apparmor: sysctl to enable unprivileged user ns AppArmor policy loading

If this sysctl is set to non-zero and a process with CAP_MAC_ADMIN in the root namespace has created an AppArmor policy namespace, unprivileged processes will be able to change to a profile in the newly created AppArmor policy namespace and, if the profile allows CAP_MAC_ADMIN and appropriate file permissions, will be able to load policy in the respective policy namespace. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2016-03-16 19:19:10 -05:00 · 2016-03-16 19:19:10 -05:00 · e3ea1ca59a
commit e3ea1ca59a
parent e025be0f26
2 changed files with 47 additions and 1 deletions
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@ -868,6 +868,46 @@ static int __init set_init_ctx(void)
 	return 0;
 }

+#ifdef CONFIG_SYSCTL
+static int apparmor_dointvec(struct ctl_table *table, int write,
+			     void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	if (!policy_admin_capable(NULL))
+		return -EPERM;
+	if (!apparmor_enabled)
+		return -EINVAL;
+
+	return proc_dointvec(table, write, buffer, lenp, ppos);
+}
+
+static struct ctl_path apparmor_sysctl_path[] = {
+	{ .procname = "kernel", },
+	{ }
+};
+
+static struct ctl_table apparmor_sysctl_table[] = {
+	{
+		.procname       = "unprivileged_userns_apparmor_policy",
+		.data           = &unprivileged_userns_apparmor_policy,
+		.maxlen         = sizeof(int),
+		.mode           = 0600,
+		.proc_handler   = apparmor_dointvec,
+	},
+	{ }
+};
+
+static int __init apparmor_init_sysctl(void)
+{
+	return register_sysctl_paths(apparmor_sysctl_path,
+				     apparmor_sysctl_table) ? 0 : -ENOMEM;
+}
+#else
+static inline int apparmor_init_sysctl(void)
+{
+	return 0;
+}
+#endif /* CONFIG_SYSCTL */
+
 static int __init apparmor_init(void)
 {
 	int error;
@ -890,6 +930,13 @@ static int __init apparmor_init(void)
 		goto alloc_out;
 	}

+	error = apparmor_init_sysctl();
+	if (error) {
+		AA_ERROR("Unable to register sysctls\n");
+		goto alloc_out;
+
+	}
+
 	error = set_init_ctx();
 	if (error) {
 		AA_ERROR("Failed to set context on init task\n");
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@ -99,7 +99,6 @@ const char *const aa_profile_mode_names[] = {
 	"unconfined",
 };

-
 /* requires profile list write lock held */
 void __aa_update_proxy(struct aa_profile *orig, struct aa_profile *new)
 {