kernel-packages team mailing list archive

[Bug 692821] Re: apparmor aa_change_onexec doesn't work


lucid has seen the end of its life and is no longer receiving any
updates. Marking the lucid task for this ticket as "Won't Fix".

** Changed in: linux (Ubuntu Lucid)
       Status: Triaged => Won't Fix

You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.

  apparmor aa_change_onexec doesn't work

Status in linux package in Ubuntu:
Status in linux source package in Lucid:
  Won't Fix
Status in linux source package in Maverick:
  Fix Released
Status in linux source package in Natty:

Bug description:
  libapparmor provides an aa_change_onexec(3) function which writes into
  /proc/self/attr/exec file, which is managed by a loaded security
  module. aa_change_onexec(3) requires the AppArmor module be loaded.
  (Source for this routine is in package libapparmor, src/change_hat.c.)

  The provided program and profile will demonstrate the problem.

  Save the profile into /etc/apparmor.d/test_onexec

  Load the profile with: sudo apparmor_parser --replace

  Compile the program with: gcc -o aa-change aa-change.c -lapparmor

  Run the program as follows:

  $ ./aa-change profile test_onexec 'head -1 /etc/passwd ; cat /proc/self/attr/current'
  Currently running in domain 'test_onexec (enforce)'
  sh: head: Permission denied
  test_onexec (enforce)
  $ ./aa-change exec test_onexec 'head -1 /etc/passwd ; cat /proc/self/attr/current'
  Will transition to 'test_onexec (enforce)' domain on exec()

  'profile' uses aa_change_profile(3) to immediate change into the
  test_onexec profile. 'head' cannot execute, and 'cat' is confined with
  the test_onexec profile.

  'exec' uses aa_change_onexec(3) to change into the test_onexec profile
  at the next exec(2) call. 'head' runs (it should fail) and reads
  /etc/passwd (which should also fail). The 'cat' process is unconfined.
  Thus the aa_change_onexec(3) has failed. Output should be very similar
  to 'profile' case.

  $ uname -a
  Linux haig 2.6.32-26-generic #47-Ubuntu SMP Wed Nov 17 15:58:05 UTC 2010 x86_64 GNU/Linux
  $ cat /proc/version_signature
  Ubuntu 2.6.32-26.47-generic

  dmesg will include lines like the following:
  type=1505 audit(1292894196.363:299):  operation="profile_load" pid=5543 name="test_onexec"
  type=1503 audit(1292894419.381:301):  operation="exec" pid=5592 parent=5590 profile="test_onexec" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/head"

  While watching dmesg output you can confirm that the 'exec' mode of
  the test program doesn't reject execution of /usr/bin/head, while the
  'profile' mode of the test program does reject execution of

  Feel free to close WONTFIX if fixing this is beyond the scope of LTS.
  (I want to save others time in the future when this issue is
  discovered by someone else.)

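The check a practitioner wants after reading this report is to confirm, in the exec'd process itself, that the requested transition actually happened rather than trusting the library call's return value: the report shows aa_change_onexec(3) returning without error while the child stayed unconfined. The program below is an added example, not the report's aa-change.c and not libapparmor code. It writes the same "exec <profile>" text that libapparmor's aa_change_onexec(3) writes to /proc/self/attr/exec (so it needs no -lapparmor), execs cat on /proc/self/attr/current, and compares what the child reports against the expected profile. The profile name test_onexec is taken from the report; the function names and the fallback behaviour are this example's own assumptions. It only yields a meaningful verdict on a kernel with AppArmor loaded and the profile present; elsewhere the write fails and the program reports that instead.

```c
/* Added example (not the report's aa-change.c): verify an AppArmor
 * change-on-exec request by inspecting /proc/self/attr/current in the
 * exec'd child.  Profile name "test_onexec" comes from the report;
 * helper names are this example's own assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define ATTR_EXEC    "/proc/self/attr/exec"
#define ATTR_CURRENT "/proc/self/attr/current"

/* Build the request string written to the attr file ("exec <profile>" or
 * "changeprofile <profile>").  Returns 0, or -1 if buf is too small. */
int format_change_cmd(char *buf, size_t len, const char *verb, const char *profile)
{
    int n = snprintf(buf, len, "%s %s", verb, profile);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Parse the text of /proc/self/attr/current ("name (mode)\n" or
 * "unconfined\n") and return 1 if the confining profile is `expected`. */
int confined_as(const char *current, const char *expected)
{
    size_t n = strcspn(current, " \n");   /* profile name ends at ' ' or '\n' */
    return n == strlen(expected) && strncmp(current, expected, n) == 0;
}

/* Write one request to an attr file.  Returns 0, or -1 with errno set. */
static int write_attr(const char *path, const char *cmd)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, cmd, strlen(cmd));
    int saved = errno;
    close(fd);
    errno = saved;
    return w < 0 ? -1 : 0;
}

/* Request a transition on the next exec, exec cat on the child's own
 * attr/current, and compare.  Returns 1 if the child reports `profile`,
 * 0 if it reports something else (the bug in this report), -1 if the
 * request or the child itself failed.  `seen` receives the child's text. */
int verify_onexec(const char *profile, char *seen, size_t seen_len)
{
    char req[256];
    int pipefd[2];
    if (format_change_cmd(req, sizeof req, "exec", profile) < 0 || pipe(pipefd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(pipefd[0]);
        dup2(pipefd[1], STDOUT_FILENO);
        if (write_attr(ATTR_EXEC, req) < 0) {
            perror(ATTR_EXEC);            /* no AppArmor, or profile not loaded */
            _exit(2);
        }
        execl("/bin/cat", "cat", ATTR_CURRENT, (char *)NULL);
        _exit(2);
    }
    close(pipefd[1]);
    ssize_t r = read(pipefd[0], seen, seen_len - 1);
    close(pipefd[0]);
    int status;
    waitpid(pid, &status, 0);
    if (r <= 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    seen[r] = '\0';
    return confined_as(seen, profile);
}

int main(int argc, char **argv)
{
    const char *profile = argc > 1 ? argv[1] : "test_onexec";
    char seen[256];
    int rc = verify_onexec(profile, seen, sizeof seen);
    if (rc < 0) {
        fprintf(stderr, "could not request or observe the transition\n");
        return 2;
    }
    printf("child reports: %s", seen);
    printf("transition to '%s' on exec: %s\n", profile, rc ? "OK" : "FAILED");
    return rc ? 0 : 1;
}
```

Compile with gcc -o verify-onexec verify-onexec.c and run it after loading the report's profile; on the affected Lucid kernel it prints "unconfined" and FAILED, on Maverick with the fix it prints "test_onexec (enforce)" and OK. The verdict is taken from the child's view of itself, which is the only reliable signal here.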