AppArmor

aa-cleanprof drops audit modifier incorrectly

Bug #1443642 reported by Steve Beattie on 2015-04-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	Fix Released	Undecided	Christian Boltz	AppArmor 2.11

Bug Description

ubuntu@vivid-amd64:~/bzr/apparmor/utils$ cat ~/tmp/aa-test/bin.true
# Last Modified: Mon Apr 13 13:19:19 2015
#include <tunables/global>

/bin/true {
#include <abstractions/base>

audit /bin/true ix,

capability setuid,

/bin/true ix,

}
ubuntu@vivid-amd64:~/bzr/apparmor/utils$ PYTHONPATH=$PWD ./aa-cleanprof -d ~/tmp/aa-test/ /bin/true

Deleted 0 rules.

= Changed Local Profiles =

The local profile for /bin/true in file /home/ubuntu/tmp/aa-test/bin.true was changed. Would you like to save it?

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /bin/true.
cat: write error: Broken pipe
ubuntu@vivid-amd64:~/bzr/apparmor/utils$ cat ~/tmp/aa-test/bin.true
# Last Modified: Mon Apr 13 13:27:10 2015
#include <tunables/global>

/bin/true {
#include <abstractions/base>

capability setuid,

/bin/true ix,

}

Note that the one permission remaining for /bin/true ix, is missing the audit keyword.

Tags:

Revision history for this message

Christian Boltz (cboltz) wrote on 2015-05-25:

With a slightly different test profile, I get:

/usr/bin/true {
- /bin/false ix,
- audit /bin/false ix,
- audit /bin/true ix,
- /bin/true ix,
+ audit /bin/false ix,
+ /bin/true ix,
}

At the beginning of cleanprofile.py delete_path_duplicates(), we have:

profile[allow]['path'] {
'/bin/true': defaultdict(<function hasher at 0x7f32d7650ae8>, {'mode': {'x', 'i', '::i', '::x'}, 'audit': set()}),
'/bin/false': defaultdict(<function hasher at 0x7f32d7650ae8>, {'mode': {'x', 'i', '::i', '::x'}, 'audit': {'x', 'i', '::x', '::i'}})
}

profile_other[allow]['path'] is exactly the same.

This seems to be a "last one wins" :-( and is probably a bug in parsing the profiles, not in aa-cleanprof / cleanprof.py itsself. This also means the audit keyword could (untested!) get lost in a normal aa-logprof run.

Revision history for this message

Christian Boltz (cboltz) wrote on 2016-08-14:

This is fixed with the FileRule patch series I posted to the mailinglist two days ago. FileRule uses a completely different method to store file rules, and overwriting parameters of an existing rule can't happen unless doing someting totally and obviously crazy in the code.

I also confirmed by manual testing that aa-cleanprof will keep the audit rule.

Nevertheless, a second pair of eyes never hurts. Can you please test and report back?

Changed in apparmor:
milestone:	none → 2.11
status:	New → In Progress

Revision history for this message

Christian Boltz (cboltz) wrote on 2016-10-02:

I commited the FileRule series yesterday, which means this is fixed in bzr trunk.

Changed in apparmor:
status:	In Progress → Fix Committed
assignee:	nobody → Christian Boltz (cboltz)

Christian Boltz (cboltz) on 2017-01-10

Changed in apparmor:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.