apparmor_parser dfa dominance is incorrect
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Triaged | Low | Unassigned |
apparmor (Ubuntu) | Triaged | Low | Unassigned |
Bug Description
Binary package hint: apparmor
On an up-to-date Maverick, the following will not parse:
$ cat /tmp/bug_fails
#include <tunables/global>
profile confined_user {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/
#include <abstractions/
deny capability sys_ptrace,
owner /** rwkl,
@{PROC}/** r,
/bin/** Pixmr,
/usr/bin/** Pixmr,
owner @{HOMEDIRS}/bin/** Pixmr,
}
$ apparmor_parser -S /tmp/bug_fails >/dev/null
failed user merge 0xa7f 0x201
failed user merge 0xa7f 0x201
ERROR processing regexs for profile confined_user, failed to load
But this will:
$ cat /tmp/bug_works
#include <tunables/global>
profile confined_user {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/
#include <abstractions/
deny capability sys_ptrace,
owner /** rwkl,
@{PROC}/** r,
/bin/** Pixmr,
/usr/bin/** Pixmr,
owner @{HOMEDIRS}/bin/** ixmr,
}
$ apparmor_parser -S /tmp/bug_works >/dev/null
Attached are the profiles and output from apparmor_parser -p.
Changed in apparmor (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
importance: Low → Medium
Changed in apparmor (Ubuntu):
status: Incomplete → Confirmed
status: Confirmed → Triaged
Changed in apparmor (Ubuntu):
importance: Medium → Low
tags: added: aa-parser
Changed in apparmor:
status: New → Triaged
importance: Undecided → Low
Hi,
The issue with the failing profile is that there are legitimate conflicting X transitions:
# encrypted ~/.Private and old-style encrypted $HOME
owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
and
owner @{HOMEDIRS}/bin/** Pixmr,
where HOMEDIRS = /home/ and HOME = /home/*, that results in:
/home/*/.Private/** mrixwlk,
/home/bin/** Pixmr,
even adjusting the latter rule to be @{HOME} rather than @{HOMEDIRS} still results in a conflict with the "new-style encrypted $HOME" rule:
/home/.ecryptfs/*/.Private/** mrixwlk,
/home/*/bin/** Pixmr,
However, the parser has been updated to give a slightly better error message when conflicts like this occur. Currently it reports the following when given profiles such as these:
$ apparmor_parser -Q bug_fails.p
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile confined_user, failed to load
though ideally it would give a better indication as to which rules are conflicting.
I'm going to mark this bug as incomplete, as the error message has been improved, but ideally it would be improved more; however, I'm not sure that at the point where the DFA computation detects that there are overlapping 'x' rules it has enough information to backtrack and identify which rules are problematic.
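The overlap the comment describes can be checked mechanically before a profile ever reaches apparmor_parser. The script below is an added example and is not code from the bug report or from the AppArmor project: it expands @{HOME} and @{HOMEDIRS} using the values quoted in the comment (constructed here, not read from tunables/global), translates AppArmor path globs to regular expressions, and then looks for a concrete path that two rules with different x modifiers both match. The search is bounded: candidate paths are built from the literal segments of the two rules plus a filler segment, up to five segments deep, so a witness it finds is a genuine conflict, while finding none does not prove the rules are disjoint (the parser decides that exactly during DFA construction). The sample rule lists are constructed from the two abstractions/base rules quoted in the comment and the user rule from the profiles in the report.

```python
"""Bounded witness search for AppArmor path rules whose exec (x) modifiers conflict.
Added illustration, not part of apparmor_parser; variable values and rules are constructed."""
import itertools
import re

# Constructed to match the values quoted in the comment: HOMEDIRS = /home/, HOME = /home/*
VARIABLES = {"HOMEDIRS": "/home/", "HOME": "/home/*"}
QUALIFIERS = ("owner", "audit")  # qualifiers this example strips from a path rule


def expand_vars(path):
    """Substitute @{VAR} references and collapse doubled slashes (as the parser does)."""
    def sub(match):
        name = match.group(1)
        if name not in VARIABLES:
            raise KeyError("undefined variable @{%s}" % name)
        return VARIABLES[name]
    return re.sub(r"/+", "/", re.sub(r"@\{(\w+)\}", sub, path))


def glob_to_regex(glob):
    """AppArmor glob to anchored regex: '**' spans '/', '*' and '?' do not."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*"); i += 2
        elif glob[i] == "*":
            parts.append("[^/]*"); i += 1
        elif glob[i] == "?":
            parts.append("[^/]"); i += 1
        else:
            parts.append(re.escape(glob[i])); i += 1
    return re.compile("^" + "".join(parts) + "$")


def x_mode(perms):
    """Return the exec transition modifier (ix, Pix, Ux, ...) in a permission string, or None."""
    match = re.search(r"[PpCc]?[iuU]?x", perms)
    return match.group(0) if match else None


def parse_rule(line):
    """Parse 'owner /path/** perms,' into (expanded_glob, regex, x_mode); None for other rules."""
    tokens = line.strip().rstrip(",").split()
    if not tokens or tokens[0] == "deny":
        return None  # deny rules never grant an exec transition
    while tokens and tokens[0] in QUALIFIERS:
        tokens.pop(0)
    if len(tokens) != 2 or not tokens[0].startswith(("/", "@{")):
        return None  # capability, #include, network, ... are not path rules
    mode = x_mode(tokens[1])
    if mode is None:
        return None  # no x permission, so it cannot take part in an x conflict
    expanded = expand_vars(tokens[0])
    return expanded, glob_to_regex(expanded), mode


def candidate_paths(globs, max_depth):
    """Absolute paths of 1..max_depth segments drawn from the globs' literal
    segments plus the filler 'x'; the filler is tried first so witnesses stay short."""
    literals = set()
    for glob in globs:
        for seg in glob.strip("/").split("/"):
            literal = seg.replace("*", "").replace("?", "")
            if literal:
                literals.add(literal)
    segments = ["x"] + sorted(literals)
    for depth in range(1, max_depth + 1):
        for combo in itertools.product(segments, repeat=depth):
            yield "/" + "/".join(combo)


def find_x_conflicts(rules, max_depth=5):
    """Return (rule_a, rule_b, witness_path) for each pair of rules with different
    x modes that both match some enumerated path. A witness proves a conflict;
    no witness within max_depth does not prove the rules are disjoint."""
    parsed = [(line, parse_rule(line)) for line in rules]
    parsed = [(line, p) for line, p in parsed if p is not None]
    conflicts = []
    for (line_a, (glob_a, rx_a, mode_a)), (line_b, (glob_b, rx_b, mode_b)) in itertools.combinations(parsed, 2):
        if mode_a == mode_b:
            continue  # identical transitions merge cleanly
        for path in candidate_paths([glob_a, glob_b], max_depth):
            if rx_a.match(path) and rx_b.match(path):
                conflicts.append((line_a, line_b, path))
                break
    return conflicts


# Constructed from the comment: the two abstractions/base rules plus the report's user rules.
FAILING_RULES = [
    "owner @{HOME}/.Private/** mrixwlk,",
    "owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,",
    "/bin/** Pixmr,",
    "owner @{HOMEDIRS}/bin/** Pixmr,",
]
WORKING_RULES = FAILING_RULES[:-1] + ["owner @{HOMEDIRS}/bin/** ixmr,"]
HOME_VARIANT_RULES = FAILING_RULES[:-1] + ["owner @{HOME}/bin/** Pixmr,"]

if __name__ == "__main__":
    for label, rules in (("bug_fails", FAILING_RULES), ("bug_works", WORKING_RULES),
                         ("@{HOME} variant", HOME_VARIANT_RULES)):
        found = find_x_conflicts(rules)
        print("%s: %d conflicting pair(s)" % (label, len(found)))
        for rule_a, rule_b, path in found:
            print("  %s  <->  %s  via %s" % (rule_a, rule_b, path))
```

Run stand-alone, the script reports one conflicting pair for the failing profile (the @{HOME}/.Private rule against @{HOMEDIRS}/bin, witnessed by a path under /home/bin/.Private/), none for the working profile where the user rule is ix like the abstraction's, and one for the @{HOME} variant the comment discusses, witnessed by a path under /home/.ecryptfs/bin/.Private/. Printing the witness is the piece of information the comment says the parser's own error message lacks; a real check would of course still defer to apparmor_parser for the final answer.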