Mount and D-Bus rules aren't being optimized correctly

Bug #1262938 reported by Tyler Hicks on 2013-12-20
This bug affects 1 person
Affects: AppArmor | Importance: Medium | Assigned to: John Johansen
Affects: apparmor (Ubuntu) | Importance: Medium | Assigned to: Tyler Hicks

Bug Description

I noticed that mount and dbus rules weren't being optimized correctly when a more permissive rule follows. For example, 'mount fstype=foo, mount' should result in the 'mount fstype=foo,' rule being optimized away. That rule is currently not optimized away and, oddly enough, the last 'o' in foo is truncated.

Here's a more clear example with ext2 and ext3 fstypes:

$ echo "/t { mount fstype=ext2, mount, }" | apparmor_parser -qQD dfa-states 2>ext2
$ echo "/t { mount fstype=ext3, mount, }" | apparmor_parser -qQD dfa-states 2>ext3
$ md5sum ext2 ext3
e5d4e0b335b1bb530fbff8e0cdfa7337 ext2
e5d4e0b335b1bb530fbff8e0cdfa7337 ext3
$ cat ext2
{1} <== (allow/deny/audit/quiet)
{6} (0x 2/0/0/0)

{1} -> {2}: 0x7
{2} -> {3}: 0x0
{2} -> {2}: []
{3} -> {4}: 0x0
{3} -> {3}: []
{4} -> {6}: 0x0
{4} -> {7}: 0x65 e
{4} -> {5}: []
{5} -> {6}: 0x0
{5} -> {5}: []
{6} (0x 2/0/0/0) -> {6}: [^\0x0]
{7} -> {6}: 0x0
{7} -> {8}: 0x78 x
{7} -> {5}: []
{8} -> {6}: 0x0
{8} -> {5}: 0x74 t
{8} -> {5}: []

While the md5sum of the ext2 and ext3 files should be equal, they should not contain any remnants of the fstype=ext2 or fstype=ext3 conditional.

Off the top of his head, JJ thinks that it has to do with the DFA minimization in parser/libapparmor_re/hfa.cc.
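
A check for the symptom described above, as an added example that is not part of the bug report or of AppArmor's code: it parses a `-D dfa-states` dump and uses Moore partition refinement to list the states a fully minimized DFA would have merged. The reading of the dump format (`[]` as the default edge, bytes after `^` going to a non-matching state numbered 0) and the names `parse` and `mergeable_states` are assumptions of this example.

```python
import re
DEAD, OTHER = 0, -1  # assumptions: 0 is the non-matching sink; -1 = "any byte not named"
LINE = re.compile(r"^\{(\d+)\}(?: \((0x [^)]*)\))?(?: -> \{(\d+)\}: (.+))?", re.M)
DUMP = r"""{1} <== (allow/deny/audit/quiet)
{6} (0x 2/0/0/0)
{1} -> {2}: 0x7
{2} -> {3}: 0x0
{2} -> {2}: []
{3} -> {4}: 0x0
{3} -> {3}: []
{4} -> {6}: 0x0
{4} -> {7}: 0x65 e
{4} -> {5}: []
{5} -> {6}: 0x0
{5} -> {5}: []
{6} (0x 2/0/0/0) -> {6}: [^\0x0]
{7} -> {6}: 0x0
{7} -> {8}: 0x78 x
{7} -> {5}: []
{8} -> {6}: 0x0
{8} -> {5}: 0x74 t
{8} -> {5}: []"""  # dump copied from the bug description

def parse(dump):
    """Return (accept perms, edges) keyed by state; edges[OTHER] is the default edge."""
    perms, trans = {}, {}
    for src, perm, dst, label in LINE.findall(dump):
        src, edges = int(src), trans.setdefault(int(src), {})
        perms[src] = perm or perms.get(src, "")
        if label.startswith("["):   # "[]" / "[^...]": default edge
            edges[OTHER] = int(dst)
            for h, c in re.findall(r"\\0x([0-9a-f]{1,2})|(.)", label[2:-1]):
                edges[int(h, 16) if h else ord(c)] = DEAD   # excluded byte -> sink
        elif label:                 # "0x65 e": edge on a single byte
            edges[int(label.split()[0], 16)] = int(dst)
    return perms, trans

def mergeable_states(dump):
    """Moore partition refinement: groups of states a minimal DFA would merge."""
    perms, trans = parse(dump)
    states = sorted({DEAD, *trans, *(d for e in trans.values() for d in e.values())})
    syms = sorted({b for e in trans.values() for b in e} | {OTHER})
    step = lambda s, b: trans.get(s, {}).get(b, trans.get(s, {}).get(OTHER, DEAD))
    block, n = {s: perms.get(s, "") for s in states}, 0
    while len(set(block.values())) != n:   # stop when a round splits nothing
        n, sigs = len(set(block.values())), {}
        block = {s: sigs.setdefault((block[s], *(block[step(s, b)] for b in syms)),
                                    len(sigs)) for s in states}
    groups = ([s for s in states if block[s] == b] for b in set(block.values()))
    return sorted(g for g in groups if len(g) > 1)
```

For the dump in this report it returns `[[4, 5, 7, 8]]`: states 7 and 8, reached on the leftover `e` and `x` bytes, behave exactly like states 4 and 5, so a minimal DFA keeps a single state in their place.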

Tyler Hicks (tyhicks) on 2013-12-20
description: updated

Steve Beattie (sbeattie) wrote:

This was addressed in http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/2302 (though for cherry-pickers, please note the following few commits that fix bugs this patch exposed).

Changed in apparmor:
status: Triaged → Fix Committed

Tyler Hicks (tyhicks) on 2014-01-13
Changed in apparmor (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Changed in apparmor:
assignee: Tyler Hicks (tyhicks) → John Johansen (jjohansen)

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apparmor - 2.8.0-0ubuntu38

---------------
apparmor (2.8.0-0ubuntu38) trusty; urgency=low

  [ Tyler Hicks ]
  * 0084-parser-add-dbus-eavesdrop-perm.patch: Add an eavesdrop permission to
    the dbus rule type, allowing confined applications to eavesdrop. The only
    valid conditional for eavesdrop rules is 'bus'. See the apparmor.d(5) man
    page for more information. (LP: #1262440)

  [ Steve Beattie ]
  * 0085-push-normalize-tree-ops-into-expr-tree-classes.patch: Improve
    parser performance in some cases

  [ John Johansen ]
  * 0086-add-diff-state-compression-to-dfa.patch: Implement differential
    state compression in the parser
  * 0087-fix-dfa-minimization.patch: Fix a parser bug that caused some DFAs to
    not be fully minimized (LP: #1262938)
  * 0088-fix-pol-generation-for-small-dfas.patch: Fixes bugs in the parser
    when generating policy for some small DFAs
 -- Tyler Hicks <email address hidden> Mon, 13 Jan 2014 11:17:42 -0600

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released

Christian Boltz (cboltz) on 2014-10-19
Changed in apparmor:
status: Fix Committed → Fix Released