apparmor_parser does not correctly handle profile namespaces when 'profile' keyword is used

Bug #1544387 reported by Tyler Hicks on 2016-02-11
This bug affects 1 person
Affects: AppArmor
Importance: Medium
Assigned to: Tyler Hicks

Bug Description

When the 'profile' keyword is used at the beginning of a profile declaration, namespace creation is not handled properly. Instead of :namespace:p being split into 'namespace' for the name of the namespace and 'p' for the name of the profile, a profile called ':namespace:p' is created.

$ echo "profile :namespace:p {}" | sudo apparmor_parser -qr
$ stat /sys/kernel/security/apparmor/policy/namespaces/namespace
stat: cannot stat ‘/sys/kernel/security/apparmor/policy/namespaces/namespace’: No such file or directory
$ stat /sys/kernel/security/apparmor/policy/profiles/namespacep*
  File: ‘/sys/kernel/security/apparmor/policy/profiles/namespacep.26’
  Size: 0 Blocks: 0 IO Block: 4096 directory
Device: ch/12d Inode: 18374 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-02-10 20:19:47.296817210 -0600
Modify: 2016-02-10 20:20:06.336742155 -0600
Change: 2016-02-10 20:19:47.296817210 -0600
 Birth: -

Dropping the 'profile' keyword results in the namespace being properly created:

$ echo ":namespace:p {}" | sudo apparmor_parser -qr
$ stat /sys/kernel/security/apparmor/policy/namespaces/namespace
  File: ‘/sys/kernel/security/apparmor/policy/namespaces/namespace’
  Size: 0 Blocks: 0 IO Block: 4096 directory
Device: ch/12d Inode: 18716 Links: 4
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-02-10 20:24:20.271897231 -0600
Modify: 2016-02-10 20:24:20.271897231 -0600
Change: 2016-02-10 20:24:20.271897231 -0600
 Birth: -
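
An added regression-check sketch (not part of the report or of AppArmor's own code): it splits a declaration header into namespace and profile name whether or not the 'profile' keyword is present, then checks that the namespace directory exists under the policy path shown above. The function names are hypothetical, and only the header forms seen in this report plus plain profile names are handled (no quoted names).

```shell
#!/bin/sh
# Policy root as shown in the bug report; overridable so the check can be
# pointed at a test tree instead of the live securityfs.
: "${APPARMOR_POLICY_DIR:=/sys/kernel/security/apparmor/policy}"

# split_profile_decl DECL
# Prints "<namespace> <profile>"; namespace is "-" when none is given.
# Returns 1 for an empty or malformed header (e.g. "::p" or ":ns:").
split_profile_decl() {
    set -f                                   # no globbing while word-splitting
    set -- $(printf '%s' "$1" | tr '{' ' ')  # '{' ends the name token
    set +f
    # The 'profile' keyword is optional and must not change how the name splits.
    [ "$1" = profile ] && [ $# -gt 1 ] && shift
    name=$1
    case $name in
        :*:?*)                               # :namespace:profile
            rest=${name#:}
            ns=${rest%%:*}
            prof=${rest#*:}
            [ -n "$ns" ] || return 1
            printf '%s %s\n' "$ns" "$prof" ;;
        :*|'')                               # incomplete namespace form, or no name
            return 1 ;;
        *)
            printf '%s %s\n' - "$name" ;;
    esac
}

# namespace_loaded DECL
# 0: the namespace named in DECL exists under the policy root (or DECL names none)
# 1: DECL names a namespace that was not created (the symptom reported here)
# 2: DECL could not be parsed
namespace_loaded() {
    parsed=$(split_profile_decl "$1") || return 2
    ns=${parsed%% *}
    [ "$ns" = - ] && return 0
    [ -d "$APPARMOR_POLICY_DIR/namespaces/$ns" ]
}
```

Run `namespace_loaded 'profile :namespace:p {}'` after loading the profile; exit status 1 on a parser older than the fixed release corresponds to the missing directory in the first stat call above.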

Tyler Hicks (tyhicks) on 2016-02-11
description: updated
Tyler Hicks (tyhicks) on 2016-02-11
Changed in apparmor:
status: Confirmed → In Progress
importance: High → Medium
Tyler Hicks (tyhicks) wrote :
Changed in apparmor:
status: In Progress → Fix Committed
Christian Boltz (cboltz) wrote :

Fixed in AppArmor 2.11

Changed in apparmor:
status: Fix Committed → Fix Released