
touch-packages team mailing list archive

[Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name


Not really. comm= is added by the audit subsystem and is set by the thread
the check is being done in, in kernel context.  Both the send and
receive checks are being done in the same place, so comm= will not change.
We are not in control of this, so there is little we can do about it.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1317555

Title:
  'signal peer=@{profile_name},' does not work as expected when in a
  profile using a regex match as a name

Status in AppArmor Linux application security framework:
  Triaged
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  Kees Cook reported signal mediation issues stemming from the 'signal
  peer=@{profile_name},' rule in the base abstraction. It does not work
  as expected when @{profile_name} contains a regex match. If an
  application confined with a profile that uses a regex match as the
  name attempts to signal itself, the signal is denied.

  Here's a simple reproducer:

  # Set up the test environment
  $ mkdir /tmp/test
  $ cd /tmp/test
  $ cp -a /bin/kill .
  $ cp -a /bin/sleep .

  # Run the unconfined test to verify that it works (it does)
  $ /tmp/test/sleep 30s &
  [2] 31464
  $ /tmp/test/kill -USR1 $!
  [2]+  User defined signal 1   /tmp/test/sleep 30s

  # Create and load the AppArmor profile
  $ cat << EOF > profile
  #include <tunables/global>

  /tmp/test/{kill,sleep} {
    #include <abstractions/base>
    file,
  }

  profile test {
    #include <abstractions/base>
    file,
  }
  EOF
  $ sudo apparmor_parser -r profile

  # Run the test under /tmp/test/{kill,sleep} confinement
  # Note that this will not work, likely due to the regex in the profile name
  $ /tmp/test/sleep 30s &
  [1] 31473
  $ /tmp/test/kill -USR1 $!

  # Look at the new denials
  # Oddly, comm="kill" is in both denials, despite the denials being for send and receive masks
  type=AVC msg=audit(1399560667.038:720): apparmor="DENIED" operation="signal" profile="/tmp/test/{kill,sleep}" pid=31474 comm="kill" requested_mask="send" denied_mask="send" signal=usr1 peer="/tmp/test/{kill,sleep}"
  type=AVC msg=audit(1399560667.038:720): apparmor="DENIED" operation="signal" profile="/tmp/test/{kill,sleep}" pid=31474 comm="kill" requested_mask="receive" denied_mask="receive" signal=usr1 peer="/tmp/test/{kill,sleep}"

  # Run the test once more under the "test" profile (it succeeds)
  $ aa-exec -p test -- /tmp/test/sleep 30s &
  [1] 31476
  $ aa-exec -p test -- /tmp/test/kill -USR1 $!
  [1]+  User defined signal 1   aa-exec -p test -- /tmp/test/sleep 30s

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1317555/+subscriptions
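A small triage helper for the denial lines quoted in the bug description, added here as an example and not part of the bug report or of AppArmor itself: it parses AVC records, keeps denied signal operations whose peer label equals the sender's own profile (the self-signal case the base abstraction's `signal peer=@{profile_name},` rule is meant to allow) and flags whether that profile name contains AppArmor glob metacharacters, the condition this bug is about. The first two sample lines are the ones from the report; the third is constructed.

```python
import re

# Sample audit records: two real denials from the bug report plus one
# constructed denial for a profile name without glob metacharacters.
AVC_LINES = """\
type=AVC msg=audit(1399560667.038:720): apparmor="DENIED" operation="signal" profile="/tmp/test/{kill,sleep}" pid=31474 comm="kill" requested_mask="send" denied_mask="send" signal=usr1 peer="/tmp/test/{kill,sleep}"
type=AVC msg=audit(1399560667.038:720): apparmor="DENIED" operation="signal" profile="/tmp/test/{kill,sleep}" pid=31474 comm="kill" requested_mask="receive" denied_mask="receive" signal=usr1 peer="/tmp/test/{kill,sleep}"
type=AVC msg=audit(1399560700.000:721): apparmor="DENIED" operation="signal" profile="test" pid=31480 comm="kill" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
"""

# key=value pairs; values are either double-quoted (may contain spaces)
# or a bare token such as audit(1399560667.038:720): or usr1.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Characters AppArmor treats as pattern syntax in a rule path/label.
GLOB_CHARS = set('{}*?[]')


def parse_avc(line):
    """Return the key=value fields of one AVC line, quotes stripped."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def self_signal_denials(log_text):
    """Return denied signal events where profile == peer.

    Each result records the profile, the denied mask, the signal and
    whether the profile name contains glob metacharacters (the trigger
    condition for the @{profile_name} mismatch in this bug).
    """
    events = []
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f.get('apparmor') != 'DENIED' or f.get('operation') != 'signal':
            continue
        if f.get('profile') != f.get('peer'):
            continue
        events.append({
            'profile': f['profile'],
            'mask': f.get('denied_mask'),
            'signal': f.get('signal'),
            'glob_in_name': any(c in GLOB_CHARS for c in f['profile']),
        })
    return events


if __name__ == '__main__':
    for e in self_signal_denials(AVC_LINES):
        print(e)
```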