Hello,

are hat declarations like

/foo {
  ^hat,
}

still allowed/valid? The tools accept them, but the 2.9.2 parser errors out with
    unexpected TOK_END_OF_RULE, expecting TOK_OPEN


I'm asking because I found an interesting bug:

If you have this profile

/foo {
  ^hat,
  ^hat {
      network,
  }
}

and save it (for example via aa-cleanprof, "view changes" is enough), the
  ^hat,
line is dropped. No problem so far.

Unfortunately if you have

/foo {
  ^hat {
      network,
  }
  ^hat,
}

you will end up with

/foo {
  ^hat,
}

(last one wins!)
and that is clearly something you don't want.


This is caused by the 'declared' flag and how write_piece() in aa.py handles it:

        if profile_data[hat].get('declared', False):
            data.append('%s^%s,' % (pre2, hat))
...
            if not profile_data[hat]['external'] and not profile_data[hat]['declared']:
                # write hat with content

So before I start fixing that bug, I'd like to know if
  ^hat,
is still allowed - if not, removing the code for it would be the easiest 
solution.



Oh, and I found all this while hunting down another bug ;-)

To make things more interesting, that other bug crashes aa-cleanprof 
80% of the time, but it works well 20% of the time with exactly the same
profile directory.

The test profile is attached to this mail. Store it in an empty directory,
add symlinks to abstractions and tunables and run (using latest bzr 
trunk of course)
    python3 aa-cleanprof -d /your/test/directory/   /usr/sbin/sshd

Questions are:
- can you reproduce the crash? (should be easy)
- does it work sometimes? (as in "you can view the changes")
- most interesting (and difficult) question: WHY doesn't it crash 20%
  of the time? (Try to find this out only if you have some free time ;-)

On the positive side, I'm just testing a (quite intrusive, sorry) patch 
that fixes it in 100% of the time :-)


Regards,

Christian Boltz
-- 
<dvratil_> :-) this is how we fix bugs in Akonadi...
               we just wait for them to disappear :P
[from #kontact]
# Last Modified: Sun Mar 15 21:58:08 2015
#include <tunables/global>

# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# will need to revalidate this profile once we finish re-architecting
# the change_hat patch.
#


/usr/sbin/sshd {
  capability audit_control,
  capability audit_write,
  audit capability chown,
  deny capability fowner,
  capability kill,
#  capability,
  capability net_admin,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,
  capability sys_tty_config,

  /bin/ash rUx,
  /bin/bash rUx,
  /bin/bash2 rUx,
  /bin/bsh rUx,
  /bin/csh rUx,
  /bin/ksh rUx,
  /bin/sh rUx,
  /bin/tcsh rUx,
  /bin/zsh rUx,
  /dev/ptmx rw,
  /dev/pts/[0-9]* rw,
  /dev/urandom r,
  /etc/environment r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/modules.conf r,
  /etc/motd r,
  /etc/ssh/* r,
  /etc/ssh/moduli r,
  /etc/ssl/openssl.cnf r,
  /home/sys-var/run/sshd.init.pid w,
  /proc/*/loginuid r,
  /proc/*/oom_adj rw,
  /proc/*/oom_score_adj rw,
  /proc/*/uid_map r,
  /sbin/nologin rUx,
  /tmp/ssh-*/agent.[0-9]* rwl,
  /tmp/ssh-*[0-9]*/ w,
  /usr/sbin/sshd mrix,
  /var/log/btmp r,
  /var/log/lastlog k,
  /var/run/sshd.pid w,
  /{,var/}run w,
  /{,var/}run/sshd{,.init}.pid wl,
  @{HOME}/.ssh/authorized_keys{,2} r,
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/loginuid w,
  @{PROC}/[0-9]*/mounts r,
  @{PROC}/filesystems r,


  ^AUTHENTICATED {
    #include <abstractions/authentication>
    #include <abstractions/consoles>
    #include <abstractions/nameservice>
    #include <abstractions/wutmp>

    capability setgid,
    capability setuid,
    capability sys_tty_config,

    /dev/log w,
    /dev/ptmx rw,
    /etc/default/passwd r,
    /etc/localtime r,
    /etc/login.defs r,
    /etc/motd r,
    /tmp/ssh-*/agent.[0-9]* rwl,
    /tmp/ssh-*[0-9]*/ w,

  }

  ^EXEC {
    #include <abstractions/base>

    /bin/ash Ux,
    /bin/bash Ux,
    /bin/bash2 Ux,
    /bin/bsh Ux,
    /bin/csh Ux,
    /bin/ksh Ux,
    /bin/sh Ux,
    /bin/tcsh Ux,
    /bin/zsh Ux,
    /sbin/nologin Ux,

  }

  ^PRIVSEP {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    capability setgid,
    capability setuid,
    capability sys_chroot,

  }

# deletes the content of ^PRIVSEP when saving the profile! (last one wins)
# additionally, the parser says this is invalid syntax
  ^PRIVSEP,

  ^PRIVSEP_MONITOR {
    #include <abstractions/authentication>
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/wutmp>

    capability chown,
    capability setgid,
    capability setuid,

    /dev/ptmx rw,
    /dev/pts/[0-9]* rw,
    /dev/urandom r,
    /etc/hosts.allow r,
    /etc/hosts.deny r,
    /etc/ssh/moduli r,
    @{HOME}/.ssh/authorized_keys{,2} r,
    @{PROC}/[0-9]*/mounts r,

  }
}
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
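To make the ordering problem from the mail concrete, here is a small stand-alone simulation (added here; not code from aa.py or the AppArmor project) of the two ways the hat entries of a profile can be collected: one overwrites the hat's entry on every `^hat` line ("last one wins"), the other merges a bare `^hat,` declaration with the hat body so the order in the profile no longer matters. The parser, the writer and the two profile strings are constructed for this illustration only.

```python
import re

# Constructed profiles reproducing the two orderings described in the mail.
PROFILE_BODY_FIRST = "/foo {\n  ^hat {\n      network,\n  }\n  ^hat,\n}\n"
PROFILE_DECL_FIRST = "/foo {\n  ^hat,\n  ^hat {\n      network,\n  }\n}\n"

HAT_DECL = re.compile(r'^\s*\^(\S+),\s*$')      # bare "^hat," declaration
HAT_OPEN = re.compile(r'^\s*\^(\S+)\s*\{\s*$')  # "^hat {" opening a body


def parse_hats(text, merge):
    """Collect hats as {name: {'declared': bool, 'rules': [...]}}.

    merge=False mimics the "last one wins" behaviour from the mail: every
    ^hat line replaces whatever was recorded for that hat before, so a
    trailing "^hat," throws away the body.  merge=True keeps the body and
    marks a hat 'declared' only if no body was seen anywhere in the profile.
    """
    hats, current = {}, None
    for line in text.splitlines():
        m = HAT_OPEN.match(line)
        if m:
            current = m.group(1)
            entry = hats.setdefault(current, {}) if merge else {}
            entry.update(declared=False, rules=entry.get('rules', []))
            hats[current] = entry
            continue
        m = HAT_DECL.match(line)
        if m:
            if merge:
                hats.setdefault(m.group(1), {'declared': True, 'rules': []})
            else:
                hats[m.group(1)] = {'declared': True, 'rules': []}
            continue
        if current is not None:          # inside a hat body
            if line.strip() == '}':
                current = None
            elif line.strip():
                hats[current]['rules'].append(line.strip())
    return hats


def write_hats(hats, indent='  '):
    """Serialize like the write_piece() logic quoted in the mail: a 'declared'
    hat becomes a bare "^hat," line, any other hat is written with content."""
    out = []
    for hat in sorted(hats):
        if hats[hat]['declared']:
            out.append('%s^%s,' % (indent, hat))
        else:
            out.append('%s^%s {' % (indent, hat))
            out.extend('%s    %s' % (indent, r) for r in hats[hat]['rules'])
            out.append('%s}' % indent)
    return '\n'.join(out)
```

With merge=False the body-first profile collapses to a bare `^hat,`; with merge=True both orderings yield the same hat with its `network,` rule preserved.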
