
touch-packages team mailing list archive

[Bug 1339099] Re: AppArmor file permission 'append' denies file creation


This bug could be the reason for bug 1324608

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1339099

Title:
  AppArmor file permission 'append' denies file creation

Status in AppArmor Linux application security framework:
  Confirmed
Status in “apparmor” package in Ubuntu:
  Confirmed

Bug description:
  This bug started as a question, to make sure I know how to computer
  before filing a bug:
  https://answers.launchpad.net/ubuntu/+source/apparmor/+question/251315

  All this work is being done on an up-to-date 14.04 server running
  apparmor{-profiles,-utils} 2.8.95~2430-0ubuntu5.

  While trying to sort out the appropriate AppArmor bits to control
  logging, I'm seeing the file permission 'append' deny create access to
  a file, where I would have expected this to not be denied. It also
  denies 'file_perm', but it's unclear if this would be expected to
  work. I can fix the situation by updating the profile to use the
  'write' permission instead of 'append', but this is less than ideal.

  http://manpages.ubuntu.com/manpages/trusty/en/man5/apparmor.d.5.html
  indicates that the 'append' file permission "Allows the program to
  have a limited appending only write access to the file."

  In addition,
  http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
  explicitly states that 'append' grants "permission to create, and
  extend a file. The append permission is limited that it only gives
  permission for applications to open a file with O_APPEND, it can not
  be used to enforce a generic file write is append only."

  From
  https://en.opensuse.org/Archive:AppArmor_2_3_changes#Minor_Semantic_Changes,
  it appears as though granting 'create' permissions to 'append' is new
  in AppArmor 2.3.

  However, in writing up a simple test program in Go, I'm seeing
  AppArmor deny create permissions where 'append' is allowed.

  The Go code:
  -----
  package main

  import (
          "fmt"
          "log"
          "os"
  )

  func main() {
          // Open for append-only writing, creating the file if it does not exist.
          // The OpenFile error is deliberately unchecked: on a denial logFile is nil, so the write below fails with "invalid argument".
          logFile, err := os.OpenFile("/opt/test/log/test.log", os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
          n, err := logFile.WriteString("direct write\n")
          if err != nil {
                  fmt.Println(n, err)
          }
          log.SetOutput(logFile)
          log.Println("Log file initialized.")
          logFile.Close()
  }
  -----

  The AppArmor profile:
  -----
  #include <tunables/global>

  /opt/test/bin/test {
    #include <abstractions/base>

    /opt/test/log/test.log a,
  }
  -----

  When set to enforce, the program spits out an error:
  -----
  % /opt/test/bin/test
  0 invalid argument
  %
  -----

  And AppArmor logs the DENIED message:
  -----
  kernel: [ 5687.957758] type=1400 audit(1404743687.548:92): apparmor="DENIED" operation="open" profile="/opt/test/bin/test" name="/opt/test/log/test.log" pid=7766 comm="test" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  -----

  When set to complain, the program works as expected:
  -----
  % /opt/test/bin/test
  %
  -----

  And AppArmor logs three calls with which it has an issue:
  -----
  kernel: [ 5949.505626] type=1400 audit(1404743948.872:98): apparmor="ALLOWED" operation="open" profile="/opt/test/bin/test" name="/opt/test/log/test.log" pid=8158 comm="test" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  kernel: [ 5949.505643] type=1400 audit(1404743948.872:99): apparmor="ALLOWED" operation="file_perm" profile="/opt/test/bin/test" name="/opt/test/log/test.log" pid=8158 comm="test" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
  kernel: [ 5949.505758] type=1400 audit(1404743948.872:100): apparmor="ALLOWED" operation="file_perm" profile="/opt/test/bin/test" name="/opt/test/log/test.log" pid=8158 comm="test" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
  -----

  I'm not sure what's going on with the 'file_perm' stuff either -- I
  thought that would have required 'chmod', but that doesn't appear to
  be the case.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1339099/+subscriptions
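Added example, not from the bug report or the AppArmor project: a small Python triage script that parses the audit lines quoted in the report and works out which file rule would actually cover them. The sample lines are copied from the report; the mapping of log mask letters (such as the create mask "c") onto apparmor.d(5) rule letters is my own and is the point the bug illustrates, since an "a" rule does not cover "c".

```python
import re
from collections import defaultdict

# Constructed sample: the enforce-mode DENIED line and two of the
# complain-mode ALLOWED lines from the report.
SAMPLE_LOG = """\
kernel: [ 5687.957758] type=1400 audit(1404743687.548:92): apparmor="DENIED" operation="open" profile="/opt/test/bin/test" name="/opt/test/log/test.log" pid=7766 comm="test" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
kernel: [ 5949.505626] type=1400 audit(1404743948.872:98): apparmor="ALLOWED" operation="open" profile="/opt/test/bin/test" name="/opt/test/log/test.log" pid=8158 comm="test" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
kernel: [ 5949.505643] type=1400 audit(1404743948.872:99): apparmor="ALLOWED" operation="file_perm" profile="/opt/test/bin/test" name="/opt/test/log/test.log" pid=8158 comm="test" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Log mask letters -> rule letters (my mapping): create and delete have no
# rule letter of their own and need 'w'; 'w' already covers append-only opens.
LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
               "k": "k", "l": "l", "m": "m"}
ORDER = "rwaklm"


def parse_event(line):
    """Return the key="value" fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return dict(KV_RE.findall(line))


def collect_denials(log_text):
    """Union the denied masks per (profile, path). In complain mode the
    kernel logs ALLOWED but still fills denied_mask, so those count too."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if "name" not in ev or not ev.get("denied_mask"):
            continue
        needed[(ev["profile"], ev["name"])].update(ev["denied_mask"])
    return needed


def suggest_rules(log_text):
    """Map each (profile, path) to the file rule covering its denials."""
    rules = {}
    for (profile, path), mask in collect_denials(log_text).items():
        letters = {LOG_TO_RULE[m] for m in mask if m in LOG_TO_RULE}
        if "w" in letters:          # 'w' subsumes append-only access
            letters.discard("a")
        perms = "".join(p for p in ORDER if p in letters)
        rules[(profile, path)] = f"{path} {perms},"
    return rules
```

Run over the sample, the only suggested rule is `/opt/test/log/test.log w,`, which is the change the reporter made by hand.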