Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's AppArmor implementation allows an unprivileged local user to perform privileged policy management through the AppArmor filesystem interfaces. The flaw is a confused deputy: the unprivileged user opens an AppArmor interface file and hands the resulting file descriptor to a privileged process, which is then induced to write to it. The kernel authorised the write on the basis of the writing task's privileges rather than those of the task that opened the interface, so the privileged deputy's credentials were applied to the unprivileged user's request. Exploitation requires a privileged target process that can be manipulated into writing through a caller-supplied descriptor. If successful, the attacker gains full control over AppArmor policy and can remove confinement, cause denial of service to confined applications, bypass user namespace restrictions, or use loosened confinement to reach other kernel vulnerabilities for local privilege escalation.
Successful exploitation gives an unprivileged user full control over AppArmor policy management, which can be used to alter or remove application confinement and potentially escalate privileges.
To reproduce the vulnerability, an unprivileged local user opens an AppArmor filesystem interface and obtains a file descriptor for it. That descriptor is passed to a privileged process (for example over a UNIX socket), which is manipulated into writing to it. Because the write is evaluated against the privileged process's credentials, the unprivileged user can load, replace, or remove AppArmor profiles.
The fix ensures that the task writing to an AppArmor interface has privileges that are a subset of those of the task that opened the interface, so a descriptor opened by an unprivileged user cannot be used to perform privileged policy operations regardless of who performs the write. This vulnerability has been addressed in the Linux kernel; affected systems should update to a kernel containing the fix.
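The kernel fix is the real mitigation, but the same confused-deputy pattern applies to any privileged helper that accepts file descriptors from less privileged peers. The following is an added example (not code from the advisory, the kernel, or any AppArmor project) of the defensive check such a helper can perform: it passes a descriptor over a socketpair with SCM_RIGHTS, then resolves the received descriptor through /proc/self/fd and refuses to write if it points into the AppArmor interface. The securityfs mount point /sys/kernel/security/apparmor/ is assumed to be the default; a path-prefix check is a heuristic, so descriptors that cannot be resolved are treated as untrusted.

```c
// Added example: a privileged "deputy" vetting received descriptors before
// writing through them. Assumes Linux with /proc and the default
// securityfs mount at /sys/kernel/security/apparmor/ (both are assumptions).
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define APPARMORFS_PREFIX "/sys/kernel/security/apparmor/"

/* Pure check: does a resolved path point into the AppArmor interface? */
int path_is_apparmorfs(const char *path)
{
    return strncmp(path, APPARMORFS_PREFIX, strlen(APPARMORFS_PREFIX)) == 0;
}

/* Resolve fd via /proc/self/fd and classify it.
 * 1 = apparmorfs, 0 = something else, -1 = unresolvable (treated as untrusted). */
int fd_targets_apparmorfs(int fd)
{
    char link[64], target[PATH_MAX];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, target, sizeof target - 1);
    if (n < 0)
        return -1;
    target[n] = '\0';
    return path_is_apparmorfs(target);
}

/* Send one descriptor over a UNIX socket with SCM_RIGHTS. 0 on success. */
int send_fd(int sock, int fd)
{
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new fd or -1. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* The deputy: write only after vetting the descriptor it was handed.
 * Returns bytes written, or -1 if the descriptor was rejected. */
ssize_t deputy_write(int received_fd, const char *buf, size_t len)
{
    if (fd_targets_apparmorfs(received_fd) != 0)
        return -1;              /* reject apparmorfs and unresolvable fds */
    return write(received_fd, buf, len);
}

/* Demo: open `path`, pass it across a socketpair, let the deputy vet and
 * write one byte. Returns the deputy's result, or -1 on setup failure. */
ssize_t demo_pass_and_write(const char *path)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = -1;
    if (send_fd(sv[0], fd) == 0) {
        int got = recv_fd(sv[1]);
        if (got >= 0) {
            w = deputy_write(got, "x", 1);
            close(got);
        }
    }
    close(fd);
    close(sv[0]);
    close(sv[1]);
    return w;
}

int main(void)
{
    printf("/dev/null via deputy: %zd\n", demo_pass_and_write("/dev/null"));
    return 0;
}
```

Running this as an unprivileged user with /dev/null shows the deputy writing one byte; a descriptor opened on an AppArmor interface such as .load or .replace would be refused before any write. A stricter variant would compare the descriptor's st_dev against the securityfs mount rather than trusting a path prefix, since bind mounts can place the same files under another path.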