aa-logprof crash if (I)nherit'ing non-existing binary

Bug #1379874 reported by Christian Boltz
This bug affects 1 person

Affects    Status        Importance  Assigned to       Milestone
AppArmor   Fix Released  Low         Christian Boltz
2.10       Fix Released  Undecided   Christian Boltz
2.9        Fix Released  Undecided   Christian Boltz

Bug Description

Imagine someone sent you his audit.log and asked you to update a profile for him...

Here's a hand-modified short audit.log:

# cat audit-log-inherit-nonexisting
type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"

# aa-logprof -f audit-log-inherit-nonexisting
Reading log entries from audit-log-inherit-nonexisting.
Updating AppArmor profiles in /etc/apparmor.d.

Profile: /sbin/klogd
Execute: /does/not/exist
Severity: unknown

(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
    ... choose (I)nherit ...
Traceback (most recent call last):
  File "aa-logprof", line 52, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 2267, in do_logprof_pass
    handle_children('', '', root)
  File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 1358, in handle_children
    hashbang = head(exec_target)
  File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 314, in head
    raise AppArmorException(_('Unable to read first line from %s: File Not Found') % file)
apparmor.common.AppArmorException: 'Unable to read first line from /does/not/exist: File Not Found'

Tags: aa-tools
Changed in apparmor:
importance: Undecided → Low
status: New → Triaged
Christian Boltz (cboltz) wrote:

I can no longer reproduce this crash for inherit (probably since r3261, which introduced get_interpreter_and_abstraction()), so the original bug is fixed in 2.10.1.

However, I found some new crashes using this log line:
- aa-logprof crashes when using (C)hild
- aa-logprof crashes when using (I)nherit and then (V)iew differences
- aa-logprof crashes when using (P)rofile and then (V)iew differences (also, no profile is created, and there's no message saying that)

This might be related to the profile name - the log has "/sbin/klogd", but the profile is named "klogd" and has a path attachment.

(C)hild profile:

Traceback (most recent call last):
  File "aa-logprof", line 50, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 2208, in do_logprof_pass
    handle_children('', '', root)
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 1515, in handle_children
    filelist[file_name]['profiles'][profile][hat] = True
TypeError: unhashable type: 'collections.defaultdict'

(V)iew changes:

Traceback (most recent call last):
  File "aa-logprof", line 50, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 2225, in do_logprof_pass
    save_profiles()
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 2305, in save_profiles
    newprofile = serialize_profile_from_old_profile(aa[which], which, '')
  File "/home/cb/apparmor/HEAD-clean/utils/apparmor/aa.py", line 3778, in serialize_profile_from_old_profile
    if write_prof_data[hat]['capability'].is_covered(cap, True, True):
AttributeError: 'collections.defaultdict' object has no attribute 'is_covered'

Christian Boltz (cboltz) wrote:

I just re-tested this with the FileRule patch series applied.

I was able to reproduce the initial issue (but with a completely different crash message). It turned out to need a special precondition: the log event must specify a non-existing profile _and_ a file with the expected filename must exist (/etc/apparmor.d/sbin.klogd, which contains "profile klogd ... {").

The patch
    [39/38] Ignore exec events for non-existing profiles
of the FileRule series fixes this crash.

With this patch applied, the things described in comment #1 also work without problems (tested in bzr trunk with profile="klogd" in the log line because exec events for non-existing profiles get ignored now).

Changed in apparmor:
status: Triaged → In Progress
milestone: none → 2.11
Christian Boltz (cboltz) wrote:

Fixed in trunk r3551, 2.10 branch r3350 and 2.9 branch r3022.

To be clear after mixing up several issues in one bugreport - these revisions add the "[39/38] Ignore exec events for non-existing profiles" patch.

Changed in apparmor:
assignee: nobody → Christian Boltz (cboltz)
status: In Progress → Fix Committed
Christian Boltz (cboltz)
Changed in apparmor:
status: Fix Committed → Fix Released
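The two conditions that this report turns on (an exec event naming a profile that is not loaded, and an exec target that does not exist on the machine running aa-logprof) can be checked before a log line ever reaches the profile-editing code. The following is an added example, not code from the AppArmor utils or from the patch series referenced above. It assumes a hypothetical in-memory table of loaded profiles keyed by profile name (here `klogd`, attached to `/sbin/klogd`, as in comment #2), and it treats the reporter's log line plus two constructed variants as input. It shows why a log that says profile="/sbin/klogd" does not match a profile declared as `profile klogd /sbin/klogd { ... }`, and it reads the hashbang of an exec target without raising when the file is missing.

```python
"""Pre-filter AppArmor audit events before profile generation (added example)."""
import os
import re
from typing import Dict, List, Optional, Tuple

# key="quoted value" or key=bare_value (the msg=audit(...) field is unquoted)
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Hypothetical loaded-profile table: profile name -> attachment path.
# Mirrors a file containing 'profile klogd /sbin/klogd { ... }'.
KNOWN_PROFILES: Dict[str, str] = {"klogd": "/sbin/klogd"}

# Constructed sample log. Line 1 is the reporter's hand-modified event;
# lines 2 and 3 are made up for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"
type=AVC msg=audit(1407865080.001:216): apparmor="ALLOWED" operation="exec" profile="klogd" name="/does/not/exist" pid=11833 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="klogd//null-1"
type=AVC msg=audit(1407865081.002:217): apparmor="DENIED" operation="open" profile="klogd" name="/etc/shadow" pid=11834 comm="klogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

IGNORED_UNKNOWN_PROFILE = "ignored-unknown-profile"  # exec event for a profile that is not loaded
EXEC_TARGET_MISSING = "exec-target-missing"          # exec for a known profile, target not on disk
EXEC_TARGET_PRESENT = "exec-target-present"          # exec for a known profile, target exists
KEEP = "keep"                                        # any other operation


def parse_event(line: str) -> Dict[str, str]:
    """Split one audit-style AppArmor line into its key=value fields, unquoting values."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def exec_target_interpreter(path: str) -> Optional[str]:
    """Return the interpreter named on a '#!' line, or None.

    Returns None (instead of raising) when the target is missing or unreadable,
    which is the situation behind the original traceback from head().
    """
    try:
        with open(path, "rb") as fh:
            first = fh.readline(1024)
    except OSError:
        return None
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].decode("utf-8", "replace").split()
    return parts[0] if parts else None


def classify_events(lines: List[str], profiles: Dict[str, str]) -> List[Tuple[Dict[str, str], str]]:
    """Return (event, decision) pairs for every AppArmor AVC line.

    Exec events whose profile= field is not a loaded profile name are ignored,
    matching the behaviour of the "Ignore exec events for non-existing profiles"
    fix described in the comments; the attachment path is deliberately not
    consulted, so profile="/sbin/klogd" does not resolve to profile "klogd".
    """
    decisions: List[Tuple[Dict[str, str], str]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("type") != "AVC" or "apparmor" not in ev:
            continue
        if ev.get("operation") != "exec":
            decisions.append((ev, KEEP))
        elif ev.get("profile") not in profiles:
            decisions.append((ev, IGNORED_UNKNOWN_PROFILE))
        elif os.path.exists(ev.get("name", "")):
            decisions.append((ev, EXEC_TARGET_PRESENT))
        else:
            decisions.append((ev, EXEC_TARGET_MISSING))
    return decisions


if __name__ == "__main__":
    for ev, decision in classify_events(SAMPLE_LOG.splitlines(), KNOWN_PROFILES):
        interp = exec_target_interpreter(ev["name"]) if decision == EXEC_TARGET_PRESENT else None
        print(f'{ev["profile"]:>12} {ev["operation"]:>5} {ev["name"]:<20} -> {decision} interpreter={interp}')
```

Run it with no arguments: the first line is dropped because "/sbin/klogd" is not a loaded profile name, the second is kept as an exec event whose target is absent (so any interpreter lookup must tolerate a missing file), and the third is an ordinary file event that passes through.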