deny rules not enforced in complain mode

Bug #1580369 reported by Christian Boltz
Affects: AppArmor; Status: New; Importance: Undecided; Assigned to: Unassigned

Bug Description

In theory, deny rules should be enforced even in complain mode.

In practice, they aren't...

# echo 'profile test { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p test touch /tmp/foo
touch: cannot touch '/tmp/foo': Permission denied

# echo 'profile test (audit) { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p test touch /tmp/foo
touch: cannot touch '/tmp/foo': Permission denied

# echo 'profile test (complain) { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p test touch /tmp/foo
## /tmp/foo gets created

# echo 'profile test (complain, audit) { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p
## /tmp/foo gets created

This happens with kernel 4.5.3 on openSUSE Tumbleweed, using the 2.11 beta1 apparmor_parser.

Jamie Strandboge (jdstrand) wrote:

On Ubuntu 20.04 (apparmor 2.13.3, kernel 5.4.0-14.17-generic) without audit, it is now enforced:

$ rm -f /tmp/foo ; echo 'profile test (complain) { file, deny /tmp/foo rw, }' | sudo apparmor_parser -r ; aa-exec -p test touch /tmp/foo ; ls /tmp/foo
touch: cannot touch '/tmp/foo': Permission denied
ls: cannot access '/tmp/foo': No such file or directory

but with audit, they still are not:

$ rm -f /tmp/foo ; echo 'profile test (complain, audit) { file, deny /tmp/foo rw, }' | sudo apparmor_parser -r ; aa-exec -p test touch /tmp/foo ; ls /tmp/foo
/tmp/foo
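The two sets of commands above (the original report and the Ubuntu 20.04 follow-up) check each flag combination by hand. The script below is an added regression check, not code from either poster: it loads the same minimal profile under every flag set and reports whether the `deny /tmp/foo rw,` rule was actually enforced. It needs root, apparmor_parser and aa-exec; the profile name `denycheck` is an assumption.

```shell
#!/bin/sh
# Added regression check for "deny rules not enforced in complain mode".
# Loads the reporter's minimal profile under each flag combination and
# records whether the deny rule blocked a write to /tmp/foo. Assumes root,
# apparmor_parser and aa-exec; profile name "denycheck" is an assumption.

# Build the profile text for a flag set ("" for no flags, or e.g. "complain, audit").
mk_profile() {
    flags="$1"
    if [ -n "$flags" ]; then
        printf 'profile denycheck (%s) { file, deny /tmp/foo rw, }\n' "$flags"
    else
        printf 'profile denycheck { file, deny /tmp/foo rw, }\n'
    fi
}

# Load the profile with the given flags, try to create /tmp/foo under it and
# print "enforced" if the deny rule blocked the write, "bypassed" otherwise.
check_deny() {
    flags="$1"
    rm -f /tmp/foo
    mk_profile "$flags" | apparmor_parser -r || { echo "load failed"; return 2; }
    aa-exec -p denycheck touch /tmp/foo 2>/dev/null
    if [ -e /tmp/foo ]; then
        rm -f /tmp/foo
        echo "bypassed"
    else
        echo "enforced"
    fi
}

# Only perform the live checks when invoked as: sh check_deny.sh run
if [ "${1:-}" = "run" ]; then
    for f in "" "audit" "complain" "complain, audit"; do
        printf '%-18s %s\n' "(${f:-no flags})" "$(check_deny "$f")"
    done
    mk_profile "" | apparmor_parser -R    # unload the test profile again
fi
```

On a kernel with the bug, the "complain, audit" line reads "bypassed" while the others read "enforced".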
