** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Xenial)
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1609885

Title:
  exec transitions to profiles with '.' in name don't work

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  If a child profile has '.' in the name, then the parser fails to compile the policy:
  $ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
  AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found unexpected character: '.'

  If I put a child profile with '.' in the name in a variable, the parser compiles the policy but the exec transition fails:
  $ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
  /tmp/with.dots: 3: /tmp/with.dots: cat: Permission denied

  denial is:
  apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="test" name="/bin/cat" pid=18219 comm="with.dots" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  $ cat /tmp/test.sh
  #!/bin/sh
  cat /proc/version

  $ cat /tmp/profile
  #include <tunables/global>

  @{TARGET_PROFILE}="with.dots"

  profile test {
    #include <abstractions/base>
    #include <abstractions/bash>

    /tmp/test.sh r,

    # parser error:
    # AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found
    # unexpected character: '.'
    /{,usr/}bin/cat cx -> with.dots,

    # fail to transition:
    # apparmor="DENIED" operation="exec" info="profile transition not found"
    # error=-13 profile="test" name="/bin/cat" pid=18105 comm="with.dots"
    # requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
    #/{,usr/}bin/cat cx -> @{TARGET_PROFILE},

    # ok
    #/{,usr/}bin/cat cx -> no_dots,

    profile with.dots {
      #include <abstractions/base>
      @{PROC}/version r,
      /{,usr/}bin/cat r,
    }

    profile no_dots {
      #include <abstractions/base>
      @{PROC}/version r,
      /{,usr/}bin/cat r,
    }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1609885/+subscriptions
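
A heuristic pre-load check for the two failure modes reported above, as an added example (not part of the bug report and not AppArmor code): it scans profile text for active exec rules whose named transition target contains '.', either written literally or supplied through a variable. The function name, the regexes and the sample profile are assumptions constructed from the profile shown in the report.

```python
import re

# Variable definition in the form shown in the report: @{TARGET_PROFILE}="with.dots"
VAR_DEF = re.compile(r'^\s*(@\{\w+\})\s*=\s*"?([^"\s]+)"?\s*$')
# Rule with a named transition: <path> <mode ending in x> -> <target>,
EXEC_RULE = re.compile(r'^\s*(\S+)\s+\w*x\s*->\s*(\S+?)\s*,\s*$')

def find_dotted_transitions(profile_text):
    """Return (line_no, path, target, expected_failure) for each active exec
    rule whose transition target contains '.' (hypothetical helper)."""
    lines = profile_text.splitlines()
    variables = {}
    for line in lines:
        m = VAR_DEF.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    findings = []
    for no, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):   # comments and #include lines
            continue
        m = EXEC_RULE.match(line)
        if not m:
            continue
        path, raw = m.groups()
        target = variables.get(raw, raw)    # resolve @{VAR} targets
        if "." not in target:
            continue
        if raw in variables:
            failure = "runtime denial: profile transition not found"
        else:
            failure = "parser error: Found unexpected character: '.'"
        findings.append((no, path, target, failure))
    return findings

# Constructed sample, adapted from the profile in the report.
SAMPLE = """\
@{TARGET_PROFILE}="with.dots"
profile test {
  /tmp/test.sh r,
  /{,usr/}bin/cat cx -> with.dots,
  /{,usr/}bin/cat cx -> @{TARGET_PROFILE},
  #/{,usr/}bin/cat cx -> also.dots,
  /{,usr/}bin/cat cx -> no_dots,
}
"""

if __name__ == "__main__":
    for finding in find_dotted_transitions(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```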
