aa-complain only works if profile is named precisely for executable

Bug #1128468 reported by Ned Batchelder
This bug affects 1 person
Affects: AppArmor
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: 2.9.2

Bug Description

I made a new executable with Python virtualenv, and tried to set it to complain mode, but it ended up in enforce mode:

~ $ pwd
/home/ned
~ $ virtualenv python-secured
New python executable in python-secured/bin/python
Installing distribute.............................................................................................................................................................................................done.
Installing pip...............done.
~ $ pushd /etc/apparmor.d/
/etc/apparmor.d ~ /etc/apparmor.d
/etc/apparmor.d $ sudo vim home.ned.python-secured
[sudo] password for ned:
/etc/apparmor.d $ cat home.ned.python-secured

#include <tunables/global>

/home/ned/python-secured/bin/python {
  #include <abstractions/base>

  /home/ned/python-secured/bin/python mr,
  /home/ned/python-secured/** r,
  /usr/include/python2.7/** r,
  /usr/local/lib/python2.7/** r,
  /usr/lib/python2.7/** rix,

  /tmp/** rix,
}
/etc/apparmor.d $ sudo apparmor_status
apparmor module is loaded.
24 profiles are loaded.
24 profiles are in enforce mode.
   /home/ned/mitx_all/python-sandbox/bin/python
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/python-sandbox
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/i386-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper
   /usr/lib/i386-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper//chromium_browser
   /usr/lib/i386-linux-gnu/lightdm-remote-session-uccsconfigure/uccsconfigure-session-wrapper
   /usr/lib/i386-linux-gnu/lightdm-remote-session-uccsconfigure/uccsconfigure-session-wrapper//chromium_browser
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/sbin/cupsd
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
   /sbin/dhclient (21292)
   /usr/lib/telepathy/mission-control-5 (2130)
   /usr/sbin/cupsd (684)
   /usr/sbin/mysqld (889)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
/etc/apparmor.d $ sudo aa-complain /home/ned/python-secured/bin/python
/etc/apparmor.d $ sudo apparmor_status
apparmor module is loaded.
24 profiles are loaded.
24 profiles are in enforce mode.
   /home/ned/mitx_all/python-sandbox/bin/python
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/python-sandbox
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/i386-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper
   /usr/lib/i386-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper//chromium_browser
   /usr/lib/i386-linux-gnu/lightdm-remote-session-uccsconfigure/uccsconfigure-session-wrapper
   /usr/lib/i386-linux-gnu/lightdm-remote-session-uccsconfigure/uccsconfigure-session-wrapper//chromium_browser
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/sbin/cupsd
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
   /sbin/dhclient (21292)
   /usr/lib/telepathy/mission-control-5 (2130)
   /usr/sbin/cupsd (684)
   /usr/sbin/mysqld (889)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
/etc/apparmor.d $ sudo invoke-rc.d apparmor reload
 * Reloading AppArmor profiles Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
[ OK ]
/etc/apparmor.d $ sudo apparmor_status
apparmor module is loaded.
25 profiles are loaded.
25 profiles are in enforce mode.
   /home/ned/mitx_all/python-sandbox/bin/python
   /home/ned/python-secured/bin/python
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/python-sandbox
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/i386-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper
   /usr/lib/i386-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper//chromium_browser
   /usr/lib/i386-linux-gnu/lightdm-remote-session-uccsconfigure/uccsconfigure-session-wrapper
   /usr/lib/i386-linux-gnu/lightdm-remote-session-uccsconfigure/uccsconfigure-session-wrapper//chromium_browser
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/sbin/cupsd
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
   /sbin/dhclient (21292)
   /usr/lib/telepathy/mission-control-5 (2130)
   /usr/sbin/cupsd (684)
   /usr/sbin/mysqld (889)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
/etc/apparmor.d $

The problem was diagnosed by cboltz in the #apparmor IRC channel: my profile was named incorrectly. Once I renamed it to home.ned.python-secured.bin.python, it worked:

/etc/apparmor.d $ sudo mv home.ned.python-secured home.ned.python-secured.bin.python
/etc/apparmor.d $ sudo invoke-rc.d apparmor reload
 * Reloading AppArmor profiles Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
[ OK ]
/etc/apparmor.d $ sudo aa-complain /home/ned/python-secured/bin/python
Setting /home/ned/python-secured/bin/python to complain mode.
/etc/apparmor.d $ sudo apparmor_status
apparmor module is loaded.
25 profiles are loaded.
24 profiles are in enforce mode.
   /home/ned/mitx_all/python-sandbox/bin/python
   /sbin/dhclient
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/python-sandbox
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/i386-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper
   /usr/lib/i386-linux-gnu/lightdm-remote-session-freerdp/freerdp-session-wrapper//chromium_browser
   /usr/lib/i386-linux-gnu/lightdm-remote-session-uccsconfigure/uccsconfigure-session-wrapper
   /usr/lib/i386-linux-gnu/lightdm-remote-session-uccsconfigure/uccsconfigure-session-wrapper//chromium_browser
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/sbin/cupsd
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /home/ned/python-secured/bin/python
4 processes have profiles defined.
4 processes are in enforce mode.
   /sbin/dhclient (21292)
   /usr/lib/telepathy/mission-control-5 (2130)
   /usr/sbin/cupsd (684)
   /usr/sbin/mysqld (889)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

It was not at all clear to me that the actual filename of the profile in apparmor.d mattered, since the profile contains the file path to the executable within it. And most of AppArmor works no matter what the filename is.

At the very least, aa-complain could have complained! :)

Tags: aa-tools
Changed in apparmor:
status: New → Confirmed
Christian Boltz (cboltz) wrote:

Short status update: with the new python utils, I get at least an error message:

python3 aa-complain true # "hidden" in /etc/apparmor.d/some.profile
Profile for /usr/bin/true not found, skipping

For comparison: aa-cleanprof finds the profile.

tags: added: aa-tools
Changed in apparmor:
importance: Undecided → Medium
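The two checks below are added here as an example; they are not part of the bug report and not code from the AppArmor tools. They cover both things this report shows: a profile file that is "hidden" under a filename the aa-* tools do not expect, and the need to read apparmor_status rather than trust that aa-complain did something. The filename mapping (drop the leading slash, turn the remaining slashes into dots) is the one the report arrives at; the function names, exit codes, and the optional second argument that points at a scratch directory instead of /etc/apparmor.d are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the bug report or of the AppArmor tools).
# Two checks to run after hitting this bug:
#   1. Is the profile file under /etc/apparmor.d named the way the aa-*
#      tools expect (leading slash dropped, remaining slashes turned into
#      dots), or is it "hidden" under some other filename?
#   2. Did the mode actually change? Parse `apparmor_status` output for the
#      profile instead of trusting that aa-complain succeeded.
# The profile directory defaults to /etc/apparmor.d; pass another directory
# as the second argument to test against a scratch copy (assumed layout).

# /home/ned/python-secured/bin/python -> home.ned.python-secured.bin.python
expected_profile_name() {
    printf '%s\n' "${1#/}" | tr '/' '.'
}

# Search every file in the profile directory for a profile header naming
# the executable ("/path {", "profile /path {", "profile name /path {",
# with or without flags=(...)); print the first matching filename.
find_profile_by_header() {
    exe="$1"
    dir="${2:-/etc/apparmor.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if awk -v exe="$exe" '
            !/^[[:space:]]*#/ && /\{[[:space:]]*$/ {
                for (i = 1; i <= NF && $i != "{"; i++)
                    if ($i == exe) found = 1
            }
            END { exit found ? 0 : 1 }' "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Exit 0 if the profile sits under its conventional name, 1 if a profile
# for the executable exists but under a different filename (the silent
# no-op case in this bug), 2 if no profile header names the executable.
check_profile_location() {
    exe="$1"
    dir="${2:-/etc/apparmor.d}"
    want="$dir/$(expected_profile_name "$exe")"
    if [ -f "$want" ]; then
        echo "ok: $want"
        return 0
    fi
    if actual=$(find_profile_by_header "$exe" "$dir"); then
        echo "misnamed: profile for $exe is in $actual, expected $want"
        return 1
    fi
    echo "missing: no profile header names $exe under $dir"
    return 2
}

# Read `apparmor_status` output on stdin and print the mode the named
# profile is loaded in: "enforce", "complain" or "not loaded".
profile_mode() {
    awk -v exe="$1" '
        /profiles are in enforce mode/    { section = "enforce";  next }
        /profiles are in complain mode/   { section = "complain"; next }
        /processes have profiles defined/ { section = "" }
        section != "" && $1 == exe        { mode = section }
        END { print (mode == "" ? "not loaded" : mode) }'
}

# Usage against the live system (run as root):
#   check_profile_location /home/ned/python-secured/bin/python
#   apparmor_status | profile_mode /home/ned/python-secured/bin/python
```

Run before and after `aa-complain`: the first check tells you whether the tool will even find the file, and the second confirms the mode change from the kernel's point of view rather than from the tool's silence.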
Jamie Strandboge (jdstrand) wrote:

This still affects 2.9.

Christian Boltz (cboltz) wrote:

Just tested - this was fixed in bzr (trunk and 2.9 branch) with one of my patches in the last weeks. 2.9.2 will contain the fixed aa-complain.

Changed in apparmor:
status: Confirmed → Fix Committed
milestone: none → 2.9.2
Steve Beattie (sbeattie)
Changed in apparmor:
status: Fix Committed → Fix Released