Thanks to Timo's help on irc, we were able to debug this a little
further.

The parser, when loading the policies, fails with the following strace:

  open("/sys/kernel/security/apparmor/.load", O_WRONLY) = 3
  write(3, "\4\10\0version\0\2\5\0\0\0\4\10\0profile\0\7\5\22\0/u"..., 31321) = -1 EACCES (Permission denied)

The only reason I see for the write to return this, in looking at the
apparmorfs.c code, is due to the calling process being confined, either in
complain or enforce mode (the parser was definitely running as root, the open()
succeeded and the parser aborts early if it's not). Timo confirmed this was the
case with 'cat /proc/self/attr/current' returning 'null-complain-profile'
instead of the expected 'unconfined'.

(The null-complain-profile is normally attached to processes that are
exec()ed from processes in complain mode, as the kernel code doesn't
know whether the admin will choose to make a separate policy or roll it
into the calling process's profile.)

One of the policies Timo was working on was one for sshd (and he
confirmed that he was reloading policy over ssh); however, I'm unable to
reproduce the behavior by taking the sshd profile shipped in the
apparmor-profiles package and putting it in complain mode; the resulting
shell is still listed as unconfined. I also note that the original
reporter's information indicated no profile for sshd.

There have been bugs in the past with apparmor mistakenly applying the
null-complain-profile in situations where it shouldn't; it's possible
that that is what's happening here.

> Also found that the apparmor_parser doesn't handle some of the flags,
> --Complain and -d seen below, mentioned in the help text.

Dur. --complain got mis-documented as having the uppercase C; I've fixed
the upstream code to support either. The -d argument is more for
apparmor developers, you'll get output if you do -dd, though again I've
fixed the upstream code to emit that with only one -d. (It will also
emit debugging statements if they've been enabled at compile time, but
it's not really well supported.)

-- 
jaunty: Apparmor doesn't parse logs and doesnt generally work.
https://bugs.launchpad.net/bugs/341205
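The diagnostic Timo ran by hand can be scripted, so that an admin who hits EACCES on the apparmorfs .load write can tell at once whether the calling shell is confined. The following POSIX shell example is added here and is not code from the bug report or from the AppArmor project; it reads the same /proc/self/attr/current label the message above describes and classifies it. The optional file argument, the function names and the "blocked"/"ok" wording are assumptions made for this example; the "<profile> (complain)" / "<profile> (enforce)" label format is what the kernel reports for confined tasks.

```shell
#!/bin/sh
# Added example: classify AppArmor confinement of a process from the label
# in /proc/<pid>/attr/current, then explain a failed policy load in those terms.
# Not part of the bug report or of apparmor_parser.

# classify_confinement [attr_file]
# Prints exactly one of:
#   unconfined
#   null-complain                      (label is null-complain-profile)
#   confined:<profile>:<mode>          (mode is complain or enforce)
#   unknown                            (label file unreadable)
# The file argument (default /proc/self/attr/current) exists so the
# classifier can be exercised against constructed labels; it is an assumption
# of this example. Always returns 0 so it is safe under `set -e`.
classify_confinement() {
    attr_file="${1:-/proc/self/attr/current}"
    if [ ! -r "$attr_file" ]; then
        echo "unknown"
        return 0
    fi
    # The kernel terminates the label with a NUL; drop it and keep one line.
    label=$(tr -d '\000' < "$attr_file" | head -n 1)
    case "$label" in
        unconfined|"")
            echo "unconfined" ;;
        null-complain-profile*)
            echo "null-complain" ;;
        *" (complain)")
            echo "confined:${label%" (complain)"}:complain" ;;
        *" (enforce)")
            echo "confined:${label%" (enforce)"}:enforce" ;;
        *)
            # A bare profile name with no mode suffix is an enforced profile.
            echo "confined:$label:enforce" ;;
    esac
    return 0
}

# preflight_policy_load [attr_file]
# Run before (or after a failed) apparmor_parser invocation: reports whether
# the caller's own confinement is the likely cause of EACCES on .load, which
# is the condition the bug report above identifies.
preflight_policy_load() {
    state=$(classify_confinement "${1:-/proc/self/attr/current}")
    case "$state" in
        unconfined)
            echo "ok: caller is unconfined; apparmorfs .load writes are not blocked by the caller's own profile" ;;
        null-complain)
            echo "blocked: caller runs under null-complain-profile (spawned from a complain-mode process); expect EACCES on .load" ;;
        confined:*)
            echo "blocked: caller is confined by ${state#confined:}; expect EACCES on .load unless that profile permits it" ;;
        *)
            echo "unknown: cannot read the confinement label" ;;
    esac
    return 0
}

# Stand-alone use: report on the current shell.
preflight_policy_load
```

In the reported case the script prints the "null-complain" verdict for the shell that was spawned over ssh, which is the same conclusion reached above from `cat /proc/self/attr/current`; the fix is to load policy from an unconfined session (or, where the parent profile is intended, to give it the rights it needs) rather than to treat the EACCES as a parser bug.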