aa-logprof "new path" confirmation incorrect with filenames including metacharacters
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Expired | Undecided | Unassigned | |
Bug Description
The debsums program needed to access some data in /tmp/dQK_
When writing the profile with aa-logprof, I used the New functionality to replace the random-looking content with an * and got the following funny messages:
| Profile: /usr/bin/debsums
| Path: /tmp/dQK_
| Old Mode: r
| New Mode: rw
| Severity: unknown
|
|
| [1 - /tmp/dQK_
| 2 - /**
|
| [(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
| Enter new path: /tmp/*/g\+\+/
|
| The specified path does not match this log entry:
|
| Log Entry: /tmp/dQK_
| Entered Path: /tmp/*/g\+\+/
|
| Do you really want to use this path?
|
|
| (Y)es / [(N)o]
There's a few oddities here; first, the Filename: line is showing an _escaped_ version of the filename rather than the raw filename. Second, the "specified path does not match this log entry" check appears to be checking against the escaped version of the name, and not the filename that was actually referenced. (I used the readline facility to replace only the random-looking content with an asterisk, so I'm confident I didn't screw it up.)
I'm not sure which specific audit entries generated these questions, but some of the lines from the log file:
type=AVC msg=audit(
type=AVC msg=audit(
You can recreate this through a slightly complicated set of steps:
cd /tmp
cp /bin/cat /tmp/cat
mkdir -p foo/g++
echo foo > foo/g++/foo
aa-genprof /tmp/cat
/tmp/cat foo/g++/foo
Replace the first 'foo' with a '*' using the New option, and you'll be able to see this yourself.
ii apparmor 2.7.102-0ubuntu3 User-space parser utility for AppArmor
ii apparmor-utils 2.7.102-0ubuntu3 Utilities for controlling AppArmor
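The mismatch this report describes, sketched as an added example (not code from aa-logprof or the AppArmor project): a simplified path-glob matcher in which a backslash-escaped `+` is a literal `+`, run against the raw path from the reproduction steps and against an escaped copy of it. The function names, the glob subset handled (`*`, `**`, `?`, backslash escapes) and the sample values are assumptions for illustration.

```python
import re

def aare_to_regex(rule):
    """Compile a simplified AppArmor path glob into a regex.

    Assumption: only *, **, ? and backslash escapes are handled here;
    character classes and {a,b} alternation are left out for brevity.
    """
    out, i = [], 0
    while i < len(rule):
        ch = rule[i]
        if ch == "\\" and i + 1 < len(rule):
            out.append(re.escape(rule[i + 1]))  # "\+" in a rule means a literal "+"
            i += 2
        elif rule.startswith("**", i):
            out.append(".*")                    # ** may cross "/" boundaries
            i += 2
        elif ch == "*":
            out.append("[^/]*")                 # * stays inside one path component
            i += 1
        elif ch == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(ch))           # "+" is not a glob metacharacter
            i += 1
    return re.compile("".join(out), re.DOTALL)

def rule_matches(rule, logged_path):
    """True if the rule covers the whole path exactly as it was logged."""
    return aare_to_regex(rule).fullmatch(logged_path) is not None

# Constructed sample values, based on the reproduction steps in the report.
RAW_PATH = "/tmp/foo/g++/foo"             # the file that was actually opened
ESCAPED_PATH = "/tmp/foo/g\\+\\+/foo"     # the same path with "+" escaped for display
EDITED_RULE = "/tmp/*/g\\+\\+/foo"        # escaped text with "foo" replaced by "*"

if __name__ == "__main__":
    for target in (RAW_PATH, ESCAPED_PATH):
        print(f"{EDITED_RULE!r} vs {target!r}: {rule_matches(EDITED_RULE, target)}")
```

Matching the edited rule against the raw logged path succeeds, while matching it against the escaped copy fails, which is the "does not match this log entry" outcome the reporter suspects.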
tags: added: aa-tools
Does this affect newer apparmor releases?