aa-cleanprof drops audit modifier incorrectly

Bug #1443642 reported by Steve Beattie
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Fix Released
Undecided
Christian Boltz

Bug Description

ubuntu@vivid-amd64:~/bzr/apparmor/utils$ cat ~/tmp/aa-test/bin.true
# Last Modified: Mon Apr 13 13:19:19 2015
#include <tunables/global>

/bin/true {
  #include <abstractions/base>

  audit /bin/true ix,

  capability setuid,

  /bin/true ix,

}
ubuntu@vivid-amd64:~/bzr/apparmor/utils$ PYTHONPATH=$PWD ./aa-cleanprof -d ~/tmp/aa-test/ /bin/true

Deleted 0 rules.

= Changed Local Profiles =

The local profile for /bin/true in file /home/ubuntu/tmp/aa-test/bin.true was changed. Would you like to save it?

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /bin/true.
cat: write error: Broken pipe
ubuntu@vivid-amd64:~/bzr/apparmor/utils$ cat ~/tmp/aa-test/bin.true
# Last Modified: Mon Apr 13 13:27:10 2015
#include <tunables/global>

/bin/true {
  #include <abstractions/base>

  capability setuid,

  /bin/true ix,

}

Note that the one permission remaining for /bin/true ix, is missing the audit keyword.

Tags: aa-tools
Revision history for this message
Christian Boltz (cboltz) wrote :

With a slightly different test profile, I get:

 /usr/bin/true {
- /bin/false ix,
- audit /bin/false ix,
- audit /bin/true ix,
- /bin/true ix,
+ audit /bin/false ix,
+ /bin/true ix,
 }

At the beginning of cleanprofile.py delete_path_duplicates(), we have:

profile[allow]['path'] {
    '/bin/true': defaultdict(<function hasher at 0x7f32d7650ae8>, {'mode': {'x', 'i', '::i', '::x'}, 'audit': set()}),
    '/bin/false': defaultdict(<function hasher at 0x7f32d7650ae8>, {'mode': {'x', 'i', '::i', '::x'}, 'audit': {'x', 'i', '::x', '::i'}})
}

profile_other[allow]['path'] is exactly the same.

This seems to be a "last one wins" :-( and is probably a bug in parsing the profiles, not in aa-cleanprof / cleanprof.py itsself. This also means the audit keyword could (untested!) get lost in a normal aa-logprof run.

Revision history for this message
Christian Boltz (cboltz) wrote :

This is fixed with the FileRule patch series I posted to the mailinglist two days ago. FileRule uses a completely different method to store file rules, and overwriting parameters of an existing rule can't happen unless doing someting totally and obviously crazy in the code.

I also confirmed by manual testing that aa-cleanprof will keep the audit rule.

Nevertheless, a second pair of eyes never hurts. Can you please test and report back?

Changed in apparmor:
milestone: none → 2.11
status: New → In Progress
Revision history for this message
Christian Boltz (cboltz) wrote :

I commited the FileRule series yesterday, which means this is fixed in bzr trunk.

Changed in apparmor:
status: In Progress → Fix Committed
assignee: nobody → Christian Boltz (cboltz)
Christian Boltz (cboltz)
Changed in apparmor:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.