libapparmor: Adjust stacking interface check (!713) · Merge requests · AppArmor / apparmor

John Johansen requested to merge jjohansen/apparmor:fix-attr-check into master Feb 16, 2021

TODO: tests

libapparmor performs a test for the new stacking interface, however how it does this test is problematic as it requires all confined tasks to be given read access to the task introspection interface.

This results in tasks needing to be given read access to the interface even if they don't need it. Making it possible for tasks to discover their confinement even if they are not supposed to be able to.

Instead change the check to using state on the parent directory. This will generate a getattr request instead of read and make it on the directory instead of on any interface file that could be used to obtain information.

Signed-off-by: John Johansen john.johansen@canonical.com

Edited Jul 21, 2021 by John Johansen

libapparmor: Adjust stacking interface check

Merge request reports