aa-status doesn't work with confined init (before default profile reload).

Bug #1691761 reported by Mikhail Kurinnoi
Affects: AppArmor | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

I am playing around with confined init (disabled SECURITY_APPARMOR_UNCONFINED_INIT kernel config option) and faced one issue connected to the apparmor utils.

apparmor utils v2.11.0

---------------------------------------------------------------------

1) Kernel configured with SECURITY_APPARMOR_UNCONFINED_INIT disabled.
2) Default profile not reloaded with the user's default profile.
3) # ps aux -Z | grep "default"
   ...
default (-) root 2 0.0 0.0 0 0 ? S 16:16 0:00 [kthreadd]
default (-) root 3 0.0 0.0 0 0 ? S 16:16 0:00 [ksoftirqd/0]
   ...
4) # aa-status

Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.4/aa-status", line 255, in <module>
    commands[cmd]()
  File "/usr/lib/python-exec/python3.4/aa-status", line 59, in cmd_verbose
    profiles = get_profiles()
  File "/usr/lib/python-exec/python3.4/aa-status", line 149, in get_profiles
    profiles[match.group(1)] = match.group(2)
AttributeError: 'NoneType' object has no attribute 'group'

---------------------------------------------------------------------

1) Kernel configured with SECURITY_APPARMOR_UNCONFINED_INIT disabled.
2) Default profile reloaded with the user's default profile, for example:
profile default flags=(complain) {}
3) # ps aux -Z | grep "default"
   ...
default (complain) root 2 0.0 0.0 0 0 ? S 16:16 0:00 [kthreadd]
default (complain) root 3 0.0 0.0 0 0 ? S 16:16 0:00 [ksoftirqd/0]
   ...
4) # aa-status
  ...
142 processes are in complain mode.
   default (2)
   default (3)
  ...

Tags: aa-tools
Christian Boltz (cboltz) wrote :

Looks like /sys/kernel/security/apparmor/profiles has unexpected content.

Please run (in the state when aa-status errors out)
    cat /sys/kernel/security/apparmor/profiles > /tmp/aa_broken_profiles
and attach that file.

Mikhail Kurinnoi (viewizard) wrote :

I did
# cat /sys/kernel/security/apparmor/profiles > /tmp/aa_broken_profiles

File attached.

But this is only a one-line file, "default (-)", since no profiles are loaded (I don't load profiles for test purposes). I mean, I can load profiles or not, but the issue will remain as long as confined init is used without the default profile being reloaded by a custom one. As soon as I reload the default profile, all is fine with aa-status usage.

Christian Boltz (cboltz) wrote :

That already explains it - the regex doesn't match the "(-)", but the code expects that the regex always matches ;-)

Can you edit aa-status a bit? Search for (should be line 148)
        match = re.search("^([^\(]+)\s+\((\w+)\)$", p)
and replace it with
        match = re.search("^([^\(]+)\s+\((\w+|-)\)$", p)
(the added part is the "|-" near the end of the regex)

This should prevent the crash.

The interesting question is how aa-status will behave because it only expects "enforce" and "complain", but not "-". From a quick look at the code, I don't expect serious problems - but it might look like it can't count (I wouldn't be surprised if it will say "1 profile loaded" and then print an empty list of profiles).

Mikhail Kurinnoi (viewizard) wrote :

I made the changes to aa-status (in line 148, as you mentioned above). This fixed the issue for me.

# aa-status
apparmor module is loaded.
1 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

I also tested it with loaded profiles (without default profile reload), and all looks good.

Is it possible to add some output like "N processes are confined by the default profile." (with a list of processes), or something like this, in case the internal default profile is detected? Or just a warning that the default, non-reloaded profile is being used?
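The regex change Christian suggests above and the per-process summary Mikhail asks for, as an added Python example (not aa-status code or an AppArmor patch): it reproduces the AttributeError with the 2.11 regex on a constructed profiles listing, shows the patched regex accepting "default (-)", and produces an extra "N processes are confined by the default profile" line from constructed `ps aux -Z` output. The `ps` column layout, the helper names and the wording of the extra line are assumptions.

```python
import re
from collections import Counter

# Regex quoted in the thread from aa-status 2.11 (line 148): the mode group
# \w+ matches only word characters, so the kernel-internal "default (-)" entry
# produces match == None and the following match.group() call raises.
PROFILE_RE_ORIGINAL = re.compile(r"^([^\(]+)\s+\((\w+)\)$")
# Patched regex suggested in the thread: the mode may also be a bare "-".
PROFILE_RE_PATCHED = re.compile(r"^([^\(]+)\s+\((\w+|-)\)$")

# Constructed sample of /sys/kernel/security/apparmor/profiles on a
# confined-init kernel before the default profile is replaced; the two
# ordinary profiles are added for illustration.
SAMPLE_PROFILES = """\
default (-)
/usr/sbin/tcpdump (enforce)
/usr/bin/man (complain)
"""

# Constructed sample of `ps aux -Z` output (label column first, as in the
# report above); the exact column layout is an assumption.
SAMPLE_PS = """\
LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
default (-) root 1 0.0 0.1 4568 1234 ? Ss 16:16 0:01 /sbin/init
default (-) root 2 0.0 0.0 0 0 ? S 16:16 0:00 [kthreadd]
default (-) root 3 0.0 0.0 0 0 ? S 16:16 0:00 [ksoftirqd/0]
/usr/sbin/tcpdump (enforce) root 1234 0.0 0.1 0 0 ? S 16:20 0:00 tcpdump -i eth0
unconfined mikhail 2001 0.0 0.0 0 0 pts/0 Ss 16:21 0:00 bash
"""

def get_profiles(text, pattern=PROFILE_RE_ORIGINAL):
    """Mirror of the failing aa-status loop: one regex per line, no None check."""
    profiles = {}
    for p in text.splitlines():
        if not p.strip():
            continue
        match = pattern.search(p)
        profiles[match.group(1)] = match.group(2)  # AttributeError when match is None
    return profiles

def crashes(text, pattern):
    """True when get_profiles() raises the AttributeError seen in the traceback."""
    try:
        get_profiles(text, pattern)
    except AttributeError:
        return True
    return False

def get_profiles_safely(text, pattern=PROFILE_RE_PATCHED):
    """Hardened loop: unknown lines are collected instead of crashing the tool."""
    profiles, unparsed = {}, []
    for p in text.splitlines():
        if not p.strip():
            continue
        match = pattern.search(p)
        if match is None:
            unparsed.append(p)
            continue
        profiles[match.group(1)] = match.group(2)
    return profiles, unparsed

# Label, optional "(mode)", user and PID from a `ps aux -Z` line; "unconfined"
# carries no mode, and the header line has no numeric PID so it does not match.
PS_LINE_RE = re.compile(
    r"^(?P<label>\S+)(?: \((?P<mode>\w+|-)\))?\s+(?P<user>\S+)\s+(?P<pid>\d+)\s")

def summarize_processes(ps_output):
    """Count processes per mode and list the PIDs held by the kernel's
    built-in default profile (label "default", mode "-")."""
    by_mode = Counter()
    default_pids = []
    for line in ps_output.splitlines():
        m = PS_LINE_RE.match(line)
        if m is None:
            continue
        mode = m.group("mode") or "unconfined"
        by_mode[mode] += 1
        if m.group("label") == "default" and m.group("mode") == "-":
            default_pids.append(int(m.group("pid")))
    return dict(by_mode), default_pids

def report(profiles_text, ps_output):
    """aa-status-style summary plus the extra line asked for in the thread
    (the wording is an assumption, not real aa-status output)."""
    profiles, unparsed = get_profiles_safely(profiles_text)
    by_mode, default_pids = summarize_processes(ps_output)
    lines = [f"{len(profiles)} profiles are loaded."]
    for mode in ("enforce", "complain"):
        n = sum(1 for m in profiles.values() if m == mode)
        lines.append(f"{n} profiles are in {mode} mode.")
        lines.append(f"{by_mode.get(mode, 0)} processes are in {mode} mode.")
    if profiles.get("default") == "-":
        lines.append(f"{len(default_pids)} processes are confined by the kernel's "
                     "built-in default profile (not reloaded).")
        lines.extend(f"   default ({pid})" for pid in default_pids)
    lines.extend(f"warning: unparsed profiles entry: {p!r}" for p in unparsed)
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_PROFILES, SAMPLE_PS))
```

The hardened loop is the part worth keeping regardless of the regex: a status tool that reads kernel-provided text should skip and flag lines it cannot parse rather than abort, because the set of mode strings the kernel emits can change between releases.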
