Exec to sub-profile doesn't work right when parent profile name has a variable in it
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
AppArmor | New | Undecided | Unassigned | |
Bug Description
2.10.95.bzr.3440-1
given a profile similar to this
#include <globals/global>
@{some_path}=opt
profile "/@{some_
#include <base/extra>
/usr/
profile bash_ext {
/usr/bin/true mixr,
}
}
after transitioning to profile you cannot run bash/sh:
audit: type=1400 audit(147218998
transition-user --drop=false --lock=false --nnp=false --systemd=false --apparmor=
# /usr/bin/sleep
/usr/bin/dash: 1: /usr/bin/sleep: Permission denied
# /usr/bin/dash
/usr/bin/dash: 2: /usr/bin/dash: Permission denied
# /usr/bin/bash
/usr/bin/dash: 3: /usr/bin/bash: not found
# /usr/bin/sh
/usr/bin/dash: 4: /usr/bin/sh: not found
# /usr/bin/zsh
/usr/bin/dash: 5: /usr/bin/zsh: Permission denied
so you get ENOENT for the bash binary until you remove the variable and reload.
tags: added: aa-parser
Yep, I could reproduce this on Ubuntu 18.04 LTS as well with apparmor 2.12-4ubuntu5, so this is still an annoying bug... Apparently removing the variables from the parent profile fixes the problem.
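A policy-audit sketch for the condition reported above (an added example, not code from the bug report or the AppArmor project): it scans profile text for parent profiles whose name contains a `@{...}` variable and that hold nested child profiles, which are the candidates for the workaround of removing the variable. The sample policy, all names in it, and the simplified header matching are assumptions.

```python
import re

# Assumed simplification of AppArmor syntax: one block header per line,
# ending in "{"; a lone "}" closes the innermost open block.
HEADER = re.compile(r'^(?:profile\s+)?("[^"]+"|\S+).*\{$')
VARIABLE = re.compile(r'@\{[^}]+\}')

# Constructed sample policy; every name in it is hypothetical.
SAMPLE = '''\
@{app_root}=opt
profile "/@{app_root}/bin/example" {
  /usr/bin/bash cx -> helper,
  profile helper {
    /usr/bin/true mixr,
  }
}
profile /usr/bin/fixed {
  profile inner {
    /usr/bin/true mixr,
  }
}
'''

def find_affected_parents(policy_text):
    """Return [(parent, [children])] for profiles named with a variable
    that contain at least one nested profile block."""
    stack = []      # names of the blocks currently open, outermost first
    children = {}   # parent name -> names of its direct child blocks
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue            # blank lines, comments, #include directives
        if line == '}':
            if stack:
                stack.pop()
            continue
        match = HEADER.match(line)
        if match:
            name = match.group(1).strip('"')
            if stack:
                children.setdefault(stack[-1], []).append(name)
            stack.append(name)
    return [(p, kids) for p, kids in children.items() if VARIABLE.search(p)]

if __name__ == '__main__':
    for parent, kids in find_affected_parents(SAMPLE):
        print(f'{parent}: nested profiles {", ".join(kids)}')
```

Headers followed by a trailing comment on the same line are not recognised by this simplified matcher.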