
touch-packages team mailing list archive

[Bug 1315469] Re: apparmor_parser should reject pivot_root rules containing non-directory arguments

 

** Tags added: aa-parser

** Also affects: apparmor
   Importance: Undecided
       Status: New

** Changed in: apparmor
       Status: New => Triaged

** Changed in: apparmor
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1315469

Title:
  apparmor_parser should reject pivot_root rules containing non-directory arguments

Status in AppArmor Linux application security framework:
  Triaged
Status in “apparmor” package in Ubuntu:
  Triaged

Bug description:
  The pivot_root rule arguments corresponding to pivot_root(2)'s put_old
  and new_root arguments must always end with a '/' character. This is
  due to the paths being directories and not regular files. If the paths
  do not end in a '/', the kernel will fail to match the paths during a
  pivot_root(2) and the pivot will always be denied.

  I think that the parser should reject all pivot_root rules containing
  paths that do not end in '/', to avoid the confusion at run-time.

  Here's a simple test case that should fail:

  $ echo "/t { pivot_root oldroot=/new/old /new, }" | apparmor_parser -qQ

  Here's a simple test case that should pass:

  $ echo "/t { pivot_root oldroot=/new/old/ /new/, }" | apparmor_parser -qQ

  Currently, both tests result in apparmor_parser returning 0.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1315469/+subscriptions
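
A pre-load check for the condition this report describes, as an added example (not code from the bug report or from the AppArmor project): it scans profile text for pivot_root rules and flags oldroot= and new_root paths that lack the trailing '/'. The name lint_pivot_root is hypothetical, and the parsing is simplified: it assumes paths contain no spaces or commas.

```python
import re

# A pivot_root rule: the keyword as its own token (so a file rule such as
# "/sbin/pivot_root rix," is not matched), then everything up to the comma
# that terminates the rule. Assumption: paths contain no commas.
RULE_RE = re.compile(r"(?<![^\s{,])pivot_root(?=[\s,])(?P<body>[^,]*),")


def lint_pivot_root(profile_text):
    """Return (argument, path) pairs for pivot_root paths not ending in '/'."""
    findings = []
    text = re.sub(r"#[^\n]*", "", profile_text)  # drop comments
    for match in RULE_RE.finditer(text):
        # Anything after "->" is a profile transition target, not a path.
        body = match.group("body").split("->", 1)[0]
        for token in body.split():
            if token.startswith("oldroot="):
                name, path = "oldroot", token[len("oldroot="):]
            else:
                name, path = "new_root", token
            path = path.strip('"')
            # Both arguments name directories, so the rule only matches at
            # run time when the path ends in '/'.
            if not path.endswith("/"):
                findings.append((name, path))
    return findings


if __name__ == "__main__":
    # The two test cases from the bug description above.
    samples = [
        "/t { pivot_root oldroot=/new/old /new, }",
        "/t { pivot_root oldroot=/new/old/ /new/, }",
    ]
    for sample in samples:
        problems = lint_pivot_root(sample)
        print(sample)
        if not problems:
            print("  ok")
        for name, path in problems:
            print(f"  {name} path {path!r} does not end in '/'")
```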