From: Kees Cook
Date: Tue, 9 Apr 2019 08:16:35 -0700
Subject: Re: [PATCH] apparmor: Restore Y/N in /sys for apparmor's "enabled"
To: David Rheinsberg
Cc: James Morris, John Johansen, "Serge E. Hallyn", linux-security-module, LKML
References: <20190408160706.GA18786@beast>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 8, 2019 at 11:21 PM David Rheinsberg wrote:
>
> Hi
>
> On Mon, Apr 8, 2019 at 6:07 PM Kees Cook wrote:
> >
> > Before commit c5459b829b71 ("LSM: Plumb visibility into optional "enabled"
> > state"), /sys/module/apparmor/parameters/enabled would show "Y" or "N"
> > since it was using the "bool" handler. After being changed to "int",
> > this switched to "1" or "0", breaking the userspace AppArmor detection
> > of dbus-broker. This restores the Y/N output while keeping the LSM
> > infrastructure happy.
> >
> > Before:
> > $ cat /sys/module/apparmor/parameters/enabled
> > 1
> >
> > After:
> > $ cat /sys/module/apparmor/parameters/enabled
> > Y
> >
> > Reported-by: David Rheinsberg
> > Link: https://lkml.kernel.org/r/CADyDSO6k8vYb1eryT4g6+EHrLCvb68GAbHVWuULkYjcZcYNhhw@mail.gmail.com
> > Fixes: c5459b829b71 ("LSM: Plumb visibility into optional "enabled" state")
> > Signed-off-by: Kees Cook
> > ---
> > This fix, if John is okay with it, is needed in v5.1 to correct the
> > userspace regression reported by David.
> > ---
> >  security/apparmor/lsm.c | 49 ++++++++++++++++++++++++++++++++++++++++-
> >  1 file changed, 48 insertions(+), 1 deletion(-)
>
> This looks good to me. Thanks a lot! If this makes v5.1, I will leave
> the apparmor-detection in dbus-broker as it is, unless someone asks me
> to parse 0/1 as well?
>
> I cannot judge whether the apparmor_initialized check is correct, but
> for the parameter parsing:
>
> Reviewed-by: David Rheinsberg

Thanks! James, are you able to take this for v5.1 fixes?

-- 
Kees Cook
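
Added example, not part of the thread and not dbus-broker's or the kernel's code: a userspace check of the `enabled` parameter that accepts both the "bool" handler output (Y/N) and the "int" handler output (1/0) and reports anything else as an error instead of guessing. The function and macro names are hypothetical, and treating a missing file as "AppArmor not present" is an assumption of this sketch.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Path quoted in the thread; the macro and function names are hypothetical. */
#define APPARMOR_ENABLED_PATH "/sys/module/apparmor/parameters/enabled"

/* Returns 1 (enabled), 0 (disabled) or -EINVAL for unrecognised content. */
int apparmor_parse_enabled(const char *buf)
{
    size_t len = strlen(buf);

    /* sysfs appends a newline; ignore trailing whitespace. */
    while (len > 0 && isspace((unsigned char)buf[len - 1]))
        len--;
    if (len != 1)
        return -EINVAL;

    switch (buf[0]) {
    case 'Y': case '1': return 1;   /* "bool" and "int" handler output */
    case 'N': case '0': return 0;
    default:            return -EINVAL;
    }
}

/* Returns 1/0 as above, 0 if the file is absent (assumption), or -errno. */
int apparmor_is_enabled(const char *path)
{
    char buf[16] = "";
    FILE *f = fopen(path, "r");

    if (!f)
        return errno == ENOENT ? 0 : -errno;
    if (!fgets(buf, sizeof(buf), f))
        buf[0] = '\0';              /* empty file or read error: parse fails */
    fclose(f);
    return apparmor_parse_enabled(buf);
}

int main(void)
{
    int r = apparmor_is_enabled(APPARMOR_ENABLED_PATH);

    if (r < 0)
        fprintf(stderr, "apparmor: cannot determine state (%d)\n", r);
    else
        printf("apparmor %s\n", r ? "enabled" : "disabled");
    return r < 0;
}
```

Returning an error for unexpected content lets the caller decide whether to refuse to start or to proceed without AppArmor mediation, rather than silently treating an unknown value as "disabled".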