parser doesn't catch conflicting change_profile exec modes (safe/unsafe)

Bug #1588069 reported by Tyler Hicks on 2016-06-01
This bug affects 1 person
Affects Status Importance Assigned to Milestone
John Johansen
apparmor (Ubuntu)
Tyler Hicks

Bug Description


Applications which use libapparmor's aa_change_onexec() to set up an AppArmor profile transition across an upcoming exec() could not pre-initialize the environment up until the upstream fix for bug #1584069 was in place. That upstream fix had a flaw in that conflicting safe/unsafe change_profile transitions were allowed by apparmor_parser. apparmor_parser should detect conflicting rules and fail to compile the profile.

[Test Case]

The upstream fix for this bug includes exhaustive tests for conflicting safe/unsafe change_profile transitions. These tests run at build time.

If a manual test is desired, see the original report below for steps.

[Regression Potential]

Regression potential for this change is small since it is actually a bug fix for the changes introduced in bug #1584069. The regression potential for the changes for bug #1584069 are considerable and listed in that bug report.

[Original Report]

The ability to specify change_profile exec modes (safe/unsafe) is a recently merged feature. A missing piece is that the parser doesn't detect conflicting exec modes on the same exec condition. The following profile should fail to compile:

/t {
  change_profile safe /foo -> /bar,
  change_profile unsafe /foo -> /bar,

Tyler Hicks (tyhicks) wrote :
Changed in apparmor:
status: New → In Progress
Tyler Hicks (tyhicks) wrote :

committed upstream as r3478

Changed in apparmor:
status: In Progress → Fix Committed
Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → High
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.10.95-4ubuntu2

apparmor (2.10.95-4ubuntu2) yakkety; urgency=medium

  * Drop the following change now that click-apparmor has been updated:
    - Continue installing aa-exec into /usr/sbin/ for now since
      click-apparmor's aa-exec-click autopkgtest expects it to be there
  * debian/patches/allow-stacking-tests-to-use-system.patch,
    debian/patches/r3430-allow-stacking-tests-to-use-system.patch: Replace
    patch with the final version that landed upstream and annotate the patch
    headers accordingly
  * debian/patches/r3460-ignore-file-events-with-send-or-receive-request.patch:
    Prevent an aa-logprof crash by ignoring file events that contains
    send or receive in the request mask. (LP: #1577051, LP: #1582374)
  * debian/patches/r3463-r3475-change-profile-exec-modes.patch: Allow policy
    authors to specify if the environment should scrubbed during exec
    transitions allowed by a change_profile rule. (LP: #1584069)
  * debian/patches/r3478-make-overlapping-safe-and-unsafe-rules-conflict.patch:
    Make sure that multiple change_profile rules with overlapping safe and
    unsafe exec modes conflict when they share the same exec conditional
    (LP: #1588069)
  * debian/patches/r3479-create-fcitx-abstractions.patch: Include fcitx and
    fcitx-strict abstractions that fcitx client profiles can reuse.
  * debian/control: Do a conffile move of /etc/apparmor.d/abstractions/fcitx
    from the fcitx-data to apparmor by setting up the correct Breaks and
  * debian/patches/r3480-create-mozc-abstraction.patch: Include a mozc
    abstraction that mozc client profiles can reuse.
  * debian/patches/r3488-r3489-fix-racy-onexec-test.patch: Fix racy regression
    test so that the kernel SRU process is not interrupted by the
    periodically failing
  * debian/patches/r3490-utils-handle-change-profile-exec-modes.patch: Update
    the Python utilities to handle the new exec mode keywords in
    change_profile rules. (LP: #1584069)
  * debian/patches/r3492-allow-dbus-user-session-path.patch: Allow read/write
    access to the dbus-user-session socket file. (LP: #1604872)

 -- Tyler Hicks <email address hidden> Tue, 26 Jul 2016 23:03:05 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Martin Pitt (pitti) on 2016-07-29
Changed in apparmor (Ubuntu Xenial):
status: New → Fix Committed
Tyler Hicks (tyhicks) on 2016-08-08
description: updated
Tyler Hicks (tyhicks) wrote :

The build tests succeed and I've verified that the manual test in the original description fails to compile.

description: updated
tags: added: aa-parser verification-done
Christian Boltz (cboltz) wrote :

Fixed in AppArmor 2.11

Changed in apparmor:
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) wrote :

This was fixed in Ubuntu 16.04 LTS in apparmor 2.10.95-0ubuntu2.2 (including the changes in 2.10.95-0ubuntu2.1, which was superceded in xenial-proposed by 2.10.95-0ubuntu2.2). Marking that task closed.

Changed in apparmor (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers