touch-packages team mailing list archive

Thread
Date

[Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Kees Cook <kees@xxxxxxxxxx>
Date: Thu, 11 Jun 2015 04:25:19 -0000
Reply-to: Bug 1317555 <1317555@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Hit this bug again while trying to use:
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/14.04/usr.lib.postgresql.bin.postgres

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1317555

Title:
  'signal peer=@{profile_name},' does not work as expected when in a
  profile using a regex match as a name

Status in AppArmor Linux application security framework:
  Triaged
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  Kees Cook reported signal mediation issues stemming from the 'signal
  peer=@{profile_name},' rule in the base abstraction. It does not work
  as expected when @{profile_name} contains a regex match. If an
  application confined with a profile that uses a regex match as the
  name attempts to signal itself, the signal is denied.

  Here's a simple reproducer:

  # Set up the test environment
  $ mkdir /tmp/test
  $ cd /tmp/test
  $ cp -a /bin/kill .
  $ cp -a /bin/sleep .

  # Run the unconfined test to verify that it works (it does)
  $ /tmp/test/sleep 30s &
  [2] 31464
  $ /tmp/test/kill -USR1 $!
  [2]+  User defined signal 1   /tmp/test/sleep 30s

  # Create and load the AppArmor profile
  $ cat << EOF > profile
  #include <tunables/global>

  /tmp/test/{kill,sleep} {
    #include <abstractions/base>
    file,
  }

  profile test {
    #include <abstractions/base>
    file,
  }
  EOF
  $ sudo apparmor_parser -r profile

  # Run the test under /tmp/test/{kill,sleep} confinement
  # Note that this will not work, likely due to the regex in the profile name
  $ /tmp/test/sleep 30s &
  [1] 31473
  $ /tmp/test/kill -USR1 $!

  # Look at the new denials
  # Oddly, comm="kill" is in both denials, despite the denials being for send and receive masks
  type=AVC msg=audit(1399560667.038:720): apparmor="DENIED" operation="signal" profile="/tmp/test/{kill,sleep}" pid=31474 comm="kill" requested_mask="send" denied_mask="send" signal=usr1 peer="/tmp/test/{kill,sleep}"
  type=AVC msg=audit(1399560667.038:720): apparmor="DENIED" operation="signal" profile="/tmp/test/{kill,sleep}" pid=31474 comm="kill" requested_mask="receive" denied_mask="receive" signal=usr1 peer="/tmp/test/{kill,sleep}"

  # Run the test once more under the "test" profile (it succeeds)
  $ aa-exec -p test -- /tmp/test/sleep 30s &
  [1] 31476
  $ aa-exec -p test -- /tmp/test/kill -USR1 $!
  [1]+  User defined signal 1   aa-exec -p test -- /tmp/test/sleep 30s

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1317555/+subscriptions