]> git.proxmox.com Git - mirror_ubuntu-kernels.git/commit
projects / mirror_ubuntu-kernels.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c76e20e) | patch
UBUNTU: SAUCE: apparmor: disable showing the mode as part of a secid to secctx
authorJohn Johansen <john.johansen@canonical.com>
Tue, 6 Oct 2020 21:43:16 +0000 (14:43 -0700)
committerAndrea Righi <andrea.righi@canonical.com>
Thu, 9 Mar 2023 14:57:23 +0000 (15:57 +0100)
commit125a9c42447c510ba7e9e6e3ef0b79f08b5c961c
tree8435e5d0411bc839efe5af69f8ae903167011ba8tree
parentc76e20e93ffd5dee291285f67bb9ac015e858942commit | diff
UBUNTU: SAUCE: apparmor: disable showing the mode as part of a secid to secctx

Displaying the mode as part of the seectx takes up unnecessary memory,
makes it so we can't use refcounted secctx so we need to alloc/free on
every conversion from secid to secctx and introduces a space that
could be potentially mishandled by tooling.

Eg. In an audit record we get

  subj_type=firefix (enforce)

Having the mode reported is not necessary, and might even be confusing
eg. when writing an audit rule to match the above record field you
would use

  -F subj_type=firefox

ie. the mode is not included. AppArmor provides ways to find the mode
without reporting as part of the secctx. So disable this by default
before its use is wide spread and we can't. For now we add a sysctl
to control the behavior as we can't guarentee no one is using this.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
security/apparmor/secid.c diff | blob | blame | history
Ubuntu combined Linux kernel mirror