Public bug reported: To set the scene
++++++++++++/usr/local/bin/test2.sh++++++++++++++++++ #!/bin/bash echo "hello world" cat /etc/passwd echo 'echo "I am a pink bunny!"' >> ~/.profile ++++++++++++++++++++++++++++++ ++++++++++++/etc/apparmor.d/usr.local.bin.test2.sh++++++++++++++++++ # Last Modified: Thu May 29 11:34:54 2014 #include <tunables/global> /usr/local/bin/test2.sh { #include <abstractions/base> #include <abstractions/bash> /bin/bash ix, /bin/cat rix, /dev/tty rw, /usr/local/bin/test2.sh r, } ++++++++++++++++++++++++++++++ So I run test2.sh and the >> ~/.profile is denied as expected. When I go to run aa-logprof it picks up on the logline apparmor="DENIED" operation="open" profile="/usr/local/bin/test2.sh" name="/root/.profile" pid=30693 comm="test2.sh" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 It as me about adding an append mode which makes sense so I add and allow. Now my profile looks like so ++++++++++++/etc/apparmor.d/usr.local.bin.test2.sh++++++++++++++++++ # Last Modified: Thu May 29 12:32:31 2014 #include <tunables/global> /usr/local/bin/test2.sh { #include <abstractions/base> #include <abstractions/bash> /bin/bash ix, /bin/cat rix, /dev/tty rw, /root/.profile a, /usr/local/bin/test2.sh r, } ++++++++++++++++++++++++++++++ The problem is when I run test2.sh again the append rule is still denied. I think this likely because although the request_mask of "c" is "converted to "a" by logparser.py in the runtime code (kernel?, apparmor_parse?) "c" is not converted to "a" nor is a subset of "a". It is in fact a subset of "w" which works. Here is the workaround in diff format. --- /usr/lib/python3/dist-packages/apparmor/logparser.py 2014-05-29 12:39:23.844284290 -0400 +++ /usr/lib/python3/dist-packages/apparmor/logparser.py.new 2014-05-29 12:39:11.444283996 -0400 @@ -126,12 +126,12 @@ LibAppArmor.free_record(event) # Map c (create) to a and d (delete) to w, logprof doesn't support c and d if rmask: - rmask = rmask.replace('c', 'a') + rmask = rmask.replace('c', 'w') rmask = rmask.replace('d', 'w') if not validate_log_mode(hide_log_mode(rmask)): raise AppArmorException(_('Log contains unknown mode %s') % rmask) if dmask: - dmask = dmask.replace('c', 'a') + dmask = dmask.replace('c', 'w') dmask = dmask.replace('d', 'w') if not validate_log_mode(hide_log_mode(dmask)): raise AppArmorException(_('Log contains unknown mode %s') % dmask) Right now I don't have time to identify where this bug is exactly but if I do I will update this ticket. ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1324608 Title: when aa-logprof processed file access rules with mask of "c" the resulting profile doesn't work To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1324608/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs