exec transitions to profiles with '.' in name don't work
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | New | Undecided | Unassigned | |
| linux (Ubuntu) | Incomplete | Undecided | Unassigned | |
| Xenial | Fix Committed | Undecided | Unassigned | |
| Yakkety | Won't Fix | Undecided | Unassigned | |
Bug Description

If a child profile has '.' in the name, then the parser fails to compile the policy:

```
$ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found unexpected character: '.'
```

If a child profile with '.' in the name is put in a variable, the parser compiles the policy but the exec transition fails:

```
$ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
/tmp/with.dots: 3: /tmp/with.dots: cat: Permission denied
```

The denial is:

```
apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="test" name="/bin/cat" pid=18219 comm="with.dots" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
```

```
$ cat /tmp/test.sh
#!/bin/sh
cat /proc/version
```

```
$ cat /tmp/profile
#include <tunables/global>
@{TARGET_
profile test {
  #include <abstractions/base>
  #include <abstractions/bash>
  /tmp/test.sh r,

  # parser error:
  # AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found
  # unexpected character: '.'
  /{,usr/}bin/cat cx -> with.dots,

  # fail to transition:
  # apparmor="DENIED" operation="exec" info="profile transition not found"
  # error=-13 profile="test" name="/bin/cat" pid=18105 comm="with.dots"
  # requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
  #/{,usr/}bin/cat cx -> @{TARGET_PROFILE},

  # ok
  #/{,usr/}bin/cat cx -> no_dots,

  profile with.dots {
    #include <abstractions/base>
    @{PROC}/version r,
    /{,usr/}bin/cat r,
  }

  profile no_dots {
    #include <abstractions/base>
    @{PROC}/version r,
    /{,usr/}bin/cat r,
  }
}
```
Changed in linux (Ubuntu Xenial): status: New → Fix Committed; tags added: aa-parser
Note, this came about from trying to do policy like this:

```
profile snap.foo.bar {
  @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/baz cx -> baz,
  profile baz {
    @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/bar cx -> snap.foo.bar,
  }
}
```
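As an added pre-deployment check (not part of the bug report or of the AppArmor project), the following Python lints a profile for the two failure modes described in the report and in the snap policy above: a literal '.' in a `cx ->` target, which the parser rejects, and a target that only becomes a dotted name through a variable, which compiles but yields "profile transition not found" at exec time. The sample profile is constructed after the reporter's, and the regular expressions are a deliberate simplification of the real parser's grammar.

```python
import re

# Constructed sample modelled on the profile in the bug report (not the reporter's file).
SAMPLE_PROFILE = """\
@{TARGET_PROFILE}=with.dots
profile test {
  /{,usr/}bin/cat cx -> with.dots,          # literal '.': parser error
  /{,usr/}bin/cat cx -> @{TARGET_PROFILE},  # compiles, kernel finds no transition
  /{,usr/}bin/cat cx -> no_dots,            # ok
  /{,usr/}bin/cat cx -> nowhere,            # no such child profile
  profile with.dots {
  }
  profile no_dots {
  }
}
"""

VAR_RE = re.compile(r'^@\{(\w+)\}\s*=\s*(\S+)$')          # @{NAME}=value
PROFILE_RE = re.compile(r'^profile\s+(\S+)\s*\{$')         # profile NAME {
TRANS_RE = re.compile(r'\b[cCpP]x\s*->\s*([^\s,]+)\s*,')  # ... cx -> TARGET,

def lint_transitions(text):
    """Return (parent, target, problem) for each cx/px rule this bug would break."""
    variables, stack, children, rules = {}, [], {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()    # drop comments and indentation
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2)
        elif m := PROFILE_RE.match(line):
            if stack:                           # record child under its parent
                children.setdefault(stack[-1], set()).add(m.group(1))
            stack.append(m.group(1))
        elif line == '}':
            stack.pop()
        elif (m := TRANS_RE.search(line)) and stack:
            rules.append((stack[-1], m.group(1)))
    problems = []
    for parent, target in rules:
        expanded = re.sub(r'@\{(\w+)\}', lambda v: variables.get(v.group(1), v.group(0)), target)
        if '.' in target:
            problems.append((parent, target, "parser rejects '.' in a transition target"))
        elif expanded not in children.get(parent, set()):
            problems.append((parent, target, f"no child profile {expanded!r} in {parent!r}"))
        elif '.' in expanded:
            problems.append((parent, target, "expands to a dotted name; kernel finds no transition"))
    return problems

if __name__ == '__main__':
    for problem in lint_transitions(SAMPLE_PROFILE):
        print(problem)
```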