** Changed in: apparmor
   Importance: High => Medium

** Changed in: apparmor (Ubuntu)
   Importance: High => Medium
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1317555

Title:
  'signal peer=@{profile_name},' does not work as expected when in a profile using a regex match as a name

Status in AppArmor Linux application security framework:
  Triaged
Status in “apparmor” package in Ubuntu:
  Triaged

Bug description:
  Kees Cook reported signal mediation issues stemming from the 'signal peer=@{profile_name},' rule in the base abstraction. It does not work as expected when @{profile_name} contains a regex match. If an application confined with a profile that uses a regex match as the name attempts to signal itself, the signal is denied.

  Here's a simple reproducer:

  # Set up the test environment
  $ mkdir /tmp/test
  $ cd /tmp/test
  $ cp -a /bin/kill .
  $ cp -a /bin/sleep .

  # Run the unconfined test to verify that it works (it does)
  $ /tmp/test/sleep 30s &
  [2] 31464
  $ /tmp/test/kill -USR1 $!
  [2]+  User defined signal 1   /tmp/test/sleep 30s

  # Create and load the AppArmor profile
  $ cat << EOF > profile
  #include <tunables/global>
  /tmp/test/{kill,sleep} {
    #include <abstractions/base>
    file,
  }
  profile test {
    #include <abstractions/base>
    file,
  }
  EOF
  $ sudo apparmor_parser -r profile

  # Run the test under /tmp/test/{kill,sleep} confinement
  # Note that this will not work, likely due to the regex in the profile name
  $ /tmp/test/sleep 30s &
  [1] 31473
  $ /tmp/test/kill -USR1 $!
  # Look at the new denials
  # Oddly, comm="kill" is in both denials, despite the denials being for send and receive masks
  type=AVC msg=audit(1399560667.038:720): apparmor="DENIED" operation="signal" profile="/tmp/test/{kill,sleep}" pid=31474 comm="kill" requested_mask="send" denied_mask="send" signal=usr1 peer="/tmp/test/{kill,sleep}"
  type=AVC msg=audit(1399560667.038:720): apparmor="DENIED" operation="signal" profile="/tmp/test/{kill,sleep}" pid=31474 comm="kill" requested_mask="receive" denied_mask="receive" signal=usr1 peer="/tmp/test/{kill,sleep}"

  # Run the test once more under the "test" profile (it succeeds)
  $ aa-exec -p test -- /tmp/test/sleep 30s &
  [1] 31476
  $ aa-exec -p test -- /tmp/test/kill -USR1 $!
  [1]+  User defined signal 1   aa-exec -p test -- /tmp/test/sleep 30s

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1317555/+subscriptions
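The two AVC lines in the report have a recognisable shape: a "signal" denial in which profile and peer are the same name, and that name contains glob metacharacters. The following is an added triage example (not code from the bug report or from the AppArmor project) that parses AppArmor audit lines into fields and flags denials matching that shape, so an operator reviewing logs can separate this profile-name effect from an ordinary policy denial. The two denial lines are copied from the report above; the third line, involving /usr/bin/foo and /usr/bin/bar, is a constructed contrast case, and the set of metacharacters checked is an assumption based on AppArmor's glob syntax.

```python
import re

# Sample input. The first two lines are the denials shown in the bug report;
# the third is a constructed denial between two different profiles, for contrast.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1399560667.038:720): apparmor="DENIED" operation="signal" '
    'profile="/tmp/test/{kill,sleep}" pid=31474 comm="kill" requested_mask="send" '
    'denied_mask="send" signal=usr1 peer="/tmp/test/{kill,sleep}"',
    'type=AVC msg=audit(1399560667.038:720): apparmor="DENIED" operation="signal" '
    'profile="/tmp/test/{kill,sleep}" pid=31474 comm="kill" requested_mask="receive" '
    'denied_mask="receive" signal=usr1 peer="/tmp/test/{kill,sleep}"',
    'type=AVC msg=audit(1399560700.000:721): apparmor="DENIED" operation="signal" '
    'profile="/usr/bin/foo" pid=31500 comm="foo" requested_mask="send" '
    'denied_mask="send" signal=term peer="/usr/bin/bar"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Characters that make an AppArmor profile name a glob pattern rather than a literal
# path (assumed set, based on AppArmor's pattern syntax).
_GLOB_METACHARS = set('{}*?[]')


def parse_avc(line):
    """Split one AppArmor AVC audit line into a dict of field name -> value."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def has_glob_metachar(name):
    """True if the profile name contains any glob metacharacter."""
    return any(c in _GLOB_METACHARS for c in name)


def is_self_signal_denial(rec):
    """True for a denied signal whose sending profile and peer are the same name."""
    return (rec.get('apparmor') == 'DENIED'
            and rec.get('operation') == 'signal'
            and rec.get('profile') is not None
            and rec.get('profile') == rec.get('peer'))


def find_suspect_denials(lines):
    """Return parsed records that match the pattern in the report: a profile denied
    signalling itself while its own name is a glob pattern."""
    suspects = []
    for line in lines:
        rec = parse_avc(line)
        if is_self_signal_denial(rec) and has_glob_metachar(rec['profile']):
            suspects.append(rec)
    return suspects


if __name__ == '__main__':
    for rec in find_suspect_denials(SAMPLE_AUDIT_LINES):
        print('self-signal denial under glob-named profile: profile=%s mask=%s pid=%s comm=%s'
              % (rec['profile'], rec['denied_mask'], rec['pid'], rec['comm']))
```

Run against a real audit log (for example the output of `ausearch -m AVC` or the kernel ring buffer), the filter keeps only the send/receive pairs the report describes and drops denials between distinct profiles, which still need ordinary policy review.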