From 43e2f7c9c63daa4ae436b068e89c48b5d0944f02 Mon Sep 17 00:00:00 2001
From: Alex Murray
Date: Wed, 17 Nov 2021 14:32:09 +1030
Subject: [PATCH] [PATCH 12/36] cmd/libsnap-confine-private: Don't fail open on apparmor confinement

aa_is_enabled() can be made to fail by setting low open file limits or similar - in this case, snap-confine would continue executing as though it were unconfined. However, this can be detected by checking errno more closely - so only fail open when we know AppArmor either is not supported or has been explicitly disabled at boot and otherwise fail closed.

Signed-off-by: Alex Murray
Gbp-Pq: Topic cve202144730
Gbp-Pq: Name 0012-cmd-libsnap-confine-private-Don-t-fail-open-on-appar.patch
---
 cmd/libsnap-confine-private/apparmor-support.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/cmd/libsnap-confine-private/apparmor-support.c b/cmd/libsnap-confine-private/apparmor-support.c
index eac0912d..9930e421 100644
--- a/cmd/libsnap-confine-private/apparmor-support.c
+++ b/cmd/libsnap-confine-private/apparmor-support.c
@@ -53,18 +53,24 @@ void sc_init_apparmor_support(struct sc_apparmor *apparmor)
 			debug
 			    ("apparmor is available on the system but has been disabled at boot");
 			break;
-		case ENOENT:
-			debug
-			    ("apparmor is available but the interface but the interface is not available");
-			break;
 		case EPERM:
 			// NOTE: fall-through
 		case EACCES:
 			debug
 			    ("insufficient permissions to determine if apparmor is enabled");
-			break;
+			// since snap-confine is setuid root this should
+			// never happen so likely someone is trying to
+			// manipulate our execution environment - fail hard
+
+			// fall-through
+		case ENOENT:
+		case ENOMEM:
 		default:
-			debug("apparmor is not enabled: %s", strerror(errno));
+			// this shouldn't happen under normal usage so it
+			// is possible someone is trying to manipulate our
+			// execution environment - fail hard
+			die("aa_is_enabled() failed unexpectedly (%s)",
+			    strerror(errno));
 			break;
 		}
 		apparmor->is_confined = false;
-- 
2.30.2
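Review bot: In the EPERM/EACCES path the new fall-through reaches `die("aa_is_enabled() failed unexpectedly (%s)", strerror(errno))` only after the context-line `debug(...)` call has run, and a stdio write can overwrite errno (a closed or exhausted stderr is exactly the kind of manipulated environment this commit is guarding against), so the fatal message may report the wrong reason; capturing it first, `int saved_errno = errno;` ahead of the `switch (errno)` (which begins outside this hunk) and passing `strerror(saved_errno)`, keeps the diagnostic trustworthy. The exit policy itself is sound but is not stated anywhere visible here: a comment above the switch such as `// Fail closed on any aa_is_enabled() error other than ENOSYS (no AppArmor) and ECANCELED (disabled at boot)` would make the fail-open/fail-closed boundary explicit for the next maintainer. If this library's `die()` already appends `strerror(errno)` to its message, as I believe it does, the `(%s)` argument prints the reason twice; worth confirming before merging. The `// fall-through` marker is separated from `case ENOENT:` by a blank line and is followed by a second copy of the same rationale under `default:`; folding the two comments into one and keeping the marker directly above the label reads cleaner and is what fall-through warnings expect.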