Mount and D-Bus rules aren't being optimized correctly
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Medium | John Johansen |
apparmor (Ubuntu) | Fix Released | Medium | Tyler Hicks |
Bug Description
I noticed that mount and dbus rules weren't being optimized correctly when a more permissive rule follows. For example, 'mount fstype=foo, mount' should result in the 'mount fstype=foo,' rule being optimized away. That rule is currently not optimized away and, oddly enough, the last 'o' in foo is truncated.
Here's a more clear example with ext2 and ext3 fstypes:
$ echo "/t { mount fstype=ext2, mount, }" | apparmor_parser -qQD dfa-states 2>ext2
$ echo "/t { mount fstype=ext3, mount, }" | apparmor_parser -qQD dfa-states 2>ext3
$ md5sum ext2 ext3
e5d4e0b335b1bb5
e5d4e0b335b1bb5
$ cat ext2
{1} <== (allow/
{6} (0x 2/0/0/0)
{1} -> {2}: 0x7
{2} -> {3}: 0x0
{2} -> {2}: []
{3} -> {4}: 0x0
{3} -> {3}: []
{4} -> {6}: 0x0
{4} -> {7}: 0x65 e
{4} -> {5}: []
{5} -> {6}: 0x0
{5} -> {5}: []
{6} (0x 2/0/0/0) -> {6}: [^\0x0]
{7} -> {6}: 0x0
{7} -> {8}: 0x78 x
{7} -> {5}: []
{8} -> {6}: 0x0
{8} -> {5}: 0x74 t
{8} -> {5}: []
While the md5sum of the ext2 and ext3 files should be equal, they should not contain any remnants of the fstype=ext2 or fstype=ext3 conditional.
Off the top of his head, JJ thinks that it has to do with the DFA minimization in parser/
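A way to check a `-D dfa-states` dump for leftover condition text mechanically, added here as an example (not part of the original report or of the AppArmor parser). It assumes a `0xNN` label is a single input byte and any other label is a default or class transition; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: transition lines for states {4}..{8} from the dump above.
SAMPLE_DUMP = r"""
{4} -> {6}: 0x0
{4} -> {7}: 0x65 e
{4} -> {5}: []
{5} -> {6}: 0x0
{5} -> {5}: []
{6} (0x 2/0/0/0) -> {6}: [^\0x0]
{7} -> {6}: 0x0
{7} -> {8}: 0x78 x
{7} -> {5}: []
{8} -> {6}: 0x0
{8} -> {5}: 0x74 t
{8} -> {5}: []
"""
EDGE = re.compile(r"^\{(\d+)\}(?:\s+\([^)]*\))?\s+->\s+\{(\d+)\}:\s+(.*)$")
BYTE = re.compile(r"0x([0-9a-fA-F]+)\b")

def parse_transitions(dump):
    """Return (src, dst, byte) per edge; byte is None for non-literal labels."""
    edges = []
    for line in dump.splitlines():
        m = EDGE.match(line.strip())
        if not m:
            continue  # state listings, blank or truncated lines
        b = BYTE.match(m.group(3))
        edges.append((int(m.group(1)), int(m.group(2)), int(b.group(1), 16) if b else None))
    return edges

def literal_runs(edges):
    """Follow chains of printable-byte edges and return the strings they spell."""
    out, targets = defaultdict(list), set()
    for src, dst, byte in edges:
        if byte is not None and 0x20 <= byte <= 0x7E:
            out[src].append((chr(byte), dst))
            targets.add(dst)
    runs = []
    def walk(state, text, seen):
        nxt = [(c, d) for c, d in out.get(state, []) if d not in seen]
        if not nxt and text:
            runs.append(text)  # chain ended: record the literal it spelled
        for c, d in nxt:
            walk(d, text + c, seen | {d})
    for start in sorted(s for s in out if s not in targets):
        walk(start, "", {start})
    return runs
```

On the sample this returns `['ext']`, the truncated fstype prefix the report describes; a dump with no printable-byte chains returns an empty list.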
description: | updated |
Changed in apparmor (Ubuntu): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Tyler Hicks (tyhicks) |
Changed in apparmor: | |
assignee: | Tyler Hicks (tyhicks) → John Johansen (jjohansen) |
Changed in apparmor: | |
status: | Fix Committed → Fix Released |
This was addressed in http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/2302 (though for cherry-pickers, please note the following few commits that fix bugs this patch exposed).