Public bug reported:

To set the scene

++++++++++++/usr/local/bin/test2.sh++++++++++++++++++
#!/bin/bash

echo "hello world"
cat /etc/passwd
echo 'echo "I am a pink bunny!"' >> ~/.profile
++++++++++++++++++++++++++++++

++++++++++++/etc/apparmor.d/usr.local.bin.test2.sh++++++++++++++++++
# Last Modified: Thu May 29 11:34:54 2014
#include <tunables/global>

/usr/local/bin/test2.sh {
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/bash ix,
  /bin/cat rix,
  /dev/tty rw,
  /usr/local/bin/test2.sh r,

}
++++++++++++++++++++++++++++++

So I run test2.sh and the 
  >> ~/.profile
is denied as expected. When I go to run aa-logprof it picks up on the logline

   apparmor="DENIED" operation="open" profile="/usr/local/bin/test2.sh" name="/root/.profile" pid=30693 comm="test2.sh" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

It asks me about adding an append mode, which makes sense, so I add and
allow. Now my profile looks like so

++++++++++++/etc/apparmor.d/usr.local.bin.test2.sh++++++++++++++++++
# Last Modified: Thu May 29 12:32:31 2014
#include <tunables/global>

/usr/local/bin/test2.sh {
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/bash ix,
  /bin/cat rix,
  /dev/tty rw,
  /root/.profile a,
  /usr/local/bin/test2.sh r,

}
++++++++++++++++++++++++++++++

The problem is when I run test2.sh again the append rule is still
denied. I think this is likely because, although the requested_mask of "c" is
converted to "a" by logparser.py, in the runtime code (kernel?,
apparmor_parser?) "c" is not converted to "a", nor is it a subset of "a". It
is in fact a subset of "w", which works. Here is the workaround in diff
format.


--- /usr/lib/python3/dist-packages/apparmor/logparser.py        2014-05-29 
12:39:23.844284290 -0400
+++ /usr/lib/python3/dist-packages/apparmor/logparser.py.new    2014-05-29 
12:39:11.444283996 -0400
@@ -126,12 +126,12 @@
         LibAppArmor.free_record(event)
         # Map c (create) to a and d (delete) to w, logprof doesn't support c 
and d
         if rmask:
-            rmask = rmask.replace('c', 'a')
+            rmask = rmask.replace('c', 'w')
             rmask = rmask.replace('d', 'w')
             if not validate_log_mode(hide_log_mode(rmask)):
                 raise AppArmorException(_('Log contains unknown mode %s') % 
rmask)
         if dmask:
-            dmask = dmask.replace('c', 'a')
+            dmask = dmask.replace('c', 'w')
             dmask = dmask.replace('d', 'w')
             if not validate_log_mode(hide_log_mode(dmask)):
                 raise AppArmorException(_('Log contains unknown mode %s') % 
dmask)
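Review bot: the comment just above the changed lines still reads "Map c (create) to a and d (delete) to w", but after this hunk both c and d map to w, so the comment should be updated to match (e.g. "Map c (create) and d (delete) to w, logprof doesn't support c and d"). It is also worth stating in the commit message that this widens the rule aa-logprof proposes: as the report itself notes, "c" is a subset of "w" and not of "a", so a file that was previously granted append-only now gets a full "w" rule, which is a deliberate trade-off until the "a" handling is fixed.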


Right now I don't have time to identify where this bug is exactly but if I do I 
will update this ticket.
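As an added illustration (not part of the bug report or of the apparmor package), the snippet below parses the DENIED line quoted above, applies both the shipped c->a mapping and the report's c->w workaround, and checks whether the resulting rule mode would cover the kernel's "c" request. The RULE_MODE_COVERS table is an assumption built only from the report's observation that "c" is a subset of "w" but not of "a".

```python
import re

# Constructed sample: the DENIED audit line quoted in the report, on one line.
SAMPLE_LOG = ('apparmor="DENIED" operation="open" profile="/usr/local/bin/test2.sh" '
              'name="/root/.profile" pid=30693 comm="test2.sh" requested_mask="c" '
              'denied_mask="c" fsuid=0 ouid=0')

# key=value pairs; values are either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Split an AppArmor audit line into a dict of field -> value (quotes stripped)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


# Log-only mask letters that profile rules cannot express, and what they are rewritten to.
MASK_MAP_ORIGINAL = {'c': 'a', 'd': 'w'}     # shipped logparser.py behaviour
MASK_MAP_WORKAROUND = {'c': 'w', 'd': 'w'}   # the report's patched behaviour


def log_mask_to_rule_mode(mask, mapping):
    """Rewrite a requested/denied mask into the mode letters a profile rule would use."""
    return ''.join(sorted({mapping.get(ch, ch) for ch in mask}))


# Assumption (hypothetical table, consistent with the report): 'a' permits append only,
# while 'w' permits write, append, create and delete. Not taken from AppArmor's sources.
RULE_MODE_COVERS = {'r': {'r'}, 'a': {'a'}, 'w': {'w', 'a', 'c', 'd'}, 'x': {'x'}}


def rule_permits(rule_mode, requested_mask):
    """True if every letter the kernel requested is covered by the rule's mode letters."""
    allowed = set()
    for ch in rule_mode:
        allowed |= RULE_MODE_COVERS.get(ch, set())
    return set(requested_mask) <= allowed


def propose_rule(line, mapping):
    """Return (path, mode) for the rule aa-logprof would offer for this event."""
    ev = parse_event(line)
    return ev['name'], log_mask_to_rule_mode(ev['requested_mask'], mapping)


if __name__ == '__main__':
    for name, mapping in (('original', MASK_MAP_ORIGINAL), ('workaround', MASK_MAP_WORKAROUND)):
        path, mode = propose_rule(SAMPLE_LOG, mapping)
        ok = rule_permits(mode, parse_event(SAMPLE_LOG)['requested_mask'])
        print(f'{name}: {path} {mode}, covers "c": {ok}')
```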

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1324608

Title:
  when aa-logprof processed file access rules with mask of "c" the
  resulting profile doesn't work

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1324608/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
