Activity log for bug #1045081

Date Who What changed Old value New value Message
2012-09-02 20:11:47 Jamie Strandboge bug added bug
2012-09-02 20:11:47 Jamie Strandboge attachment added apparmor.tar.gz https://bugs.launchpad.net/bugs/1045081/+attachment/3289458/+files/apparmor.tar.gz
2012-09-02 20:12:07 Jamie Strandboge summary
  Old value: child Cx transition to grandchild transition silently fails, and child Px to sibling transition fails
  New value: child Cx transition to grandchild transition silently fails, and child Px to sibling transition silently fails
2012-09-02 20:13:03 Jamie Strandboge description
  Old value:
    I noticed that apparmor does not transition from a child to a grandchild. Eg:

    /tmp/foo {
      /tmp/bar Cx -> bar, # works
      profile bar {
        /tmp/baz Cx -> baz, # does not work
        profile baz {
        }
      }
    }

    The following child to a sibling also fails:

    /tmp/foo {
      /tmp/bar Cx -> bar, # works
      profile bar {
        /tmp/baz Px -> baz, # does not work
      }
      profile baz {
      }
    }

    Attached is a tarball that shows how transitions work for ix, px, px to an uncle, px to a sibling, and cx to a grandchild. Run it with:

    $ tar -zxf ./apparmor.tar.gz
    $ cd ./apparmor
    $ ./poc.sh
    = profile-ix =
    start
    foo
    bar
    baz
    pass
    = profile-px =
    start
    foo
    bar
    baz
    pass
    = profile-px-sibling =
    start
    foo
    /tmp/bug/bar: /tmp/bug/baz: /bin/sh: bad interpreter: No such file or directory
    FAIL
    = profile-px-uncle =
    start
    foo
    bar
    baz
    pass
    = profile-cx-grandchild =
    apparmor_parser: Unable to replace "baz". Profile doesn't exist
    start
    foo
    /tmp/bug/bar: /tmp/bug/baz: /bin/sh: bad interpreter: No such file or directory
    FAIL
    Cleaning up
      removing profile-cx-grandchild
      removing profile-ix
      removing profile-px
      removing profile-px-sibling
      removing profile-px-uncle
    [1] $

  New value:
    I noticed that apparmor does not transition from a child to a grandchild. Eg:

    /tmp/foo {
      /tmp/bar Cx -> bar, # works
      profile bar {
        /tmp/baz Cx -> baz, # does not work
        profile baz {
        }
      }
    }

    The following child to a sibling also fails:

    /tmp/foo {
      /tmp/bar Cx -> bar, # works
      profile bar {
        /tmp/baz Px -> baz, # does not work
      }
      profile baz {
      }
    }

    Attached is a tarball that shows how transitions work for ix, px, px to an uncle, px to a sibling, and cx to a grandchild. Run it with:

    $ tar -zxf ./apparmor.tar.gz
    $ cd ./apparmor
    $ ./poc.sh
    = profile-ix =
    start
    foo
    bar
    baz
    pass
    = profile-px =
    start
    foo
    bar
    baz
    pass
    = profile-px-sibling =
    start
    foo
    /tmp/bug/bar: /tmp/bug/baz: /bin/sh: bad interpreter: No such file or directory
    FAIL
    = profile-px-uncle =
    start
    foo
    bar
    baz
    pass
    = profile-cx-grandchild =
    apparmor_parser: Unable to replace "baz". Profile doesn't exist
    start
    foo
    /tmp/bug/bar: /tmp/bug/baz: /bin/sh: bad interpreter: No such file or directory
    FAIL
    Cleaning up
      removing profile-cx-grandchild
      removing profile-ix
      removing profile-px
      removing profile-px-sibling
      removing profile-px-uncle
    [1] $

    Also, these transitions fail silently (both at compile and runtime), which might be related to bug #1045074
2012-09-04 18:56:04 Jamie Strandboge apparmor (Ubuntu): assignee John Johansen (jjohansen)
2012-09-04 19:56:00 Simon Déziel bug added subscriber Simon Déziel
2012-09-05 23:01:26 John Johansen apparmor (Ubuntu): importance Undecided Wishlist
2012-09-05 23:01:35 John Johansen apparmor (Ubuntu): status New Triaged
2014-10-08 22:50:55 Jamie Strandboge apparmor (Ubuntu): assignee John Johansen (jjohansen)
2014-10-23 23:56:00 Jamie Strandboge tags aa-parser