** Description changed:

  The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
  
- Reproducer:
- 
+ 
+ = test case #1 (aa-enforce) =
  $ mkdir /tmp/test1 /tmp/test2
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
-   #include "/tmp/test1"
-   include "/tmp/test2"
+   #include "/tmp/test1"
+   include "/tmp/test2"
  }
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
- $ sudo aa-enforce /etc/apparmor.d/lp1733700
- 
- ERROR: Syntax Error: Missing '}' or ','. Reached end of file
- /etc/apparmor.d/lp1733700 while inside profile lp1733700.
+ $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
+ 
+ 
+ = test case #2 (aa-genprof) =
+ 
+ This assumes test case #1 was already performed and
+ /etc/apparmor.d/lp1733700 exists with the above includes.
+ 
+ $ cat /tmp/lp1733700
+ #!/bin/sh
+ set -e
+ sh -c "$@"
+ 
+ # run without confinement:
+ $ /tmp/lp1733700 'cat /etc/fstab' | head -1
+ # /etc/fstab: static file system information.
+ 
+ # invoke genprof
+ $ sudo aa-genprof /tmp/lp1733700
+ ...
+ [(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
+ ... don't exercise the application any so we just have the default profile ...
+ [(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
+ ...
+ Finished generating profile for /tmp/lp1733700.
+ 
+ $ sudo cat /etc/apparmor.d/tmp.lp1733700
+ # Last Modified: Wed Dec 20 15:53:07 2017
+ #include <tunables/global>
+ 
+ /tmp/lp1733700 {
+   #include <abstractions/base>
+   #include <abstractions/bash>
+ 
+   /bin/dash ix,
+   /lib/x86_64-linux-gnu/ld-*.so mr,
+   /tmp/lp1733700 r,
+ 
+ }
+ 
+ 
+ = test case #3 (aa-logprof) =
+ 
+ This assumes test case #1 was already performed and
+ /etc/apparmor.d/lp1733700 exists with the above includes.
+ 
+ This also assumes test case #2 was already performed and
+ /etc/apparmor.d/tmp.lp1733700 exists.
+ 
+ Disable kernel rate limiting:
+ $ sudo sysctl -w kernel.printk_ratelimit=0
+ 
+ Create mark entry in syslog:
+ $ logger mark-lp1733700
+ 
+ Try running logprof with no new denials:
+ 
+ $ sudo aa-logprof -m mark-lp1733700 # currently fails
+ Reading log entries from /var/log/syslog.
+ Updating AppArmor profiles in /etc/apparmor.d.
+ $
+ 
+ Adjust /etc/apparmor.d/tmp.lp1733700 to add:
+ 
+   #include "/tmp/test1"
+   include "/tmp/test2"
+ 
+ Load it into the kernel:
+ $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
+ 
+ Create a new denial:
+ $ /tmp/lp1733700 'uptime'
+ sh: 1: uptime: Permission denied
+ $
+ 
+ Try running logprof:
+ 
+ $ sudo aa-logprof -m mark-lp1733700 # currently fails
+ Reading log entries from /var/log/syslog.
+ Updating AppArmor profiles in /etc/apparmor.d.
+ 
+ Profile:  /tmp/lp1733700
+ Execute:  /usr/bin/uptime
+ Severity: unknown
+ 
+ (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
+ ...
+ The following local profiles were changed. Would you like to save them?
+ <PRESS 'i'>
+ [1 - /tmp/lp1733700]
+ (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
+ <PRESS 's'>
+ 
+ Writing updated profile for /tmp/lp1733700.
+ $
+ 
+ Verify the profile for 'uptime' addition and that the /tmp/test1 and
+ /tmp/test2 includes were not removed (it is ok that they are both
+ '#include'):
+ 
+ $ sudo cat /etc/apparmor.d/tmp.lp1733700
+ # Last Modified: Wed Dec 20 16:19:19 2017
+ #include <tunables/global>
+ 
+ /tmp/lp1733700 {
+   #include "/tmp/test1"
+   #include "/tmp/test2"
+   #include <abstractions/base>
+   #include <abstractions/bash>
+ 
+   /bin/dash ix,
+   /lib/x86_64-linux-gnu/ld-*.so mr,
+   /tmp/lp1733700 r,
+   /usr/bin/uptime mrix,
+ 
+ }
+ 
+ 
+ = test case #4 (aa-mergeprof) =
+ 
+ $ mkdir -p /tmp/aa-mergeprof/new
+ $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
+ $ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
+ $ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
+ 
+ $ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
+ #include <tunables/global>
+ 
+ /tmp/lp1733700 {
+   #include <abstractions/base>
+   #include <abstractions/bash>
+   #include "/tmp/test1"
+ 
+   /bin/dash ix,
+   /lib/x86_64-linux-gnu/ld-*.so mr,
+   /tmp/lp1733700 r,
+   /usr/bin/uptime mrix,
+ 
+ }
+ 
+ $ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
+ #include <tunables/global>
+ 
+ /tmp/lp1733700 {
+   #include <abstractions/base>
+   #include <abstractions/bash>
+   #include "/tmp/test2"
+ 
+   /bin/dash ix,
+   /lib/x86_64-linux-gnu/ld-*.so mr,
+   /tmp/lp1733700 r,
+   /bin/cat ixr,
+ 
+ }
+ 
+ $ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
+ ...
+ [1 - #include "/tmp/test1"]
+ [(A)llow] / (I)gnore / Abo(r)t / (F)inish
+ <PRESS 'a'>
+ ...
+ [1 - /usr/bin/uptime mrix,]
+ (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
+ <PRESS 'a'>
+ ...
+ The following local profiles were changed. Would you like to save them?
+ 
+ [1 - /tmp/lp1733700]
+ (S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
+ Writing updated profile for /tmp/lp1733700.
+ $
+ 
+ Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
+ $ cat /tmp/aa-mergeprof/new/tmp.lp1733700
+ # Last Modified: Wed Dec 20 17:16:34 2017
+ #include <tunables/global>
+ 
+ /tmp/lp1733700 {
+   #include "/tmp/test1"
+   #include "/tmp/test2"
+   #include <abstractions/base>
+   #include <abstractions/bash>
+ 
+   /bin/cat rix,
+   /bin/dash ix,
+   /lib/x86_64-linux-gnu/ld-*.so mr,
+   /tmp/lp1733700 r,
+   /usr/bin/uptime mrix,
+ 
+ }
  
  Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
  
  = Original description =
  
  The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
  
  Reproducer:
  $ mkdir /tmp/test
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
    include "/tmp/test"
  }
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  ok
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
  
  Changing the 'include' to '#include' results in:
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  Setting /etc/apparmor.d/lp1733700 to enforce mode.
  
  At least aa-logprof is also affected.
  = Original report =
  
  On Ubuntu artful, I'm seeing the following behavior:
  
  $ aa-enforce usr.bin.chromium-browser
  ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
  include "/var/lib/snapd/apparmor/snap-confine.d"
  /etc/ld.so.cache r,
  
  I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
  
  This is snapd 2.28.5+17.10.
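A small Python model of the include forms this report exercises, added here as an example and not code from the apparmor project's python tools: `parse_include` accepts both keyword spellings and both target forms (magic `<...>` and quoted absolute path), `legacy_classify` models the pre-fix behaviour described above (the `#include "..."` form is swallowed as a comment and `include "..."` is an unknown line), and `collect_includes` keeps non-magic includes so a tool that rewrites a profile would not drop them. The function names and the sample profile are assumptions.

```python
import re

# One regex for the four spellings the bug report exercises:
#   #include <abstractions/base>   magic target, resolved under the parser's include dirs
#   include <tunables/global>
#   #include "/tmp/test1"          non-magic target: a quoted absolute path
#   include "/tmp/test2"
INCLUDE_RE = re.compile(
    r'^\s*#?include\s+(?:<(?P<magic>[^>]+)>|"(?P<path>[^"]+)")\s*$'
)

def parse_include(line):
    """Return {'magic': bool, 'target': str} for an include rule, else None."""
    m = INCLUDE_RE.match(line)
    if not m:
        return None
    if m.group('magic') is not None:
        return {'magic': True, 'target': m.group('magic')}
    return {'magic': False, 'target': m.group('path')}

def legacy_classify(line):
    """Model (assumption) of the behaviour the report describes: only
    '#include <...>' is recognised; any other '#' line is a comment;
    everything else is an unknown line."""
    if re.match(r'^\s*#include\s+<[^>]+>\s*$', line):
        return 'include'
    if line.lstrip().startswith('#'):
        return 'comment'    # '#include "/tmp/test1"' is silently dropped
    return 'unknown'        # 'include "/tmp/test2"' -> syntax error

def collect_includes(profile_text):
    """All include rules in a profile, in order and without duplicates, so a
    tool that rewrites the profile can emit them back unchanged."""
    seen, out = set(), []
    for line in profile_text.splitlines():
        rule = parse_include(line)
        if rule and rule['target'] not in seen:
            seen.add(rule['target'])
            out.append(rule)
    return out

# Constructed sample mirroring the shape of the report's test case #1 profile.
SAMPLE_PROFILE = """\
#include <tunables/global>
profile lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
  #include <abstractions/base>
  /bin/dash ix,
}
"""
```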
-- 
https://bugs.launchpad.net/bugs/1733700

Title:
  python tools do not understand 'non-magic' include rules