when aa-logprof processed file access rules with mask of "c" the resulting profile doesn't work
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Medium | Unassigned |
apparmor (Ubuntu) | Expired | Medium | Unassigned |
Bug Description
To set the scene
+++++++
#!/bin/bash
echo "hello world"
cat /etc/passwd
echo 'echo "I am a pink bunny!"' >> ~/.profile
+++++++
+++++++
# Last Modified: Thu May 29 11:34:54 2014
#include <tunables/global>
/usr/local/
#include <abstractions/base>
#include <abstractions/bash>
/bin/bash ix,
/bin/cat rix,
/dev/tty rw,
/usr/
}
+++++++
So I run test2.sh and the >> ~/.profile is denied as expected. When I go to run aa-logprof it picks up on the logline
apparmor=
It asks me about adding an append mode, which makes sense, so I add and allow. Now my profile looks like so
+++++++
# Last Modified: Thu May 29 12:32:31 2014
#include <tunables/global>
/usr/local/
#include <abstractions/base>
#include <abstractions/bash>
/bin/bash ix,
/bin/cat rix,
/dev/tty rw,
/root/.profile a,
/usr/
}
+++++++
The problem is when I run test2.sh again the append rule is still denied. I think this is likely because although the request_mask of "c" is converted to "a" by logparser.py, in the runtime code (kernel?, apparmor_parser?) "c" is not converted to "a" nor is it a subset of "a". It is in fact a subset of "w", which works. Here is the workaround in diff format.
--- /usr/lib/
+++ /usr/lib/
@@ -126,12 +126,12 @@
# Map c (create) to a and d (delete) to w, logprof doesn't support c and d
if rmask:
- rmask = rmask.replace('c', 'a')
+ rmask = rmask.replace('c', 'w')
rmask = rmask.replace('d', 'w')
if not validate_
if dmask:
- dmask = dmask.replace('c', 'a')
+ dmask = dmask.replace('c', 'w')
dmask = dmask.replace('d', 'w')
if not validate_
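Review bot: the comment at the top of the hunk still says "Map c (create) to a" while both replaced lines now map 'c' to 'w'; update it to something like `# Map c (create) and d (delete) to w, logprof doesn't support c and d` so the comment matches the code. Note also that mapping 'c' to 'w' makes aa-logprof propose a broader permission than the append the log line asked for ('w' covers 'a'); that is the trade-off this workaround accepts in exchange for a rule the kernel actually honours.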
Right now I don't have time to identify where this bug is exactly but if I do I will update this ticket.
Changed in apparmor (Ubuntu):
status: New → Incomplete
tags: added: aa-tools
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
Changed in apparmor:
importance: Undecided → Medium
status: New → Incomplete
Changed in apparmor:
status: Fix Committed → Fix Released
Additional problem: when there is an already existing deny rule with a "w" mask
deny /home/*/.profile w,
the "a" mask is not recognized as being matched by it and thus aa-logprof prompts to create a new rule when the permission is already affirmatively denied.
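The mask-subset argument in the description and the deny-rule case in the last comment, worked through as an added Python model that is not part of this report or of AppArmor's logparser.py; the covering table is an assumption built from what the report states ("c" is a subset of "w" but not of "a"; a deny with "w" already decides an "a" request):

```python
# Toy model of the mask handling the bug report describes. It is NOT the
# AppArmor code: logparser.py's two mapping lines and the kernel's permission
# check are modelled only as far as the bug needs. COVERS is an assumption
# derived from the report, not the real AppArmor permission lattice.

# Request letters a single profile mode letter satisfies (assumed model).
COVERS = {
    "r": {"r"},
    "a": {"a"},            # append only: does not cover create
    "w": {"w", "a", "c"},  # write covers append and create
}


def expand(rule_mask):
    """Set of request letters satisfied by a rule mask such as 'rw'."""
    granted = set()
    for letter in rule_mask:
        granted |= COVERS.get(letter, {letter})
    return granted


def logprof_map(rmask, fixed=False):
    """Mirror the mapping in the hunk: 'c'->'a' as shipped, 'c'->'w' with
    the workaround applied; 'd'->'w' in both versions."""
    rmask = rmask.replace("c", "w" if fixed else "a")
    return rmask.replace("d", "w")


def kernel_allows(requested_mask, rule_mask):
    """Would a rule carrying rule_mask satisfy a request of requested_mask?"""
    return set(requested_mask) <= expand(rule_mask)


def replay(requested_mask, fixed=False):
    """Rerun the script against the rule aa-logprof wrote for the log line."""
    return kernel_allows(requested_mask, logprof_map(requested_mask, fixed))


def deny_rule_covers(deny_mask, proposed_mask):
    """Second problem: an existing 'deny ... w,' already decides an 'a' request,
    so aa-logprof should not prompt for a new rule."""
    return set(proposed_mask) <= expand(deny_mask)


if __name__ == "__main__":
    print("shipped mapping, rerun allowed:", replay("c"))          # False
    print("workaround mapping, rerun allowed:", replay("c", True))  # True
    print("deny w already covers a:", deny_rule_covers("w", "a"))   # True
```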