[opensuse-kernel] Question about Apparmor kernel code

Hi All,

I would like to fix Bug 551799 - Dosemu doesn't start except from root account which is caused by Apparmor code in kernel. It is unclear to me how Apparmor kernel code for openSUSE 11.3 is maintained. Please, can anybody give me a hint?

Regards
Jiri

--
To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-kernel+help@opensuse.org

On 19.9.2010 12:09, Jiri Malak wrote:
> I would like to fix Bug 551799 - Dosemu doesn't start except from root account which is caused by Apparmor code in kernel. It is unclear to me how Apparmor kernel code for openSUSE 11.3 is maintained.

It is part of the opensuse kernel. Start with

    $ git clone git://gitorious.org/opensuse/kernel.git
    $ git checkout -b openSUSE-11.3 origin/openSUSE-11.3

The apparmor code is in security/apparmor/. Once you have a patch, it needs to be added to the patch series maintained in git://gitorious.org/opensuse/kernel-source.git (the kernel.git repo is auto-generated from here), but you can as well post the patch here and someone else will add it to the kernel-source.git repository.

Good luck,
Michal

----- Original Message -----
From: "Michal Marek" <mmarek@suse.cz>
To: <jiri@malakovi.cz>
Cc: <opensuse-kernel@opensuse.org>
Sent: Monday, September 20, 2010 12:17 PM
Subject: Re: [opensuse-kernel] Question about Apparmor kernel code

> On 19.9.2010 12:09, Jiri Malak wrote:
>> I would like to fix Bug 551799 - Dosemu doesn't start except from root account which is caused by Apparmor code in kernel. It is unclear to me how Apparmor kernel code for openSUSE 11.3 is maintained.
>
> It is part of the opensuse kernel. Start with
>
>     $ git clone git://gitorious.org/opensuse/kernel.git
>     $ git checkout -b openSUSE-11.3 origin/openSUSE-11.3
>
> The apparmor code is in security/apparmor/. Once you have a patch, it needs to be added to the patch series maintained in git://gitorious.org/opensuse/kernel-source.git (the kernel.git repo is auto-generated from here), but you can as well post the patch here and someone else will add it to the kernel-source.git repository.
>
> Good luck,
> Michal

Michal,

Thanks for your info. I am new to git, so I need to study this CVS a little.

Thanks
Jiri

On Sun, 19 Sep 2010 12:09:13 +0200, Jiri Malak wrote:
> I would like to fix Bug 551799 - Dosemu doesn't start except from root account which is caused by Apparmor code in kernel.

This should be solved by setting CONFIG_LSM_MMAP_MIN_ADDR to 0, shouldn't it?

Jeff, what do you think? Currently, it's 4096 in openSUSE-11.3 branch.

Thanks,
Jiri

--
Jiri Benc
SUSE Labs

On 09/20/2010 07:48 AM, Jiri Benc wrote:
> On Sun, 19 Sep 2010 12:09:13 +0200, Jiri Malak wrote:
>> I would like to fix Bug 551799 - Dosemu doesn't start except from root account which is caused by Apparmor code in kernel.
>
> This should be solved by setting CONFIG_LSM_MMAP_MIN_ADDR to 0, shouldn't it?
> Jeff, what do you think? Currently, it's 4096 in openSUSE-11.3 branch.

Yeah, I'm fine lowering the LSM_MMAP_MIN_ADDR just as long as the DEFAULT_MMAP_MIN_ADDR stays where it is. I've adjusted this in 11.3 and master.

-Jeff

--
Jeff Mahoney
SUSE Labs

----- Original Message -----
From: "Jiri Benc" <jbenc@suse.cz>
To: <opensuse-kernel@opensuse.org>
Cc: <jiri@malakovi.cz>; "Jeff Mahoney" <jeffm@suse.com>
Sent: Monday, September 20, 2010 1:48 PM
Subject: Re: [opensuse-kernel] Question about Apparmor kernel code

> On Sun, 19 Sep 2010 12:09:13 +0200, Jiri Malak wrote:
>> I would like to fix Bug 551799 - Dosemu doesn't start except from root account which is caused by Apparmor code in kernel.
>
> This should be solved by setting CONFIG_LSM_MMAP_MIN_ADDR to 0, shouldn't it?
> Jeff, what do you think? Currently, it's 4096 in openSUSE-11.3 branch.

It is the simplest fix, but it circumvents security rules. If I understand this problem correctly, then it should be handled by a sysctl command (by root) to set mmap_min_addr = 0 and by the Apparmor profile capability CAP_ROWIO.

Jiri

On Mon, 20 Sep 2010 21:27:44 +0200, Jiri Malak wrote:
> It is the simplest fix, but it circumvents security rules. If I understand this problem correctly, then it should be handled by a sysctl command (by root) to set mmap_min_addr = 0 and by the Apparmor profile capability CAP_ROWIO.

The other option you have is to fix dosemu, of course.

Jiri

--
Jiri Benc
SUSE Labs
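
The trade-off discussed in this thread, as an added example that is not part of any message above and not code from the openSUSE kernel: `lsm_floor()` models how mainline `security/min_addr.c` combines the `vm.mmap_min_addr` sysctl with the build-time `CONFIG_LSM_MMAP_MIN_ADDR`, and `probe_fixed_map()` checks whether the current process may map a page at a fixed low address. The function names and the 4096-byte page length are assumptions made for the illustration.

```c
/* Added illustration; function names are hypothetical, not kernel symbols. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Floor an LSM enforces on mmap addresses: the larger of the
 * vm.mmap_min_addr sysctl and the build-time CONFIG_LSM_MMAP_MIN_ADDR
 * (modelled on mainline security/min_addr.c). */
unsigned long lsm_floor(unsigned long sysctl_min, unsigned long lsm_min)
{
    return sysctl_min > lsm_min ? sysctl_min : lsm_min;
}

/* Current vm.mmap_min_addr, or -1 if it cannot be read. */
long read_sysctl_min_addr(void)
{
    long v = -1;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f) return -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Try to map one page at a fixed address, as a vm86 program such as
 * dosemu does for page zero. Returns 0 if allowed, else the errno. */
int probe_fixed_map(unsigned long addr)
{
    void *p = mmap((void *)addr, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, 4096);
    return 0;
}

int main(void)
{
    long s = read_sysctl_min_addr();
    unsigned long cur = s < 0 ? 0 : (unsigned long)s;
    int err = probe_fixed_map(0);
    printf("vm.mmap_min_addr: %ld\n", s);
    printf("LSM floor if built with 4096: %lu, with 0: %lu\n",
           lsm_floor(cur, 4096), lsm_floor(cur, 0));
    printf("mmap at 0: %s\n", err ? strerror(err) : "allowed");
    return 0;
}
```

With a build-time LSM value of 4096 the floor stays at 4096 even after root sets the sysctl to 0; with an LSM value of 0 the sysctl alone decides the floor.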
participants (5)
- Jeff Mahoney
- Jiri Benc
- Jiri Malak
- Jiri Malak
- Michal Marek