)]}' { "commit": "cb2a70cd852b6cbeb4386055554ddb62cfcec439", "tree": "6ea8699f4b9820328fc9b6c45f25ce608e70a034", "parents": [ "390d86854b7dc65ae2b66e2566e60ba9f31974e4" ], "author": { "name": "John Johansen", "email": "john.johansen@canonical.com", "time": "Fri Nov 07 08:36:04 2025 -0800" }, "committer": { "name": "Robert Kolchmeyer", "email": "rkolchmeyer@google.com", "time": "Fri Mar 13 13:34:30 2026 -0700" }, "message": "apparmor: fix unprivileged local user can do privileged policy management\n\ncommit 6601e13e82841879406bf9f369032656f441a425 upstream.\n\nAn unprivileged local user can load, replace, and remove profiles by\nopening the apparmorfs interfaces, via a confused deputy attack, by\npassing the opened fd to a privileged process, and getting the\nprivileged process to write to the interface.\n\nThis does require a privileged target that can be manipulated to do\nthe write for the unprivileged process, but once such access is\nachieved full policy management is possible and all the possible\nimplications that implies: removing confinement, DoS of system or\ntarget applications by denying all execution, by-passing the\nunprivileged user namespace restriction, to exploiting kernel bugs for\na local privilege escalation.\n\nThe policy management interface can not have its permissions simply\nchanged from 0666 to 0600 because non-root processes need to be able\nto load policy to different policy namespaces.\n\nInstead ensure the task writing the interface has privileges that\nare a subset of the task that opened the interface. This is already\ndone via policy for confined processes, but unconfined can delegate\naccess to the opened fd, by-passing the usual policy check.\n\nBUG\u003dNone\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed the \"CrackArmor\" vulnerability in the Linux kernel.\n\ncos-patch: security-high\nFixes: b7fd2c0340eac (\"apparmor: add per policy ns .load, .replace, .remove interface files\")\nReported-by: Qualys Security Advisory \u003cqsa@qualys.com\u003e\nTested-by: Salvatore Bonaccorso \u003ccarnil@debian.org\u003e\nReviewed-by: Georgia Garcia \u003cgeorgia.garcia@canonical.com\u003e\nReviewed-by: Cengiz Can \u003ccengiz.can@canonical.com\u003e\nChange-Id: Ibc8c76cf2669f2d670ded67a4b112403c2e2e51a\nSigned-off-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n(cherry picked from commit 0fc63dd9170643d15c25681fca792539e23f4640)\nSigned-off-by: Robert Kolchmeyer \u003crkolchmeyer@google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/137848\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: He Gao \u003chegao@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "584b40718ecb70993c9b02a16e6dbeda0184c9e5", "old_mode": 33188, "old_path": "security/apparmor/apparmorfs.c", "new_id": "ae5bb2ed0dc355433bd7bd341c695ca9c3e5d7f4", "new_mode": 33188, "new_path": "security/apparmor/apparmorfs.c" }, { "type": "modify", "old_id": "75088cc310b677f7fddf95215965049fa9ee12bf", "old_mode": 33188, "old_path": "security/apparmor/include/policy.h", "new_id": "b8c35972883ce70e9347b4d92ff7fb311089a58e", "new_mode": 33188, "new_path": "security/apparmor/include/policy.h" }, { "type": "modify", "old_id": "9a4e29cdd8c0c7521d45a9ae0768fd980b7a987a", "old_mode": 33188, "old_path": "security/apparmor/policy.c", "new_id": "29f1cfd75090cde44c77c858a36a88390c4d8f0c", "new_mode": 33188, "new_path": "security/apparmor/policy.c" } ] }