apparmor_parser dfa dominance is incorrect

Bug #670639 reported by Jamie Strandboge
Affects / Status / Importance / Assigned to / Milestone:
  AppArmor: Triaged, Low, Unassigned
  apparmor (Ubuntu): Triaged, Low, Unassigned

Bug Description

Binary package hint: apparmor

On up-to-date Maverick, the following will not parse:

$ cat /tmp/bug_fails
#include <tunables/global>
profile confined_user {
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/consoles>
   #include <abstractions/nameservice>

   deny capability sys_ptrace,

   owner /** rwkl,
   @{PROC}/** r,

   /bin/** Pixmr,
   /usr/bin/** Pixmr,
   owner @{HOMEDIRS}/bin/** Pixmr,
}

$ apparmor_parser -S /tmp/bug_fails >/dev/null
failed user merge 0xa7f 0x201
failed user merge 0xa7f 0x201
ERROR processing regexs for profile confined_user, failed to load

But this will:

$ cat /tmp/bug_works
#include <tunables/global>
profile confined_user {
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/consoles>
   #include <abstractions/nameservice>

   deny capability sys_ptrace,

   owner /** rwkl,
   @{PROC}/** r,

   /bin/** Pixmr,
   /usr/bin/** Pixmr,
   owner @{HOMEDIRS}/bin/** ixmr,
}
$ apparmor_parser -S /tmp/bug_works >/dev/null

Attached are the profiles and output from apparmor_parser -p.

Tags: aa-parser
Jamie Strandboge (jdstrand) wrote:
Changed in apparmor (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
importance: Low → Medium
Steve Beattie (sbeattie) wrote:

Hi,

The issue with the failing profile is that there are legitimate conflicting X transitions:

  # encrypted ~/.Private and old-style encrypted $HOME
  owner @{HOME}/.Private/** mrixwlk,
  # new-style encrypted $HOME
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

and

  owner @{HOMEDIRS}/bin/** Pixmr,

where HOMEDIRS = /home/ and HOME = /home/*, which results in:

  /home/*/.Private/** mrixwlk,
  /home/bin/** Pixmr,

Even adjusting the latter rule to be @{HOME} rather than @{HOMEDIRS} still results in a conflict with the "new-style encrypted $HOME" rule:

  /home/.ecryptfs/*/.Private/** mrixwlk,
  /home/*/bin/** Pixmr,

However, the parser has been updated to have a slightly better error message when conflicts like this occur; currently it reports the following when given profiles such as these:

  $ apparmor_parser -Q bug_fails.p
  profile has merged rule with conflicting x modifiers
  ERROR processing regexs for profile confined_user, failed to load

though ideally it would give a better indication as to which rules are conflicting.

I'm going to mark this bug as incomplete, as the error message has been improved, but ideally it would be improved more; however, I'm not sure that at the point where the DFA computation detects that there are overlapping 'x' rules it has enough information to backtrack to identify which rules are problematic.

Changed in apparmor (Ubuntu):
status: Confirmed → Incomplete
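The overlap Steve describes can be reproduced outside the parser. The following is an added example, not part of this bug report or of the AppArmor parser: it expands the two tunables with the values given in the comment (HOMEDIRS = /home/, HOME = /home/*; the real tunables/home is richer, so this is a simplification), converts AppArmor globs to regexes, and searches for a concrete path that matches two rules carrying different x qualifiers. The witness search substitutes literal path components borrowed from the other rule into each wildcard, so a reported conflict is always real, but it is not a complete check like the parser's DFA merge. The three rule sets are constructed from the rules quoted above: the failing profile, the working profile (ix instead of Pix), and the @{HOME} variant from the comment.

```python
import itertools
import re

# Constructed tunable values taken from the comment above (assumption: this is
# all the expansion these rules need; the real tunables/home defines more).
TUNABLES = {"HOMEDIRS": "/home/", "HOME": "/home/*"}

# Letters that qualify an x permission (P/p/C/c/U/u transitions, i inherit).
EXEC_QUALIFIERS = set("PpCcUui")

# Rule sets built from the rules quoted in the comment (constructed input).
FAILS_RULES = [
    ("@{HOME}/.Private/**", "mrixwlk"),
    ("@{HOMEDIRS}/.ecryptfs/*/.Private/**", "mrixwlk"),
    ("@{HOMEDIRS}/bin/**", "Pixmr"),
]
WORKS_RULES = FAILS_RULES[:2] + [("@{HOMEDIRS}/bin/**", "ixmr")]
HOME_VARIANT_RULES = FAILS_RULES[:2] + [("@{HOME}/bin/**", "Pixmr")]


def expand(path, tunables=TUNABLES):
    """Substitute @{NAME} variables and collapse doubled slashes."""
    out = re.sub(r"@\{(\w+)\}", lambda m: tunables[m.group(1)], path)
    return re.sub(r"/+", "/", out)


def glob_to_regex(glob):
    """AppArmor globbing: '**' may span '/', '*' and '?' may not."""
    parts = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def exec_mode(perms):
    """Sorted x qualifier letters of a permission string, '' if it has no x."""
    if "x" not in perms:
        return ""
    return "".join(sorted(c for c in perms if c in EXEC_QUALIFIERS))


def witnesses(glob, fillers):
    """Concrete paths obtained by filling every wildcard with a literal."""
    pieces = re.split(r"(\*\*|\*|\?)", glob)
    slots = [i for i, p in enumerate(pieces) if p in ("**", "*", "?")]
    for combo in itertools.product(fillers, repeat=len(slots)):
        filled = list(pieces)
        for slot, f in zip(slots, combo):
            filled[slot] = f[0] if pieces[slot] == "?" else f
        yield "".join(filled)


def find_conflicts(rules, tunables=TUNABLES):
    """Return (glob_a, glob_b, path) for each pair of rules with different x
    qualifiers for which a witness path matches both. Sound, not complete."""
    expanded = [(expand(p, tunables), perms) for p, perms in rules]
    found = []
    for (ga, pa), (gb, pb) in itertools.combinations(expanded, 2):
        ma, mb = exec_mode(pa), exec_mode(pb)
        if not ma or not mb or ma == mb:
            continue  # no x on one side, or identical x modes: no conflict
        # Literal path components of both globs serve as wildcard fillers.
        fillers = {seg for g in (ga, gb) for seg in g.split("/")
                   if seg and "*" not in seg and "?" not in seg} | {"x"}
        ra, rb = glob_to_regex(ga), glob_to_regex(gb)
        for cand in itertools.chain(witnesses(ga, fillers), witnesses(gb, fillers)):
            if ra.match(cand) and rb.match(cand):
                found.append((ga, gb, cand))
                break
    return found


if __name__ == "__main__":
    for name, rules in (("bug_fails", FAILS_RULES), ("bug_works", WORKS_RULES),
                        ("home_variant", HOME_VARIANT_RULES)):
        for ga, gb, path in find_conflicts(rules):
            print(f"{name}: '{ga}' and '{gb}' both match {path} with different x modes")
```

Run stand-alone it reports one conflict for the failing profile (the /home/*/.Private/** and /home/bin/** pair), none for the working profile, and one for the @{HOME} variant (the .ecryptfs rule against /home/*/bin/**), which is exactly the pairing the comment works through by hand; the parser's DFA sees the same overlaps but, as noted above, has lost the rule identities by the time it reports them.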
John Johansen (jjohansen) wrote:

The parser does not currently have the information it needs to provide a better error message. There is a work item to push this information into the parser backend so that a better message can be provided in the future.

Steve Beattie (sbeattie)
Changed in apparmor (Ubuntu):
status: Incomplete → Confirmed
status: Confirmed → Triaged
Changed in apparmor (Ubuntu):
importance: Medium → Low
tags: added: aa-parser
Changed in apparmor:
status: New → Triaged
importance: Undecided → Low