AppArmor

deny rules not enforced in complain mode

Bug #1580369 reported by Christian Boltz on 2016-05-10

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned

Bug Description

In theory, deny rules should be enforced even in complain mode.

In practise, they aren't...

# echo 'profile test { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p test touch /tmp/foo
touch: cannot touch '/tmp/foo': Permission denied

# echo 'profile test (audit) { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p test touch /tmp/foo
touch: cannot touch '/tmp/foo': Permission denied

# echo 'profile test (complain) { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p test touch /tmp/foo
## /tmp/foo gets created

# echo 'profile test (complain, audit) { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p
## /tmp/foo gets created

This happens with kernel 4.5.3 on openSUSE Tumbleweed, using the 2.11 beta1 apparmor_parser.

See original description

Tags:

Christian Boltz (cboltz) on 2016-05-10

description:

updated

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2020-02-21:

On Ubuntu 20.04 (apparmor 2.13.3, kernel 5.4.0-14.17-generic) without audit, it is now enforced:

$ rm -f /tmp/foo ; echo 'profile test (complain) { file, deny /tmp/foo rw, }' | sudo apparmor_parser -r ; aa-exec -p test touch /tmp/foo ; ls /tmp/foo
touch: cannot touch '/tmp/foo': Permission denied
ls: cannot access '/tmp/foo': No such file or directory

but with audit, they still are not:

$ rm -f /tmp/foo ; echo 'profile test (complain, audit) { file, deny /tmp/foo rw, }' | sudo apparmor_parser -r ; aa-exec -p test touch /tmp/foo ; ls /tmp/foo
/tmp/foo

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.