deny rules not enforced in complain mode
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | New | Undecided | Unassigned | |
Bug Description
In theory, deny rules should be enforced even in complain mode.
In practice, they aren't...
# echo 'profile test { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p test touch /tmp/foo
touch: cannot touch '/tmp/foo': Permission denied
# echo 'profile test (audit) { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p test touch /tmp/foo
touch: cannot touch '/tmp/foo': Permission denied
# echo 'profile test (complain) { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p test touch /tmp/foo
## /tmp/foo gets created
# echo 'profile test (complain, audit) { file, deny /tmp/foo rw, }' | apparmor_parser -r ; aa-exec -p
## /tmp/foo gets created
This happens with kernel 4.5.3 on openSUSE Tumbleweed, using the 2.11 beta1 apparmor_parser.
On Ubuntu 20.04 (apparmor 2.13.3, kernel 5.4.0-14.17-generic) without audit, it is now enforced:
$ rm -f /tmp/foo ; echo 'profile test (complain) { file, deny /tmp/foo rw, }' | sudo apparmor_parser -r ; aa-exec -p test touch /tmp/foo ; ls /tmp/foo
touch: cannot touch '/tmp/foo': Permission denied
ls: cannot access '/tmp/foo': No such file or directory
but with audit, they still are not:
$ rm -f /tmp/foo ; echo 'profile test (complain, audit) { file, deny /tmp/foo rw, }' | sudo apparmor_parser -r ; aa-exec -p test touch /tmp/foo ; ls /tmp/foo
/tmp/foo
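The manual checks in the bug description and in the comment above, collected into a small POSIX shell script that runs the same deny-rule test under each profile flag combination and reports which ones are enforced. This is an added example, not part of the bug report; it assumes root privileges, apparmor_parser and aa-exec on PATH, and uses a constructed profile name (denytest) and test path (/tmp/denytest.txt).

```shell
#!/bin/sh
# Added example: check whether a deny rule is enforced for a given set of
# profile flags (none, audit, complain, "complain, audit").
# Assumes: root, apparmor_parser and aa-exec available (assumption).

# Build a one-line test profile with the given flag string ("" for no flags).
mk_profile() {
    if [ -z "$1" ]; then
        printf 'profile denytest { file, deny /tmp/denytest.txt rw, }\n'
    else
        printf 'profile denytest (%s) { file, deny /tmp/denytest.txt rw, }\n' "$1"
    fi
}

# Load the profile, attempt the denied write, and report.
# Returns 0 if the deny rule blocked the write, 1 if the file was created,
# 2 if the profile could not be loaded.
check_flags() {
    rm -f /tmp/denytest.txt
    mk_profile "$1" | apparmor_parser -r || return 2
    aa-exec -p denytest touch /tmp/denytest.txt 2>/dev/null
    if [ -e /tmp/denytest.txt ]; then
        echo "flags='$1': NOT enforced (file was created)"
        return 1
    fi
    echo "flags='$1': enforced"
    return 0
}

# Run all four combinations from the report, then unload the profile.
run_all() {
    rc=0
    for flags in "" "audit" "complain" "complain, audit"; do
        check_flags "$flags" || rc=1
    done
    mk_profile "" | apparmor_parser -R
    rm -f /tmp/denytest.txt
    return $rc
}

# Only touch the live system when explicitly asked: ./script.sh run
if [ "${1:-}" = "run" ]; then
    run_all
fi
```

Exit status of `run_all` is non-zero if any combination let the file be created, which makes the script usable as a regression check after a kernel or parser upgrade.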