new apparmor not masking directory permissions correctly

Bug #138978 reported by Kees Cook
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: apparmor

With the prior version of apparmor, directory accesses were masked to only check read access. Current AppArmor now includes write access, breaking all abstractions. Easiest test is for write access to /tmp when including the user-tmp abstraction. See attached files.

With old AppArmor (expected results):

$ /tmp/test
0

With new AppArmor (eek):

$ /tmp/test
-1

with dmesg output:
[93189.905221] audit(1189544080.039:372): operation="inode_permission" requested_mask="rw" denied_mask="w" name="/tmp/" pid=13893 profile="/tmp/test"

Kees Cook (kees) wrote :

Source...

Kees Cook (kees) wrote :

Profile...

Kees Cook (kees) wrote :

Profile...

John Johansen (jjohansen) wrote :

This is an intentional change and bug fix in the new AppArmor. The old AppArmor was always supposed to mediate write access to directories, but due to a bug in the code it would not under most circumstances. AppArmor does mask and implicitly allow directory traversal (unix dac x perm on directory).

New AppArmor handles directories as follows:
Directory permissions are separated from file permissions with a trailing slash, i.e. /a/directory/
This allows a distinction between allowing permission for a file and for a directory.

                          old apparmor    new apparmor
    file permission       /tmp rw,        /tmp rw,
    directory permission  /tmp rw,        /tmp/ rw,

With this change, read access to directories may break existing profiles, because old profiles treated directories and files the same.

A good example of this behavior can be observed using a confined bash. Tab completion will not work without explicit read access to a given directory but access to a given file can still be allowed.

eg.
/bin/bash {
   ..
    /tmp/foo r, #allow access to /tmp/foo but not /tmp/
}

As long as /tmp/ r, is not included in the profile, bash cannot read the directory, so tab completion fails, but it can read the file /tmp/foo. Again, this is because directory traversal is implicitly allowed through masking but read and write are not.

It is also important to note the behavior of AppArmor's regexes: *, **, ?

Rule behavior from old AppArmor to new AppArmor:
/dir/* rw,          #changed now only matches files
/dir/file* rw,      #changed now only matches files
/dir/file*/ rw,     #changed now only matches dirs - previous behavior matched nothing
/dir/*file rw,      #changed now only matches files
/dir/*file/ rw,     #changed now only matches dirs - previous behavior matched nothing
/dir/*/file rw,     #changed now only matches files
/dir/*/file/ rw,    #changed now only matches dirs - previous behavior matched nothing

/dir/** rw,         #no change - matches files and directories

/dir/**/ rw,        #changed only matches directories - previous behavior matched nothing
/dir/**[^/] rw,     #changed only matches files - previous behavior matched files and dirs

/dir/foo** rw,      #no change - matches files and directories

/dir/**foo rw,      #changed matches only files
/dir/**foo/ rw,     #changed matches only dirs - previous behavior matched nothing
/dir/**foo[^/] rw,  #changed matches only files - previous behavior matched files and dirs
/dir/**/foo rw,     #changed only matches files
/dir/**/foo/ rw,    #changed only matches dirs - previous behavior matched nothing
/dir/**/foo[^/] rw, #changed only matches files - previous behavior matched files and dirs
/dir/foo? rw,       #changed matches only files - previous behavior matched files and dirs
/dir/foo?/ rw,      #changed matches only dirs - previous behavior matched nothing
/dir/foo?/bar       #changed only matches files - note the directories that bar is in are the same

To summarize there are changes in behavior (2 semantic and ...
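As an added example, not part of this bug report or of AppArmor's own parser: a small Python model of the trailing-slash semantics described in the comment above. It represents a directory as a path ending in '/' (as the audit line does with name="/tmp/") and uses a simplified glob translation (assumed here: * excludes '/', ** includes it, ? is one non-slash character, character classes pass through), then checks the file-vs-directory rows of the table against constructed sample paths.

```python
import re

# Constructed model, not the AppArmor parser. A directory is a path with a
# trailing '/', so a rule without a trailing slash can never match it.
def glob_to_regex(rule_path):
    """Translate an AppArmor-style path glob into an anchored regex (simplified model)."""
    out, i = [], 0
    while i < len(rule_path):
        c = rule_path[i]
        if c == '*':
            if rule_path[i + 1:i + 2] == '*':
                out.append('.*')          # ** crosses directory boundaries
                i += 2
                continue
            out.append('[^/]*')           # * stops at '/'
        elif c == '?':
            out.append('[^/]')            # one character, not '/'
        elif c == '[':
            j = rule_path.index(']', i)   # pass a class such as [^/] through
            out.append(rule_path[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')

def matches(rule_path, target):
    """True if the rule's path glob covers the target (file or dir/)."""
    return glob_to_regex(rule_path).match(target) is not None

def classify(rule_path, samples):
    """Split the sample paths a rule covers into (files, directories)."""
    files = [p for p in samples if not p.endswith('/') and matches(rule_path, p)]
    dirs = [p for p in samples if p.endswith('/') and matches(rule_path, p)]
    return files, dirs

# Constructed sample tree under /dir: three files, two dirs, and entries below /dir/sub/.
SAMPLES = ['/dir/file', '/dir/foo', '/dir/foo1', '/dir/sub/', '/dir/foo1/',
           '/dir/sub/file', '/dir/sub/foo', '/dir/sub/foo/']

if __name__ == '__main__':
    # The /tmp row of the table: the directory needs the trailing slash.
    print('/tmp covers /tmp/ :', matches('/tmp', '/tmp/'))    # False
    print('/tmp/ covers /tmp/:', matches('/tmp/', '/tmp/'))   # True
    for rule in ['/dir/*', '/dir/*/', '/dir/**', '/dir/**/', '/dir/**[^/]', '/dir/foo?']:
        print(f'{rule:14} files={classify(rule, SAMPLES)[0]} dirs={classify(rule, SAMPLES)[1]}')
```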

Kees Cook (kees) wrote :

apparmor (2.1+961-0ubuntu2) gutsy; urgency=low

  [ Mathias Gug ]
  * Disable html documentation: Fixes LP: #139091.
    * parser/Makefile, debian/rules: disable html documentation building.
    * debian/control: remove latex2html dependency.
  * profiles/apparmor.d/usr.sbin.avahi-daemon: add sys_chroot capability.
    Fixes LP: #139092.

  [ Kees Cook ]
  * profiles/apparmor.d/abstractions/user-tmp: adjust directory permissions
    for newly unmasked /tmp handling (LP: #138978).
  * utils/SubDomain.pm: disable remote repositories until RPC::XML MIR
    clears (LP: 139091).
  * utils/*.pod: adjust for Ubuntu paths and "aa-" prefixes (LP: #116647).
  * Fix upgrades to not unload profiles, which would cause programs to
    become unconfined:
    - debian/rules: don't stop apparmor on upgrades.
    - debian/apparmor.postinst: reload profiles after a configure.

 -- Kees Cook <email address hidden> Wed, 12 Sep 2007 13:14:02 -0700

Changed in apparmor:
status: New → Fix Released