** Tags added: aa-parser

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1609885

Title:
  exec transitions to profiles with '.' in name don't work

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  If a child profile has '.' in the name, then the parser fails to
  compile the policy:

  $ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
  AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found unexpected character: '.'

  If you put a child profile with '.' in the name in a variable, the
  parser compiles the policy but the exec transition fails:

  $ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
  /tmp/with.dots: 3: /tmp/with.dots: cat: Permission denied

  denial is:
  apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="test" name="/bin/cat" pid=18219 comm="with.dots" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  $ cat /tmp/test.sh
  #!/bin/sh
  cat /proc/version

  $ cat /tmp/profile
  #include <tunables/global>

  @{TARGET_PROFILE}="with.dots"

  profile test {
    #include <abstractions/base>
    #include <abstractions/bash>

    /tmp/test.sh r,

    # parser error:
    # AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found
    # unexpected character: '.'
    /{,usr/}bin/cat cx -> with.dots,

    # fail to transition:
    # apparmor="DENIED" operation="exec" info="profile transition not found"
    # error=-13 profile="test" name="/bin/cat" pid=18105 comm="with.dots"
    # requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
    #/{,usr/}bin/cat cx -> @{TARGET_PROFILE},

    # ok
    #/{,usr/}bin/cat cx -> no_dots,

    profile with.dots {
      #include <abstractions/base>
      @{PROC}/version r,
      /{,usr/}bin/cat r,
    }

    profile no_dots {
      #include <abstractions/base>
      @{PROC}/version r,
      /{,usr/}bin/cat r,
    }
  }
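
Added example (not part of the bug report and not AppArmor project code): a small lint that finds exec transition rules whose named target contains '.', either written literally or reached through a variable, which are the two cases reported above as failing. The regular expressions are a simplified assumption about profile syntax, not the apparmor_parser grammar; the function names and the sample policy are constructed for illustration.

```python
import re
import shlex

# Simplified patterns (assumption: covers single-line rules only).
VAR_DEF = re.compile(r'^(@\{\w+\})\s*\+?=\s*(.*)$')
VAR_REF = re.compile(r'@\{\w+\}')
EXEC_RULE = re.compile(r'^(\S+)\s+([A-Za-z]*[xX])\s*->\s*([^\s,]+)\s*,')

def expand(text, variables):
    """Expand @{VAR} references; a multi-valued variable yields several results."""
    m = VAR_REF.search(text)
    if not m:
        return [text]
    values = variables.get(m.group(0))
    if values is None:
        return [text]  # undefined variable: leave it unexpanded
    return [e for v in values
            for e in expand(text[:m.start()] + v + text[m.end():], variables)]

def dotted_exec_targets(policy_text):
    """Return (line, path, target as written, expanded target) for each
    named exec transition whose expanded target contains '.'."""
    variables, findings = {}, []
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # blank lines, comments, #include directives
        m = VAR_DEF.match(stripped)
        if m:
            variables.setdefault(m.group(1), []).extend(shlex.split(m.group(2)))
            continue
        m = EXEC_RULE.match(stripped)
        if m:
            path, _mode, target = m.groups()
            findings += [(lineno, path, target, e)
                         for e in expand(target, variables) if '.' in e]
    return findings

# Constructed sample, modelled on the profile in the report.
SAMPLE = '''#include <tunables/global>
@{TARGET_PROFILE}="with.dots"
profile test {
  #include <abstractions/base>
  /tmp/test.sh r,
  /{,usr/}bin/cat cx -> with.dots,
  /{,usr/}bin/head cx -> @{TARGET_PROFILE},
  /{,usr/}bin/tail cx -> no_dots,
}
'''

if __name__ == '__main__':
    for lineno, path, written, expanded in dotted_exec_targets(SAMPLE):
        print(f"line {lineno}: {path} -> {written} (expands to {expanded})")
```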