This bug was nominated against a series that is no longer supported, i.e. yakkety. The bug task representing the yakkety nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

** Changed in: linux (Ubuntu Yakkety)
       Status: Incomplete => Won't Fix

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1609885

Title:
  exec transitions to profiles with '.' in name don't work

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Won't Fix

Bug description:
  If a child profile has '.' in the name, then the parser fails to
  compile the policy:

  $ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
  AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found unexpected character: '.'

  If a child profile with '.' in the name is put in a variable, the
  parser compiles the policy but the exec transition fails:

  $ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
  /tmp/with.dots: 3: /tmp/with.dots: cat: Permission denied

  denial is:
  apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="test" name="/bin/cat" pid=18219 comm="with.dots" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  $ cat /tmp/test.sh
  #!/bin/sh
  cat /proc/version

  $ cat /tmp/profile
  #include <tunables/global>

  @{TARGET_PROFILE}="with.dots"

  profile test {
    #include <abstractions/base>
    #include <abstractions/bash>

    /tmp/test.sh r,

    # parser error:
    # AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found
    # unexpected character: '.'
    /{,usr/}bin/cat cx -> with.dots,

    # fail to transition:
    # apparmor="DENIED" operation="exec" info="profile transition not found"
    # error=-13 profile="test" name="/bin/cat" pid=18105 comm="with.dots"
    # requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
    #/{,usr/}bin/cat cx -> @{TARGET_PROFILE},

    # ok
    #/{,usr/}bin/cat cx -> no_dots,

    profile with.dots {
      #include <abstractions/base>
      @{PROC}/version r,
      /{,usr/}bin/cat r,
    }

    profile no_dots {
      #include <abstractions/base>
      @{PROC}/version r,
      /{,usr/}bin/cat r,
    }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1609885/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
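
A policy check for the two failure modes in the bug description above, as an added example that is not part of the bug report or of AppArmor's own tooling: it scans profile text for exec transition rules whose target profile name contains '.', either written literally (parser error) or supplied through a variable (compiles, then "profile transition not found" at exec). The function name, the line-based regexes (not a full AppArmor grammar), the single-valued variable handling and the sample text are assumptions made for the example.

```python
import re

# Constructed sample, adapted from the profile in the bug description.
SAMPLE_PROFILE = '''\
@{TARGET_PROFILE}="with.dots"
profile test {
  /tmp/test.sh r,
  /{,usr/}bin/cat cx -> with.dots,
  /{,usr/}bin/cat cx -> @{TARGET_PROFILE},
  #/{,usr/}bin/cat cx -> no_dots,
  /{,usr/}bin/ls cx -> no_dots,
  profile with.dots {
  }
}
'''

# Variable definition; only the first value is kept (simplification).
VAR_DEF = re.compile(r'^\s*(@\{\w+\})\s*\+?=\s*"?([^"\s]+)"?')
# path, exec mode containing c/p followed by x, "->", target, trailing comma
EXEC_RULE = re.compile(r'^\s*(\S+)\s+(\w*[cCpP]\w*x)\s*->\s*(\S+?)\s*,')
VAR_REF = re.compile(r'@\{\w+\}')


def find_dotted_transitions(profile_text):
    """Return (line_no, resolved_target, expected_failure) for every exec
    transition whose target profile name contains '.'."""
    variables, findings = {}, []
    for no, line in enumerate(profile_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # skip comments and #include lines
        m = VAR_DEF.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = EXEC_RULE.match(line)
        if not m:
            continue
        raw = m.group(3)
        # Expand @{VAR} references using definitions seen so far.
        target = VAR_REF.sub(
            lambda v: variables.get(v.group(0), v.group(0)), raw)
        if '.' not in target:
            continue
        # Literal dot: the parser rejects the rule. Dot hidden in a
        # variable: the policy loads but the transition fails at exec.
        why = 'parser error' if '.' in raw else 'transition not found at exec'
        findings.append((no, target, why))
    return findings
```

Running `find_dotted_transitions` over each file in a policy directory before loading it gives a list of rules to rename or recheck on kernels without the fix.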