misleading name= for profile load, replacement, messages, for nested profiles

Bug #1477356 reported by Seth Arnold
Affects: AppArmor | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

There's a misleading name reported when loading nested profiles:

#include <tunables/global>

/does/not/exist {
 #include <abstractions/base>

 /bin/true rCx,
 profile /bin/true {
  #include <abstractions/base>
  /bin/true m,
 }
}

This is in both apparmor_parser and in the kernel interface:

$ sudo apparmor_parser --verbose --replace /etc/apparmor.d/nested
Replacement succeeded for "/bin/true".
Replacement succeeded for "/does/not/exist".

I expect "/does/not/exist//bin/true" instead of "/bin/true".

type=AVC msg=audit(1437614508.240:1980): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/does/not/exist" pid=5705 comm="apparmor_parser"
type=SYSCALL msg=audit(1437614508.240:1980): arch=c000003e syscall=1 success=yes exit=13617 a0=3 a1=1109fa8 a2=3531 a3=7ffc83935bf0 items=0 ppid=5704 pid=5705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts37 ses=4294967295 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=AVC msg=audit(1437614508.248:1981): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/bin/true" pid=5705 comm="apparmor_parser"
type=SYSCALL msg=audit(1437614508.248:1981): arch=c000003e syscall=1 success=yes exit=13553 a0=3 a1=11177b8 a2=34f1 a3=ffffffffffff27f0 items=0 ppid=5704 pid=5705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts37 ses=4294967295 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)

It is also incorrect without auditd running; originally this was discovered by maslen: http://pastebin.com/2DEYiXWf

Linux hunt 3.13.0-57-generic #95-Ubuntu SMP Fri Jun 19 09:28:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
2.8.95~2430-0ubuntu5.2

Thanks

Seth Arnold (seth-arnold) wrote :

The correct profiles are loaded:

$ sudo grep exist /sys/kernel/security/apparmor/profiles
/does/not/exist (enforce)
/does/not/exist///bin/true (enforce)

This is a cosmetic issue, though potentially very confusing.
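The practical consequence for anyone correlating AppArmor STATUS audit records with the loaded profile set is that the `name=` field of a nested profile cannot be matched against `/sys/kernel/security/apparmor/profiles` by string equality. The following is an added example, not code from this bug report or from the AppArmor project: it parses the two audit records and the profile listing quoted above (embedded as constructed sample input) and resolves each event either to an exact profile name or, when only a leaf name was logged, to the nested profiles whose last component is that name. The hierarchical names are split the way the listing shows them being formed, parent name followed by `//` followed by the child name, which is why a child named `/bin/true` shows up with three slashes. Function names are the example's own.

```python
import re

# Constructed sample input, copied from the lines quoted in this bug report:
# two AppArmor STATUS audit records and the apparmorfs profile listing.
AUDIT_LINES = [
    'type=AVC msg=audit(1437614508.240:1980): apparmor="STATUS" operation="profile_replace" '
    'profile="unconfined" name="/does/not/exist" pid=5705 comm="apparmor_parser"',
    'type=AVC msg=audit(1437614508.248:1981): apparmor="STATUS" operation="profile_replace" '
    'profile="unconfined" name="/bin/true" pid=5705 comm="apparmor_parser"',
]
PROFILES_LISTING = """\
/does/not/exist (enforce)
/does/not/exist///bin/true (enforce)
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Parse one audit record into a dict of field name -> value (quotes stripped)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def parse_profiles_listing(text):
    """Map each loaded profile's full name -> mode, from the apparmorfs profiles file."""
    loaded = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?) \((\w+)\)$", line.strip())
        if m:
            loaded[m.group(1)] = m.group(2)
    return loaded


def split_hname(hname):
    """Split a hierarchical profile name into its components.

    The name is cut at the FIRST '//' each time, so a child named '/bin/true'
    under '/does/not/exist' (listed as '/does/not/exist///bin/true') yields
    ['/does/not/exist', '/bin/true'] rather than a mangled leaf."""
    parts = []
    rest = hname
    while True:
        head, sep, tail = rest.partition("//")
        parts.append(head)
        if not sep:
            return parts
        rest = tail


def resolve_status_events(audit_lines, loaded):
    """Correlate profile_* STATUS events with the profiles actually loaded.

    An audit record for a nested profile carries only the leaf name, so a name
    that matches no loaded profile exactly is compared against the leaf
    component of every nested profile instead."""
    events = []
    for line in audit_lines:
        f = parse_audit_line(line)
        if f.get("apparmor") != "STATUS" or "name" not in f:
            continue
        name = f["name"]
        if name in loaded:
            match, candidates = "exact", [name]
        else:
            candidates = [p for p in loaded
                          if len(split_hname(p)) > 1 and split_hname(p)[-1] == name]
            match = "nested" if candidates else "unknown"
        events.append({"operation": f.get("operation"), "name": name,
                       "match": match, "profiles": candidates})
    return events


if __name__ == "__main__":
    loaded_profiles = parse_profiles_listing(PROFILES_LISTING)
    for ev in resolve_status_events(AUDIT_LINES, loaded_profiles):
        print(f'{ev["operation"]}: name="{ev["name"]}" -> {ev["match"]} {ev["profiles"]}')
```

Run against the quoted data, the first event resolves exactly to `/does/not/exist`, while the second (`name="/bin/true"`) has no exact match and resolves as nested to `/does/not/exist///bin/true`. A leaf-name match is ambiguous whenever several parents define a child with the same name, so a log pipeline should treat the `nested` result as a set of candidates rather than a single identity until the parser or kernel reports the full name.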

Christian Boltz (cboltz)
tags: added: aa-kernel aa-parser