LSM stacking: add missing permissions for using new kernel interfaces

LSM stacking adds the new /proc/<pid>/attr/apparmor directory dedicated to apparmor so that it won't collide with other LSMs. The library has already been switched to using this interface by default, but the parser need to add permissions to access this location when hats and/or change_profile rules are defined. Also make sure to update the apache abstraction to support the new interface as well. Signed-off-by: John Johansen <john.johansen@canonical.com Acked-by: Seth Arnold <seth.arnold@canonical.com>
2025-08-30 22:05:27 +00:00 · 2020-05-03 00:04:21 -07:00
parent 6557e06019
commit dca5b452a5
2 changed files with 4 additions and 4 deletions
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -173,9 +173,9 @@ void post_process_file_entries(Profile *prof)
 	 * access to /proc/self/attr/current
 	 */
 	if (cp_mode & AA_CHANGE_PROFILE) {
-		/* FIXME: should use @{PROC}/@{PID}/attr/{current,exec} */
+		/* FIXME: should use @{PROC}/@{PID}/attr/{apparmor/,}{current,exec} */
 		struct cod_entry *new_ent;
-		char *buffer = strdup("/proc/*/attr/{current,exec}");
+		char *buffer = strdup("/proc/*/attr/{apparmor/,}{current,exec}");
 		if (!buffer) {
 			PERROR("Memory allocation error\n");
 			exit(1);
@@ -196,7 +196,7 @@ void post_process_rule_entries(Profile *prof)
 }


-#define CHANGEHAT_PATH "/proc/[0-9]*/attr/current"
+#define CHANGEHAT_PATH "/proc/[0-9]*/attr/{apparmor/,}current"

 /* add file rules to access /proc files to call change_hat()
 */