linux-security-module.vger.kernel.org archive mirror
* [REGRESSION] AppArmor module parameter layout changed with c5459b829b716
@ 2019-04-08  7:21 David Rheinsberg
  2019-04-08 15:02 ` Kees Cook
  0 siblings, 1 reply; 2+ messages in thread
From: David Rheinsberg @ 2019-04-08  7:21 UTC
  To: linux-kernel
  Cc: John Johansen, James Morris, Serge E. Hallyn,
	linux-security-module, Kees Cook, Casey Schaufler

Hi

A recent commit changed how `/sys/module/apparmor/parameters/enabled`
looks. It was "Y"/"N" before, now it is an integer. I *think* the
commit that changed this was:

commit c5459b829b716dafd226ad270f25c9a3050f7586
Author: Kees Cook <keescook@chromium.org>
Date:   Thu Sep 13 22:28:48 2018 -0700

    LSM: Plumb visibility into optional "enabled" state

I haven't recompiled with a revert, but changing the module-parameter
type looks like the obvious culprit. I don't see how this change can
be safe?

This breaks the AppArmor detection of `dbus-broker`. Can the commit be reverted?

Thanks
David


* Re: [REGRESSION] AppArmor module parameter layout changed with c5459b829b716
  2019-04-08  7:21 [REGRESSION] AppArmor module parameter layout changed with c5459b829b716 David Rheinsberg
@ 2019-04-08 15:02 ` Kees Cook
  0 siblings, 0 replies; 2+ messages in thread
From: Kees Cook @ 2019-04-08 15:02 UTC
  To: David Rheinsberg
  Cc: LKML, John Johansen, James Morris, Serge E. Hallyn,
	linux-security-module, Casey Schaufler

On Mon, Apr 8, 2019 at 12:21 AM David Rheinsberg
<david.rheinsberg@gmail.com> wrote:
>
> Hi
>
> A recent commit changed how `/sys/module/apparmor/parameters/enabled`
> looks. It was "Y"/"N" before, now it is an integer. I *think* the
> commit that changed this was:

Oooh... the _output_ appears differently based on the type. Argh. Let
me work something up...

> commit c5459b829b716dafd226ad270f25c9a3050f7586
> Author: Kees Cook <keescook@chromium.org>
> Date:   Thu Sep 13 22:28:48 2018 -0700
>
>     LSM: Plumb visibility into optional "enabled" state
>
> I haven't recompiled with a revert, but changing the module-parameter
> type looks like the obvious culprit. I don't see how this change can
> be safe?
>
> This breaks the AppArmor detection of `dbus-broker`. Can the commit be reverted?

Thanks for catching this!

-- 
Kees Cook
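
Added example, not part of the thread and not dbus-broker's or the kernel's code: a userspace check that reads `/sys/module/apparmor/parameters/enabled` and accepts both layouts discussed above, the bool form ("Y"/"N") and the integer form. The function names are hypothetical, and treating a missing file as "disabled" is an assumption.

```c
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse the parameter text in either layout: "Y"/"N" (bool) or a decimal
 * integer. Returns 0 and sets *enabled, or -EINVAL for anything else. */
int parse_lsm_enabled(const char *buf, size_t len, bool *enabled)
{
    char tmp[32], *end;
    while (len > 0 && isspace((unsigned char)buf[len - 1]))
        len--;                              /* sysfs output ends in '\n' */
    if (len == 0 || len >= sizeof(tmp))
        return -EINVAL;
    memcpy(tmp, buf, len);
    tmp[len] = '\0';
    if (len == 1 && (tmp[0] == 'Y' || tmp[0] == 'N')) {  /* bool layout */
        *enabled = (tmp[0] == 'Y');
        return 0;
    }
    errno = 0;
    long v = strtol(tmp, &end, 10);                      /* integer layout */
    if (errno || end == tmp || *end != '\0')
        return -EINVAL;
    *enabled = (v != 0);
    return 0;
}

/* Read and parse the parameter file. Assumption: a missing file means the
 * module is not present, reported as "disabled" rather than as an error. */
int read_lsm_enabled(const char *path, bool *enabled)
{
    char buf[32];
    int r, fd = open(path, O_RDONLY);

    if (fd < 0 && errno == ENOENT) {
        *enabled = false;
        return 0;
    }
    if (fd < 0)
        return -errno;
    ssize_t n = read(fd, buf, sizeof(buf));
    r = n < 0 ? -errno : parse_lsm_enabled(buf, (size_t)n, enabled);
    close(fd);
    return r;
}
```

Unparseable content returns `-EINVAL` instead of being read as "disabled", so a further format change surfaces as an error rather than as a silently skipped AppArmor check.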
