touch-packages team mailing list archive

[Bug 1045074] Re: no logging with Cx|cx to non-existent subprofile

 

*** This bug is a duplicate of bug 917215 ***
    https://bugs.launchpad.net/bugs/917215

** This bug has been marked a duplicate of bug 917215
   AppArmor doesn't warn about nonexistent subprofiles

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1045074

Title:
  no logging with Cx|cx to non-existent subprofile

Status in “apparmor” package in Ubuntu:
  Confirmed

Bug description:
  If I create the following rule:

    <path> Cx -> <subprofile>,

  apparmor_parser does not complain if '<subprofile>' does not exist and
  the kernel doesn't log that there was a problem transitioning.

  This has happened when profiling in Ubuntu when using the
  'sanitized_helper' but forgetting to
  '#include <abstractions/ubuntu-helpers>'. Since there is no feedback,
  this is a usability issue for profilers when trying to do things like
  this:

  $ cat /tmp/foo
  #!/bin/sh
  echo foo
  /tmp/bar

  $ cat /tmp/bar
  #!/bin/sh
  echo bar
  head -1 /etc/hosts

  $ cat /tmp/test.profile
  #include <tunables/global>
  /tmp/foo {
      #include <abstractions/base>
      #include <abstractions/bash>
      /tmp/foo r,
      /tmp/bar Cxr -> bar,
  }
  profile bar {
    #include <abstractions/base>
    #include <abstractions/bash>
    /bin/dash r,
    /tmp/bar r,
    /usr/bin/head ixr,
    /etc/hosts r,
  }  

  Loading the above profile and executing /tmp/foo results in:
  $ /tmp/foo
  foo
  bar
  head: cannot open `/etc/hosts' for reading: Permission denied

  This happens because 'foo' can't transition to 'bar' because 'bar' is
  not a subprofile of 'foo'. There is no kernel message and
  apparmor_parser also did not catch the profiling error. Depending on
  how the profiled applications are written, there may or may not be
  useful debugging information when profiling.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1045074/+subscriptions
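
Since neither apparmor_parser nor the kernel reports the failed transition described above, a profile can be checked before loading. The following is an added example, not part of the original bug report or of AppArmor: the function name is hypothetical, the grammar handled is a simplified subset (no flags, attachments or hats), and #include lines are not expanded, so a child profile that an abstraction supplies (such as sanitized_helper) would be reported as missing.

```python
import re

# Simplified grammar: "[profile] NAME {" opens a profile, a lone "}" closes it.
HEADER = re.compile(r'^\s*(?:profile\s+)?(\S+)\s*\{\s*$')
# Exec rule with a named child transition, e.g. "/tmp/bar Cxr -> bar,".
CX_RULE = re.compile(r'^\s*(\S+)\s+\w*[Cc]x\w*\s*->\s*([^,\s]+)\s*,')

def missing_cx_targets(text):
    """Return (profile, path, target) for Cx rules whose target is not a
    direct child of the profile that contains the rule."""
    stack, children, rules = [], {}, []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith('#'):   # comments and unexpanded #include lines
            continue
        here = '//'.join(stack)          # AppArmor names children parent//child
        if s == '}':
            stack = stack[:-1]           # tolerate an unbalanced closing brace
        elif (m := HEADER.match(s)):
            children.setdefault(here, set()).add(m.group(1))
            stack.append(m.group(1))
        elif (m := CX_RULE.match(s)):
            rules.append((here, m.group(1), m.group(2)))
    return [r for r in rules if r[2] not in children.get(r[0], set())]

# Layout from the bug report (includes omitted): "bar" is a sibling of /tmp/foo.
REPORTED = """
/tmp/foo {
  /tmp/foo r,
  /tmp/bar Cxr -> bar,
}
profile bar {
  /etc/hosts r,
}
"""
# Constructed variant: "bar" is declared inside /tmp/foo, so it is a child.
NESTED = """
/tmp/foo {
  /tmp/bar Cxr -> bar,
  profile bar {
    /etc/hosts r,
  }
}
"""

if __name__ == '__main__':
    for label, text in (('reported', REPORTED), ('nested', NESTED)):
        for prof, path, target in missing_cx_targets(text):
            print(f"{label}: {prof}: {path} Cx -> {target}: no child profile '{target}'")
```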