Fixed in AppArmor 2.11

** Changed in: apparmor
       Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1588069

Title:
  parser doesn't catch conflicting change_profile exec modes (safe/unsafe)

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Xenial:
  Fix Committed

Bug description:
  [Impact]

  Applications which use libapparmor's aa_change_onexec() to set up an
  AppArmor profile transition across an upcoming exec() could not
  pre-initialize the environment up until the upstream fix for bug
  #1584069 was in place.

  That upstream fix had a flaw in that conflicting safe/unsafe
  change_profile transitions were allowed by apparmor_parser.
  apparmor_parser should detect conflicting rules and fail to compile
  the profile.

  [Test Case]

  The upstream fix for this bug includes exhaustive tests for
  conflicting safe/unsafe change_profile transitions. These tests run
  at build time.

  If a manual test is desired, see the original report below for steps.

  [Regression Potential]

  Regression potential for this change is small since it is actually a
  bug fix for the changes introduced in bug #1584069. The regression
  potential for the changes for bug #1584069 is considerable and listed
  in that bug report.

  [Original Report]

  The ability to specify change_profile exec modes (safe/unsafe) is a
  recently merged feature. A missing piece is that the parser doesn't
  detect conflicting exec modes on the same exec condition.

  The following profile should fail to compile:

    /t {
      change_profile safe /foo -> /bar,
      change_profile unsafe /foo -> /bar,
    }
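The conflict described in the report, as an added example that is not part of the original bug report and is not apparmor_parser's own code: a small policy lint that flags change_profile rules using both safe and unsafe for the same exec condition and target inside one profile. Assumptions: one rule per line, a closing brace on its own line, literal string comparison (no glob evaluation), and rules without an explicit exec mode are skipped; `find_conflicts` and the sample profiles are hypothetical names constructed for this illustration.

```python
import re
from collections import defaultdict

# Explicit-mode rules only, e.g. "change_profile safe /foo -> /bar,".
RULE_RE = re.compile(
    r"\bchange_profile\s+(?P<mode>safe|unsafe)\s+(?P<cond>[^\s,]+)"
    r"(?:\s*->\s*(?P<target>[^\s,]+))?\s*,"
)

# Constructed sample input: the profile from the report, plus a clean one.
SAMPLE_CONFLICT = """\
/t {
  change_profile safe /foo -> /bar,
  change_profile unsafe /foo -> /bar,
}
"""
SAMPLE_OK = """\
profile ok /usr/bin/ok {
  change_profile safe /foo -> /bar,
  change_profile unsafe /baz -> /bar,  # different exec condition
}
"""


def find_conflicts(policy_text):
    """Return sorted (profile, exec_cond, target) keys seen with both modes."""
    seen = defaultdict(set)  # key -> set of exec modes used for it
    stack = []               # names of the profile blocks currently open
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.endswith("{"):
            words = line[:-1].split() or ["<anonymous>"]
            named = words[0] == "profile" and len(words) > 1
            stack.append(words[1] if named else words[0])
        elif line == "}":
            if stack:
                stack.pop()
        elif stack:
            m = RULE_RE.search(line)
            if m:
                key = ("//".join(stack), m["cond"], m["target"] or "")
                seen[key].add(m["mode"])
    return sorted(k for k, modes in seen.items() if modes == {"safe", "unsafe"})


if __name__ == "__main__":
    for profile, cond, target in find_conflicts(SAMPLE_CONFLICT):
        print(f"{profile}: conflicting safe/unsafe change_profile {cond} -> {target}")
```

A check like this can run over policy before it is loaded on hosts whose apparmor_parser predates the fix; on fixed versions the parser itself rejects the profile.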