From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 64CD733290F; Mon, 13 Apr 2026 17:01:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776099689; cv=none; b=UUfZvMV/tAjS/+Vj+GyN9NYq12xlnlL3r8UIsvKWrQCjM3Ul6F51jZjpKrtIQIHn2awr/ohVUaNn4i02MLx0bimmGB5j9eKN/sLrET+nJXtBdRejOhn4FTgGt2QueN0vz4zESkHaU/c8Wq4i2dguJ+10qbMSn2mBtlZ6w9zzoXE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776099689; c=relaxed/simple; bh=ZgFs1mrujHw1Vz2Nbuzyy/X+GKLLVLbwZTyxgqRj8v8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=X2baBsfPP0Vvp+Wrangh8lmzCbH3xndGDDePiC/Ay2+c4dVavJOZwk35vuobfaJyF2ZFSaFjYSTNljWRhslAEAY2jYEkCLcgMngxaIP1/hbIGQN4Qxx6S5iJy2UjNChi8D5WVTpwhYg5coYEhNNay2YbTXr4Q4yjm1MZOxEc1mo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=o849Sa9g; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="o849Sa9g" Received: by smtp.kernel.org (Postfix) with ESMTPSA id EF06DC2BCAF; Mon, 13 Apr 2026 17:01:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1776099689; bh=ZgFs1mrujHw1Vz2Nbuzyy/X+GKLLVLbwZTyxgqRj8v8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=o849Sa9gvqNrRvwjzbfCusU3zD2YmaiRZSmWtiP9DBDDp0jhebAcKB2JXrwgcHC64 VFlg43pETKL7s0SFxcf01sDfqKXIBOxz4HmCBje+omg295f4GtUq99KuOW0q408ne5 fiEx3eAuE0r92QVR1CUDSI3Gc9qEtDb5nmjOwhjE= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Qualys Security Advisory , Salvatore Bonaccorso , Georgia Garcia , Cengiz Can , John Johansen Subject: [PATCH 5.10 437/491] apparmor: fix unprivileged local user can do privileged policy management Date: Mon, 13 Apr 2026 18:01:22 +0200 Message-ID: <20260413155835.387881935@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413155819.042779211@linuxfoundation.org> References: <20260413155819.042779211@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: John Johansen commit 6601e13e82841879406bf9f369032656f441a425 upstream. Backport for api changes introduced in - 90c436a64a6e ("apparmor: pass cred through to audit info.") - 92de220a7f33 ("apparmor: update policy capable checks to use a label") An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by passing the opened fd to a privileged process, and getting the privileged process to write to the interface. This does require a privileged target that can be manipulated to do the write for the unprivileged process, but once such access is achieved full policy management is possible and all the possible implications that implies: removing confinement, DoS of system or target applications by denying all execution, by-passing the unprivileged user namespace restriction, to exploiting kernel bugs for a local privilege escalation. The policy management interface can not have its permissions simply changed from 0666 to 0600 because non-root processes need to be able to load policy to different policy namespaces. Instead ensure the task writing the interface has privileges that are a subset of the task that opened the interface. This is already done via policy for confined processes, but unconfined can delegate access to the opened fd, by-passing the usual policy check. Fixes: b7fd2c0340eac ("apparmor: add per policy ns .load, .replace, .remove interface files") Reported-by: Qualys Security Advisory Tested-by: Salvatore Bonaccorso Reviewed-by: Georgia Garcia Reviewed-by: Cengiz Can Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman --- security/apparmor/apparmorfs.c | 19 +++++++++++------- security/apparmor/include/policy.h | 5 ++-- security/apparmor/policy.c | 39 +++++++++++++++++++++++++++++++++++-- 3 files changed, 52 insertions(+), 11 deletions(-) --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -409,7 +409,8 @@ static struct aa_loaddata *aa_simple_wri } static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, - loff_t *pos, struct aa_ns *ns) + loff_t *pos, struct aa_ns *ns, + const struct cred *ocred) { struct aa_loaddata *data; struct aa_label *label; @@ -420,7 +421,7 @@ static ssize_t policy_update(u32 mask, c /* high level check about policy management - fine grained in * below after unpack */ - error = aa_may_manage_policy(label, ns, mask); + error = aa_may_manage_policy(current_cred(), label, ns, ocred, mask); if (error) goto end_section; @@ -441,7 +442,8 @@ static ssize_t profile_load(struct file loff_t *pos) { struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); - int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns); + int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns, + f->f_cred); aa_put_ns(ns); @@ -459,7 +461,7 @@ static ssize_t profile_replace(struct fi { struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY, - buf, size, pos, ns); + buf, size, pos, ns, f->f_cred); aa_put_ns(ns); return error; @@ -483,7 +485,8 @@ static ssize_t profile_remove(struct fil /* high level check about policy management - fine grained in * below after unpack */ - error = aa_may_manage_policy(label, ns, AA_MAY_REMOVE_POLICY); + error = aa_may_manage_policy(current_cred(), label, ns, + f->f_cred, AA_MAY_REMOVE_POLICY); if (error) goto out; @@ -1796,7 +1799,8 @@ static int ns_mkdir_op(struct inode *dir int error; label = begin_current_label_crit_section(); - error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY); + error = aa_may_manage_policy(current_cred(), label, NULL, NULL, + AA_MAY_LOAD_POLICY); end_current_label_crit_section(label); if (error) return error; @@ -1845,7 +1849,8 @@ static int ns_rmdir_op(struct inode *dir int error; label = begin_current_label_crit_section(); - error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY); + error = aa_may_manage_policy(current_cred(), label, NULL, NULL, + AA_MAY_LOAD_POLICY); end_current_label_crit_section(label); if (error) return error; --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -303,7 +303,8 @@ static inline int AUDIT_MODE(struct aa_p bool policy_view_capable(struct aa_ns *ns); bool policy_admin_capable(struct aa_ns *ns); -int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns, - u32 mask); +int aa_may_manage_policy(const struct cred *subj_cred, + struct aa_label *label, struct aa_ns *ns, + const struct cred *ocred, u32 mask); #endif /* __AA_POLICY_H */ --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -695,14 +695,44 @@ bool policy_admin_capable(struct aa_ns * return policy_view_capable(ns) && capable && !aa_g_lock_policy; } +static bool is_subset_of_obj_privilege(const struct cred *cred, + struct aa_label *label, + const struct cred *ocred) +{ + if (cred == ocred) + return true; + + if (!aa_label_is_subset(label, cred_label(ocred))) + return false; + /* don't allow crossing userns for now */ + if (cred->user_ns != ocred->user_ns) + return false; + if (!cap_issubset(cred->cap_inheritable, ocred->cap_inheritable)) + return false; + if (!cap_issubset(cred->cap_permitted, ocred->cap_permitted)) + return false; + if (!cap_issubset(cred->cap_effective, ocred->cap_effective)) + return false; + if (!cap_issubset(cred->cap_bset, ocred->cap_bset)) + return false; + if (!cap_issubset(cred->cap_ambient, ocred->cap_ambient)) + return false; + return true; +} + + /** * aa_may_manage_policy - can the current task manage policy + * @subj_cred; subjects cred * @label: label to check if it can manage policy - * @op: the policy manipulation operation being done + * @ns: namespace being managed by @label (may be NULL if @label's ns) + * @ocred: object cred if request is coming from an open object + * @mask: contains the policy manipulation operation being done * * Returns: 0 if the task is allowed to manipulate policy else error */ -int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns, u32 mask) +int aa_may_manage_policy(const struct cred *subj_cred, struct aa_label *label, + struct aa_ns *ns, const struct cred *ocred, u32 mask) { const char *op; @@ -718,6 +748,11 @@ int aa_may_manage_policy(struct aa_label return audit_policy(label, op, NULL, NULL, "policy_locked", -EACCES); + if (ocred && !is_subset_of_obj_privilege(subj_cred, label, ocred)) + return audit_policy(label, op, NULL, NULL, + "not privileged for target profile", + -EACCES); + if (!policy_admin_capable(ns)) return audit_policy(label, op, NULL, NULL, "not policy admin", -EACCES);