aa-cleanprof drops audit modifier incorrectly
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Undecided | Christian Boltz |
Bug Description
ubuntu@
# Last Modified: Mon Apr 13 13:19:19 2015
#include <tunables/global>
/bin/true {
#include <abstractions/base>
audit /bin/true ix,
capability setuid,
/bin/true ix,
}
ubuntu@
Deleted 0 rules.
= Changed Local Profiles =
The local profile for /bin/true in file /home/ubuntu/
(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /bin/true.
cat: write error: Broken pipe
ubuntu@
# Last Modified: Mon Apr 13 13:27:10 2015
#include <tunables/global>
/bin/true {
#include <abstractions/base>
capability setuid,
/bin/true ix,
}
Note that the one permission remaining for /bin/true ix, is missing the audit keyword.
Changed in apparmor: status: Fix Committed → Fix Released
With a slightly different test profile, I get:
/usr/bin/true {
- /bin/false ix,
- audit /bin/false ix,
- audit /bin/true ix,
- /bin/true ix,
+ audit /bin/false ix,
+ /bin/true ix,
}
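Review bot: the two `+` lines are not equivalent to the four `-` lines: `/bin/true` loses its `audit` modifier while `/bin/false` keeps it, and the only difference between the two paths is rule order (the audited rule is the last one for `/bin/false` and the first one for `/bin/true`), so the merge is taking the audit flag from whichever rule was parsed last instead of the union over all rules for that path.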
At the beginning of cleanprofile.py delete_path_duplicates(), we have:
profile['allow']['path']:
{
    '/bin/true': defaultdict(<function hasher at 0x7f32d7650ae8>, {'mode': {'x', 'i', '::i', '::x'}, 'audit': set()}),
    '/bin/false': defaultdict(<function hasher at 0x7f32d7650ae8>, {'mode': {'x', 'i', '::i', '::x'}, 'audit': {'x', 'i', '::x', '::i'}})
}
profile_other['allow']['path'] is exactly the same.
This seems to be a "last one wins" :-( and is probably a bug in parsing the profiles, not in aa-cleanprof / cleanprof.py itself. This also means the audit keyword could (untested!) get lost in a normal aa-logprof run.
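The "last one wins" merge described in the comment above, reproduced in a small added example (this is not code from the AppArmor tools) next to the merge a practitioner would expect, where the audit set is the union of every audited rule for a path. It mirrors the `profile[...]['path'][path] = {'mode': set, 'audit': set}` layout quoted in the bug, but uses a plain dict instead of the `hasher` defaultdict and drops the `::` mode variants; `MODE_ORDER`, `PATH_RULE`, `parse_rules_last_wins`, `parse_rules_accumulate` and `write_rules` are names assumed for this example, and `TEST_RULES` is the second test profile from the bug report written out as rule lines.

```python
"""Toy reproduction of the 'last rule wins' audit loss in aa-cleanprof.

Added example, not code from the AppArmor tools. The dict layout follows
the profile[...]['path'] dump quoted in the bug; the hasher defaultdict and
the '::' mode variants are left out (assumption, to keep the example short).
"""
import re

# Permission letters this toy understands; also the order used when a mode
# set is turned back into text (assumed ordering, not AppArmor's own).
MODE_ORDER = "mrwalkixpuc"

# A path rule: optional 'audit' prefix, an absolute path, a mode string, comma.
PATH_RULE = re.compile(r"^(?P<audit>audit\s+)?(?P<path>/\S*)\s+(?P<mode>[a-zA-Z]+),$")

# The second test profile from the bug report, as individual rule lines.
TEST_RULES = [
    "/bin/false ix,",
    "audit /bin/false ix,",
    "audit /bin/true ix,",
    "/bin/true ix,",
]


def _parse_line(line):
    """Return (path, mode_set, is_audit) for one path rule, or raise ValueError."""
    m = PATH_RULE.match(line.strip())
    if not m:
        raise ValueError("not a path rule: %r" % line)
    mode = set(m.group("mode"))
    unknown = mode - set(MODE_ORDER)
    if unknown:
        raise ValueError("unsupported mode letters %r in %r" % (sorted(unknown), line))
    return m.group("path"), mode, bool(m.group("audit"))


def parse_rules_last_wins(rules):
    """Reproduces the bug: every rule for a path overwrites the 'audit' set."""
    paths = {}
    for line in rules:
        path, mode, is_audit = _parse_line(line)
        entry = paths.setdefault(path, {"mode": set(), "audit": set()})
        entry["mode"] |= mode
        entry["audit"] = set(mode) if is_audit else set()  # last rule wins
    return paths


def parse_rules_accumulate(rules):
    """Expected merge: the audit set is the union of all audited modes for the path."""
    paths = {}
    for line in rules:
        path, mode, is_audit = _parse_line(line)
        entry = paths.setdefault(path, {"mode": set(), "audit": set()})
        entry["mode"] |= mode
        if is_audit:
            entry["audit"] |= mode
    return paths


def _mode_str(mode):
    return "".join(c for c in MODE_ORDER if c in mode)


def write_rules(paths):
    """Serialise one entry per path; audited and plain modes get separate lines if they differ."""
    out = []
    for path in sorted(paths):
        entry = paths[path]
        audited = entry["audit"] & entry["mode"]
        plain = entry["mode"] - audited
        if audited:
            out.append("audit %s %s," % (path, _mode_str(audited)))
        if plain:
            out.append("%s %s," % (path, _mode_str(plain)))
    return out


if __name__ == "__main__":
    print("last rule wins (the bug):")
    for line in write_rules(parse_rules_last_wins(TEST_RULES)):
        print("  " + line)
    print("audit accumulated (expected):")
    for line in write_rules(parse_rules_accumulate(TEST_RULES)):
        print("  " + line)
```

Run stand-alone, the first block prints exactly the two `+` lines from the diff in the comment above (`audit /bin/false ix,` and `/bin/true ix,`), while the second keeps `audit` on both paths. The accumulating variant also handles a path whose audited modes are a strict subset of its modes by emitting one `audit` line for the audited letters and one plain line for the rest, which the overwriting variant cannot represent.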