I made some slight adjustments to test.sh and found that the sha1 of the
loaded profile changes after reloading:

# ./test.sh 
usr.bin.serge.allow loaded, sha1 7e932d334f64e154a8749ded59787ce0f5dc0785
usr.bin.serge.deny loaded,  sha1 7045ef3e6721273fdb0bc8e556f4dd8b7136a7d7
failed

The audit messages logged at the same time:
type=AVC msg=audit(1383780124.809:900): apparmor="STATUS" 
operation="profile_load" parent=14173 profile="unconfined" 
name="/usr/bin/serge" pid=14176 comm="apparmor_parser"
type=SYSCALL msg=audit(1383780124.809:900): arch=c000003e syscall=1 success=yes 
exit=16785 a0=5 a1=ab8f00 a2=4191 a3=7fff0ec3b4c0 items=0 ppid=14173 pid=14176 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
ses=4294967295 tty=pts7 comm="apparmor_parser" exe="/sbin/apparmor_parser" 
key=(null)
type=AVC msg=audit(1383780124.913:901): apparmor="STATUS" 
operation="profile_replace" parent=14173 profile="unconfined" 
name="/usr/bin/serge" pid=14188 comm="apparmor_parser"
type=SYSCALL msg=audit(1383780124.913:901): arch=c000003e syscall=1 success=yes 
exit=16953 a0=5 a1=1b58f00 a2=4239 a3=7fff4b63f570 items=0 ppid=14173 pid=14188 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
ses=4294967295 tty=pts7 comm="apparmor_parser" exe="/sbin/apparmor_parser" 
key=(null)


Add these two lines after the first apparmor_parser load:
printf "usr.bin.serge.allow loaded, sha1 "
cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.serge.*/sha1

Add these two lines after the second apparmor_parser load:
printf "usr.bin.serge.deny loaded,  sha1 "
cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.serge.*/sha1

So I think this rules out caching inconsistencies.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1236455

Title:
  Running tasks are not subject to reloaded policies


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
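The check the reporter added to test.sh, generalised into reusable shell functions (an added example, not part of the bug report or the AppArmor project): read the kernel's sha1 for a loaded profile from securityfs, compare it across a reload, and count the matching profile_load/profile_replace audit records. The securityfs path is the one from the report; POLICY_DIR, the function names and the audit-record counting are assumptions for illustration, and the audit records fed in are constructed one per line.

```shell
#!/bin/sh
# Added example: verify that an apparmor_parser reload installed a different
# policy by comparing the sha1 the kernel exposes before and after.
# POLICY_DIR defaults to the real securityfs path from the bug report but can
# be pointed at a constructed directory tree for offline runs (assumption).
POLICY_DIR="${POLICY_DIR:-/sys/kernel/security/apparmor/policy/profiles}"

# Print the sha1 of the loaded profile whose directory is named <name>.<id>
# (e.g. usr.bin.serge.12); returns 1 if no such profile is loaded.
profile_sha1() {
    name="$1"
    for d in "$POLICY_DIR"/"$name".*; do
        [ -f "$d/sha1" ] && cat "$d/sha1" && return 0
    done
    return 1
}

# Return 0 only when both hashes are present and differ, i.e. the kernel now
# holds a different policy than before the reload.
policy_changed() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Count apparmor STATUS audit records (one per line on stdin) for a given
# operation ("profile_load", "profile_replace", ...) and profile path.
count_audit_ops() {
    op="$1"; path="$2"
    grep -c "apparmor=\"STATUS\".*operation=\"$op\".*name=\"$path\"" || true
}

# Replace a profile with apparmor_parser -r and report whether the kernel's
# sha1 for it changed. Needs root and a running AppArmor; not run offline.
reload_and_verify() {
    profile_file="$1"; name="$2"
    before=$(profile_sha1 "$name")
    apparmor_parser -r "$profile_file" || return 2
    after=$(profile_sha1 "$name")
    printf '%s: %s -> %s\n' "$name" "$before" "$after"
    policy_changed "$before" "$after"
}
```

A sha1 that changes while the confined task keeps its old behaviour points at the task not picking up the replaced policy, which is what the bug title describes, rather than at a stale parser cache.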
