > Acked-By: Jamie Strandboge <[email protected]> > Yeah, seems good to me. Acked-by: Seth Arnold <[email protected]> Thanks > === modified file 'profiles/apparmor.d/abstractions/base' > --- profiles/apparmor.d/abstractions/base 2014-09-05 18:08:55 +0000 > +++ profiles/apparmor.d/abstractions/base 2014-10-08 19:38:06 +0000 > @@ -103,6 +103,9 @@ > # glibc malloc (man 5 proc) > @{PROC}/sys/vm/overcommit_memory r, > > + # Allow determining the highest valid capability of the running kernel > + @{PROC}/sys/kernel/cap_last_cap r, > + > # Allow other processes to read our /proc entries, futexes, perf tracing > and > # kcmp for now (they will need 'read' in the first place). Administrators > can > # override with: > > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor
signature.asc
Description: Digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
