AppArmor

ix exec stack transition parses when it shouldn't

Bug #1696547 reported by Jamie Strandboge on 2017-06-07

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned

Bug Description

$ cat /tmp/foo

#include <tunables/global>

profile foo {}

profile test {
#include <abstractions/base>

/foo/** ix -> @{profile_name}//&foo,
}

In this, the 'ix' transition to '@{profile_name}//&foo' makes no sense. In today's implementation, ix rules only support relative transitions but '@{profile_name}//&foo' is a direct transition. Today, the above parses and the exec is allowed, but the profile reported by ps -Z is 'test', not 'test//&foo'.

In discussing this bug it was decided that ix exec stack transitions will be obsoleted. Feel free to use this bug to track that.

See original description

Jamie Strandboge (jdstrand) on 2017-06-07

description:

updated

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.