From fc17abbe85db10f0324951048894cddcf1bdb72d Mon Sep 17 00:00:00 2001 From: John Johansen Date: Sat, 25 Jun 2011 16:57:07 +0100 Subject: AppArmor: Fix masking of capabilities in complain mode commit 25e75dff519bcce2cb35023105e7df51d7b9e691 upstream. AppArmor is masking the capabilities returned by capget against the capabilities mask in the profile. This is wrong, in complain mode the profile has effectively all capabilities, as the profile restrictions are not being enforced, merely tested against to determine if an access is known by the profile. This can result in the wrong behavior of security conscience applications like sshd which examine their capability set, and change their behavior accordingly. In this case because of the masked capability set being returned sshd fails due to DAC checks, even when the profile is in complain mode. Kernels affected: 2.6.36 - 3.0. Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman Change-Id: Id665e36b12510c35d345329339cb17c793c65456 Reviewed-on: http://gerrit.lud.stericsson.com/gerrit/35671 Tested-by: Per VAHLNE Reviewed-by: Jonas ABERG --- security/apparmor/lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 3d2fd141dff..37832026e58 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -127,7 +127,7 @@ static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, *inheritable = cred->cap_inheritable; *permitted = cred->cap_permitted; - if (!unconfined(profile)) { + if (!unconfined(profile) && !COMPLAIN_MODE(profile)) { *effective = cap_intersect(*effective, profile->caps.allow); *permitted = cap_intersect(*permitted, profile->caps.allow); } -- cgit v1.2.3