kernel-packages team mailing list archive

Thread
Date
[Bug 692821] Re: apparmor aa_change_onexec doesn't work

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Rolf Leggewie <692821@xxxxxxxxxxxxxxxxxx>
Date: Wed, 17 Jun 2015 11:17:41 -0000
Reply-to: Bug 692821 <692821@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
lucid has seen the end of its life and is no longer receiving any
updates. Marking the lucid task for this ticket as "Won't Fix".

** Changed in: linux (Ubuntu Lucid)
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/692821

Title:
  apparmor aa_change_onexec doesn't work

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Lucid:
  Won't Fix
Status in linux source package in Maverick:
  Fix Released
Status in linux source package in Natty:
  Invalid

Bug description:
  libapparmor provides an aa_change_onexec(3) function which writes into
  /proc/self/attr/exec file, which is managed by a loaded security
  module. aa_change_onexec(3) requires the AppArmor module be loaded.
  (Source for this routine is in package libapparmor, src/change_hat.c.)

  The provided program and profile will demonstrate the problem.

  Save the profile into /etc/apparmor.d/test_onexec

  Load the profile with: sudo apparmor_parser --replace
  /etc/apparmor.d/test_onexec

  Compile the program with: gcc -o aa-change aa-change.c -lapparmor

  Run the program as follows:

  $ ./aa-change profile test_onexec 'head -1 /etc/passwd ; cat /proc/self/attr/current'
  Currently running in domain 'test_onexec (enforce)'
  sh: head: Permission denied
  test_onexec (enforce)
  $ ./aa-change exec test_onexec 'head -1 /etc/passwd ; cat /proc/self/attr/current'
  Will transition to 'test_onexec (enforce)' domain on exec()
  root:x:0:0:root:/root:/bin/bash
  unconfined

  'profile' uses aa_change_profile(3) to immediate change into the
  test_onexec profile. 'head' cannot execute, and 'cat' is confined with
  the test_onexec profile.

  'exec' uses aa_change_onexec(3) to change into the test_onexec profile
  at the next exec(2) call. 'head' runs (it should fail) and reads
  /etc/passwd (which should also fail). The 'cat' process is unconfined.
  Thus the aa_change_onexec(3) has failed. Output should be very similar
  to 'profile' case.

  $ uname -a
  Linux haig 2.6.32-26-generic #47-Ubuntu SMP Wed Nov 17 15:58:05 UTC 2010 x86_64 GNU/Linux
  $ cat /proc/version_signature 
  Ubuntu 2.6.32-26.47-generic 2.6.32.24+drm33.11
  $ 

  dmesg will include lines like the following:
  type=1505 audit(1292894196.363:299):  operation="profile_load" pid=5543 name="test_onexec"
  type=1503 audit(1292894419.381:301):  operation="exec" pid=5592 parent=5590 profile="test_onexec" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/head"

  While watching dmesg output you can confirm that the 'exec' mode of
  the test program doesn't reject execution of /usr/bin/head, while the
  'profile' mode of the test program does reject execution of
  /usr/bin/head.

  Feel free to close WONTFIX if fixing this is beyond the scope of LTS.
  (I want to save others time in the future when this issue is
  discovered by someone else.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/692821/+subscriptions