touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #44306
[Bug 1324608] Re: when aa-logprof processed file access rules with mask of "c" the resulting profile doesn't work
[Expired for AppArmor because there has been no activity for 60 days.]
** Changed in: apparmor
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1324608
Title:
when aa-logprof processed file access rules with mask of "c" the
resulting profile doesn't work
Status in AppArmor Linux application security framework:
Expired
Status in apparmor package in Ubuntu:
Expired
Bug description:
To set the scene
++++++++++++/usr/local/bin/test2.sh++++++++++++++++++
#!/bin/bash
echo "hello world"
cat /etc/passwd
echo 'echo "I am a pink bunny!"' >> ~/.profile
++++++++++++++++++++++++++++++
++++++++++++/etc/apparmor.d/usr.local.bin.test2.sh++++++++++++++++++
# Last Modified: Thu May 29 11:34:54 2014
#include <tunables/global>
/usr/local/bin/test2.sh {
#include <abstractions/base>
#include <abstractions/bash>
/bin/bash ix,
/bin/cat rix,
/dev/tty rw,
/usr/local/bin/test2.sh r,
}
++++++++++++++++++++++++++++++
So I run test2.sh and the
>> ~/.profile
is denied as expected. When I go to run aa-logprof it picks up on the logline
apparmor="DENIED" operation="open"
profile="/usr/local/bin/test2.sh" name="/root/.profile" pid=30693
comm="test2.sh" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
It as me about adding an append mode which makes sense so I add and
allow. Now my profile looks like so
++++++++++++/etc/apparmor.d/usr.local.bin.test2.sh++++++++++++++++++
# Last Modified: Thu May 29 12:32:31 2014
#include <tunables/global>
/usr/local/bin/test2.sh {
#include <abstractions/base>
#include <abstractions/bash>
/bin/bash ix,
/bin/cat rix,
/dev/tty rw,
/root/.profile a,
/usr/local/bin/test2.sh r,
}
++++++++++++++++++++++++++++++
The problem is when I run test2.sh again the append rule is still
denied. I think this likely because although the request_mask of "c"
is "converted to "a" by logparser.py in the runtime code (kernel?,
apparmor_parse?) "c" is not converted to "a" nor is a subset of "a".
It is in fact a subset of "w" which works. Here is the workaround in
diff format.
--- /usr/lib/python3/dist-packages/apparmor/logparser.py 2014-05-29 12:39:23.844284290 -0400
+++ /usr/lib/python3/dist-packages/apparmor/logparser.py.new 2014-05-29 12:39:11.444283996 -0400
@@ -126,12 +126,12 @@
LibAppArmor.free_record(event)
# Map c (create) to a and d (delete) to w, logprof doesn't support c and d
if rmask:
- rmask = rmask.replace('c', 'a')
+ rmask = rmask.replace('c', 'w')
rmask = rmask.replace('d', 'w')
if not validate_log_mode(hide_log_mode(rmask)):
raise AppArmorException(_('Log contains unknown mode %s') % rmask)
if dmask:
- dmask = dmask.replace('c', 'a')
+ dmask = dmask.replace('c', 'w')
dmask = dmask.replace('d', 'w')
if not validate_log_mode(hide_log_mode(dmask)):
raise AppArmorException(_('Log contains unknown mode %s') % dmask)
Right now I don't have time to identify where this bug is exactly but if I do I will update this ticket.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1324608/+subscriptions