mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-12 21:44:06 +08:00
25e75dff51
AppArmor is masking the capabilities returned by capget against the capabilities mask in the profile. This is wrong, in complain mode the profile has effectively all capabilities, as the profile restrictions are not being enforced, merely tested against to determine if an access is known by the profile. This can result in the wrong behavior of security conscience applications like sshd which examine their capability set, and change their behavior accordingly. In this case because of the masked capability set being returned sshd fails due to DAC checks, even when the profile is in complain mode. Kernels affected: 2.6.36 - 3.0. Signed-off-by: John Johansen <john.johansen@canonical.com> |
||
---|---|---|
.. | ||
apparmor | ||
integrity/ima | ||
keys | ||
selinux | ||
smack | ||
tomoyo | ||
capability.c | ||
commoncap.c | ||
device_cgroup.c | ||
inode.c | ||
Kconfig | ||
lsm_audit.c | ||
Makefile | ||
min_addr.c | ||
security.c |