On 12/13/2021 4:28 PM, John Johansen wrote:
On 12/13/21 9:48 AM, Casey Schaufler wrote:
The Ubuntu kernel has "subj=unconfined" in its audit records.
The Linus v5.16-rc4 kernel has "subj==unconfined".

I see in the upstream where the extra "=" comes from, but I
I assume this is from

label.c:
        if (flags & FLAG_ABS_ROOT) {
                ns = root_ns;
                len = snprintf(str, size, "=");
                update_for_len(total, len, size, str);
        } else if (!ns) {

It is called when secids are being used without context.

This was an unfortunate choice made long ago. It is something
I have looked at removing, and if this is rearing its head
with upstream kernels we will have to fix it asap.

I see it on an Ubuntu system with 5.16-rc4.

type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'



don't see how to get to that code. I have not looked into the
patches Ubuntu is using, but there must be something.

You won't find the code that calls this for some Ubuntu kernels
because secid auditing was reverted so the LSM stacking patches
could be used with extended network mediation (af_unix)
without issues.

This is something that needs to be fixed as well.

--
AppArmor mailing list
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
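
For anyone matching on the subj= field in audit tooling, the following is an added example, not code from this thread or from the AppArmor project. It parses the USER_LOGIN record quoted above and reports the same label whether the kernel wrote "subj=unconfined" or "subj==unconfined". The function names are hypothetical, and treating the leading "=" as a prefix to strip before matching is this example's assumption, based on the FLAG_ABS_ROOT branch shown in the message.

```python
import re

# Constructed input: the record quoted in the message, joined onto one line.
SAMPLE = ("type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 "
          "auid=1000 ses=3 subj==unconfined msg='op=login id=1000 "
          "exe=\"/usr/sbin/sshd\" hostname=192.168.122.1 addr=192.168.122.1 "
          "terminal=/dev/pts/1 res=success'")

# key=value, where the value is '...', "..." or a run of non-space characters.
# For "subj==unconfined" the key is "subj" and the value is "=unconfined".
FIELD = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S*)""")


def parse_fields(text):
    """Return the key/value pairs of one record; a nested msg='...' is merged in."""
    fields = {}
    for key, value in FIELD.findall(text):
        if len(value) >= 2 and value.startswith("'") and value.endswith("'"):
            fields.update(parse_fields(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return fields


def normalize_subj(raw):
    """Split a subj value into (label, prefix_seen).

    Assumption of this example: one leading "=" is the marker written by the
    FLAG_ABS_ROOT branch and is not part of the label used for matching.
    """
    if raw.startswith("="):
        return raw[1:], True
    return raw, False


def subject_of(record):
    """Summarise who acted in a record, with the label in one canonical form."""
    fields = parse_fields(record)
    label, prefixed = normalize_subj(fields.get("subj", ""))
    return {"type": fields.get("type"), "exe": fields.get("exe"),
            "res": fields.get("res"), "label": label,
            "abs_root_prefix": prefixed}


if __name__ == "__main__":
    print(subject_of(SAMPLE))                             # upstream 5.16-rc4 form
    print(subject_of(SAMPLE.replace("subj==", "subj=")))  # Ubuntu kernel form
```

Keeping the prefix flag next to the normalized label lets a rule match "unconfined" on both kernels while still recording which form the kernel emitted.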
