aa-logprof "new path" confirmation incorrect with filenames including metacharacters

Bug #1001024 reported by Seth Arnold
Affects: AppArmor | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

The debsums program needed to access some data in /tmp/dQK_wRVzCn/g++/ in the course of its checksumming.

When writing the profile with aa-logprof, I used the New functionality to replace the random-looking content with an * and got the following funny messages:

| Profile: /usr/bin/debsums
| Path: /tmp/dQK_wRVzCn/g\+\+/
| Old Mode: r
| New Mode: rw
| Severity: unknown
|
|
| [1 - /tmp/dQK_wRVzCn/g\+\+/]
| 2 - /**
|
| [(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
| Enter new path: /tmp/*/g\+\+/
|
| The specified path does not match this log entry:
|
| Log Entry: /tmp/dQK_wRVzCn/g\+\+/
| Entered Path: /tmp/*/g\+\+/
|
| Do you really want to use this path?
|
|
| (Y)es / [(N)o]

There are a few oddities here; first, the Filename: line is showing an _escaped_ version of the filename rather than the raw filename. Second, the "specified path does not match this log entry" check appears to be checking against the escaped version of the name, and not the filename that was actually referenced. (I used the readline facility to replace only the random-looking content with an asterisk, so I'm confident I didn't screw it up.)

I'm not sure which specific audit entries generated these questions, but some of the lines from the log file:

type=AVC msg=audit(1337117164.559:422): apparmor="ALLOWED" operation="mkdir" parent=15532 profile="/usr/bin/debsums//null-30" name="/tmp/dQK_wRVzCn/g++/" pid=15535 comm="dpkg-deb" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1337117164.559:461): apparmor="ALLOWED" operation="getattr" parent=15532 profile="/usr/bin/debsums//null-30//null-31" name="/tmp/dQK_wRVzCn/g++/" pid=15535 comm="tar" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

You can recreate this through a slightly complicated set of steps:

cd /tmp
cp /bin/cat /tmp/cat
mkdir -p foo/g++
echo foo > foo/g++/foo
aa-genprof /tmp/cat
/tmp/cat foo/g++/foo

Replace the first 'foo' with a '*' using the New option, and you'll be able to see this yourself.

ii apparmor 2.7.102-0ubuntu3 User-space parser utility for AppArmor
ii apparmor-utils 2.7.102-0ubuntu3 Utilities for controlling AppArmor

Tags: aa-tools
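The mismatch described in the report can be reproduced in a few lines. This is an added illustration, not code from the AppArmor utilities: it escapes a raw log path the way the prompt above displays it, turns the glob typed at "Enter new path" into a regex, and shows that the glob covers the raw name from the audit log but not the escaped one. The set of characters treated as profile metacharacters is an assumption based on the `\+` shown in this report, and the `*`/`**`/`?` handling follows AppArmor's documented glob meaning.

```python
import re

# Characters to backslash-escape when rendering a raw path in profile syntax.
# Assumed set for this example; the report only shows '+' being escaped.
PROFILE_METACHARS = set('*?[]{}^+\\')


def escape_for_profile(raw_path: str) -> str:
    """Escape characters that are special in AppArmor profile path rules."""
    return ''.join('\\' + c if c in PROFILE_METACHARS else c for c in raw_path)


def glob_to_regex(glob: str) -> re.Pattern:
    """Convert an AppArmor-style path glob into an anchored regex.

    '\\x' is a literal x, '**' matches across '/', '*' and '?' do not.
    """
    out = []
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == '\\' and i + 1 < len(glob):   # escaped metacharacter
            out.append(re.escape(glob[i + 1]))
            i += 2
            continue
        if c == '*':
            if glob.startswith('**', i):       # '**' crosses directories
                out.append('.*')
                i += 2
                continue
            out.append('[^/]*')               # single '*' stays in one component
        elif c == '?':
            out.append('[^/]')
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


def entered_path_matches(entered: str, log_path: str, compare_escaped: bool = False) -> bool:
    """Does the typed glob cover the log entry?

    compare_escaped=True reproduces the reported behaviour of checking the glob
    against the escaped display form instead of the name the process touched.
    """
    target = escape_for_profile(log_path) if compare_escaped else log_path
    return glob_to_regex(entered).match(target) is not None


LOG_PATH = "/tmp/dQK_wRVzCn/g++/"   # name= value from the audit lines above
ENTERED = r"/tmp/*/g\+\+/"          # what was typed at the prompt
```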
Jamie Strandboge (jdstrand) wrote :

Does this affect newer apparmor releases?

Changed in apparmor:
status: New → Incomplete
tags: added: aa-tools
Launchpad Janitor (janitor) wrote :

[Expired for AppArmor because there has been no activity for 60 days.]

Changed in apparmor:
status: Incomplete → Expired