** Description changed:

  The apparmor parser supports 'include' and '#include' rules for specifying
  absolute paths, but the python tools only understand include rules for so
  called 'magic' '<>' file locations.

  = test case #0 (testsuite) =
- $ sudo apt-get install apparmor apparmor-utils # not required with 2.12
+ $ sudo apt-get install apparmor apparmor-utils # from proposed
  $ sudo apt-get build-dep apparmor
- $ sudo apt-get install quilt pyflakes pyflakes3
- $ apt-get source apparmor
+ $ sudo apt-get install quilt pyflakes pyflakes3 # pyflakes3 on xenial and higher
+ $ apt-get source apparmor # from proposed
  $ cd apparmor-*
  $ quilt push -a
  $ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
  $ export PYTHON=/usr/bin/python3
  $ export PYTHON_VERSION=3
  $ export PYTHON_VERSIONS=python3
  $ cd libraries/libapparmor
  $ sh ./autogen.sh
  $ sh ./configure --prefix=/usr --with-perl --with-python
  $ make
  $ cd ../../binutils
  $ make
  $ ../parser
  $ make
  $ cd ../utils
  $ make
  $ make check

  = test case #1 (aa-enforce) =
+
+ This assumes test case #0 has been performed.
+
  $ mkdir /tmp/test1 /tmp/test2
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
    #include "/tmp/test1"
    include "/tmp/test2"
  }
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  $ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

  = test case #2 (aa-genprof) =
  This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.

  $ cat /tmp/lp1733700
  #!/bin/sh
  set -e
  sh -c "$@"
  $ chmod 755 /tmp/lp1733700

  # run without confinement:
  $ /tmp/lp1733700 'cat /etc/fstab' | head -1
  # /etc/fstab: static file system information.

  # invoke genprof
  $ sudo aa-genprof /tmp/lp1733700
  ...
  [(S)can system log for AppArmor events] / (F)inish
  - PRESS 's' - currently fails
  ...
  don't exercise the application any so we just have the default profile
  ...
  [(S)can system log for AppArmor events] / (F)inish
  - PRESS 'f'
  ...
  Finished generating profile for /tmp/lp1733700.

  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 15:53:07 2017
  #include <tunables/global>

  /tmp/lp1733700 {
    #include <abstractions/base>
    #include <abstractions/bash>

    /bin/dash ix,
    /lib/x86_64-linux-gnu/ld-*.so mr,
    /tmp/lp1733700 r,

  }

  = test case #3 (aa-logprof) =
  This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes. This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.

  Disable kernel rate limiting:
  $ sudo sysctl -w kernel.printk_ratelimit=0

  Create mark entry in syslog:
  $ logger mark-lp1733700

  Try running logprof with no new denials:
  $ sudo aa-logprof -m mark-lp1733700 # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.
  $

  Adjust /etc/apparmor.d/tmp.lp1733700 to add:
    #include "/tmp/test1"
    include "/tmp/test2"

  Load it into the kernel:
  $ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

  Create a new denial:
  $ /tmp/lp1733700 'uptime'
  sh: 1: uptime: Permission denied
  $

  Try running logprof:
  $ sudo aa-logprof -m mark-lp1733700 # currently fails
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /etc/apparmor.d.

  Profile:  /tmp/lp1733700
  Execute:  /usr/bin/uptime
  Severity: unknown

  (I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
  ...
  The following local profiles were changed. Would you like to save them?
  <PRESS 'i'>
  [1 - /tmp/lp1733700]

  (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
  <PRESS 's'>
  Writing updated profile for /tmp/lp1733700.
  $

  Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
  $ sudo cat /etc/apparmor.d/tmp.lp1733700
  # Last Modified: Wed Dec 20 16:19:19 2017
  #include <tunables/global>

  /tmp/lp1733700 {
    #include "/tmp/test1"
    #include "/tmp/test2"
    #include <abstractions/base>
    #include <abstractions/bash>

    /bin/dash ix,
    /lib/x86_64-linux-gnu/ld-*.so mr,
    /tmp/lp1733700 r,
    /usr/bin/uptime mrix,

  }

  = test case #4 (aa-mergeprof) =
  $ mkdir -p /tmp/aa-mergeprof/new
  $ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
  $ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
  $ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
  $ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
  #include <tunables/global>

  /tmp/lp1733700 {
    #include <abstractions/base>
    #include <abstractions/bash>
    #include "/tmp/test1"

    /bin/dash ix,
    /lib/x86_64-linux-gnu/ld-*.so mr,
    /tmp/lp1733700 r,
    /usr/bin/uptime mrix,

  }
  $ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
  #include <tunables/global>

  /tmp/lp1733700 {
    #include <abstractions/base>
    #include <abstractions/bash>
    #include "/tmp/test2"

    /bin/dash ix,
    /lib/x86_64-linux-gnu/ld-*.so mr,
    /tmp/lp1733700 r,
    /bin/cat ixr,

  }
  $ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
  ...
  [1 - #include "/tmp/test1"]
  [(A)llow] / (I)gnore / Abo(r)t / (F)inish
  <PRESS 'a'>
  ...
  [1 - /usr/bin/uptime mrix,]
  (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
  <PRESS 'a'>
  ...
  The following local profiles were changed. Would you like to save them?
  [1 - /tmp/lp1733700]

  (S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore
  - PRESS 's'
  Writing updated profile for /tmp/lp1733700.
  $

  Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
  $ cat /tmp/aa-mergeprof/new/tmp.lp1733700
  # Last Modified: Wed Dec 20 17:16:34 2017
  #include <tunables/global>

  /tmp/lp1733700 {
    #include "/tmp/test1"
    #include "/tmp/test2"
    #include <abstractions/base>
    #include <abstractions/bash>

    /bin/cat rix,
    /bin/dash ix,
    /lib/x86_64-linux-gnu/ld-*.so mr,
    /tmp/lp1733700 r,
    /usr/bin/uptime mrix,

  }

  Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.

  = Original description =
  The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).

  Reproducer:
  $ mkdir /tmp/test
  $ cat /etc/apparmor.d/lp1733700
  profile lp1733700 {
    include "/tmp/test"
  }
  $ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
  ok
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

  Changing the 'include' to '#include' results in:
  $ sudo aa-enforce /etc/apparmor.d/lp1733700
  Setting /etc/apparmor.d/lp1733700 to enforce mode.

  At least aa-logprof is also affected.

  = Original report =
  On Ubuntu artful, I'm seeing the following behavior:

  $ aa-enforce usr.bin.chromium-browser
  ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
      include "/var/lib/snapd/apparmor/snap-confine.d"
  /etc/ld.so.cache r,

  I have never touched snap.core.3440.usr.lib.snapd.snap-confine. This is snapd 2.28.5+17.10.
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1733700

Title:
  python tools do not understand 'non-magic' include rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1733700/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
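The two failure modes the description contrasts (an `include "/abs/path"` line rejected as an unknown line, while `#include "/abs/path"` is quietly treated as a comment and so never recognised as an include at all) both come down to how a profile line is matched. The following is an added example and is not code from the apparmor project or from this bug report: the two regular expressions are simplified stand-ins for an "old" matcher that only knows the magic `#include <...>` form and a "fixed" matcher that accepts `include`/`#include` with either a `<magic>` or a `"quoted"` absolute path (an assumption about the shape of the fix, not the tools' actual code), and the sample profile is constructed from the include lines used in the test cases above.

```python
import re

# Constructed sample profile; the include lines mirror those in the bug's test cases.
SAMPLE_PROFILE = """\
#include <tunables/global>
/tmp/lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
  #include <abstractions/base>
  # an ordinary comment that mentions include "/not/a/rule"
  /bin/dash ix,
}
"""

# "Old" behaviour (assumption: a simplified stand-in for the tools' original
# matcher): only the magic '#include <...>' form counts as an include rule.
OLD_INCLUDE_RE = re.compile(r'^\s*#include\s*<(?P<magic>[^>]+)>\s*$')

# "Fixed" behaviour: optional leading '#', then either a <magic> path (resolved
# relative to the include directories) or a "quoted" absolute path, which is
# what apparmor_parser accepts.
NEW_INCLUDE_RE = re.compile(
    r'^\s*#?include\s*(?:<(?P<magic>[^>]+)>|"(?P<abs>[^"]+)")\s*$')

COMMENT_RE = re.compile(r'^\s*#')
# Profile header ending in '{', a bare closing '}', or a rule terminated by ','.
STRUCTURAL_RE = re.compile(r'^\s*(?:\S.*\{|\}|.*,)\s*$')


def _classify(line, include_re):
    """Classify one profile line as ('include', path, is_magic),
    ('comment', None, None), ('rule', None, None) or ('unknown', None, None)."""
    m = include_re.match(line)
    if m:
        groups = m.groupdict()
        if groups.get('magic') is not None:
            return ('include', groups['magic'], True)
        return ('include', groups['abs'], False)
    # Order matters: the include test must run before the comment test,
    # otherwise '#include "..."' is swallowed as a comment without any error.
    if COMMENT_RE.match(line):
        return ('comment', None, None)
    if not line.strip() or STRUCTURAL_RE.match(line):
        return ('rule', None, None)
    return ('unknown', None, None)   # the tools report "Unknown line found"


def classify_old(line):
    return _classify(line, OLD_INCLUDE_RE)


def classify_new(line):
    return _classify(line, NEW_INCLUDE_RE)


def scan_profile(text, classify):
    """Return (includes, dropped, unknown): include paths in file order, lines
    that look like '#include ...' but were treated as comments, and lines the
    classifier rejects outright."""
    includes, dropped, unknown = [], [], []
    for line in text.splitlines():
        kind, path, _is_magic = classify(line)
        if kind == 'include':
            includes.append(path)
        elif kind == 'comment' and re.match(r'^\s*#include\b', line):
            dropped.append(line.strip())
        elif kind == 'unknown':
            unknown.append(line.strip())
    return includes, dropped, unknown


if __name__ == '__main__':
    for name, classify in (('old', classify_old), ('new', classify_new)):
        includes, dropped, unknown = scan_profile(SAMPLE_PROFILE, classify)
        print(name, 'includes:', includes)
        print(name, 'silently dropped:', dropped)
        print(name, 'rejected as unknown:', unknown)
```

Run over the sample, the old matcher returns only the two magic includes, reports `#include "/tmp/test1"` as silently dropped and `include "/tmp/test2"` as an unknown line; the fixed matcher returns all four includes in file order with nothing dropped or rejected. The silent-drop case is the one a reviewer should care about, because a tool that rewrites a profile after parsing it this way can emit output that no longer carries the include it never saw; testing for an include rule before testing for a comment is what closes that gap.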