alternation with globs sometimes allows directory writes when it shouldn't
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
AppArmor | New | Undecided | Unassigned | |
Bug Description
Consider the following profile:
```
#include <tunables/global>
# HISTFILE=/dev/null aa-exec -p test -- /bin/bash --norc
profile test {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/
/dev/tty rw,
/{,usr/}bin/ls ixr,
/{,usr/}bin/mkdir ixr,
/{,usr/}bin/rm ixr,
/{,usr/}bin/touch ixr,
# fine: mkdir /tmp/foo/bar/ denied
#/tmp/foo/bar/ r,
#/tmp/foo/bar/* rw,
# bad: allows mkdir /tmp/foo/bar/
/tmp/
#/tmp/
#/tmp/
#/tmp/
}
```
With each of the rules under 'bad', the confined process is able to mkdir /tmp/foo/bar successfully. Tested on Ubuntu 12.04 (apparmor 2.7) through 18.04 LTS (apparmor 2.12).
E.g.:
```
$ cd /tmp ; rm -rf /tmp/foo/* ; sudo apparmor_parser -r /tmp/apparmor.
$ ls -d /tmp/foo/bar
/tmp/foo/bar
```
On the face of it, it looks like the confusion is coming in with rules of the form {*,something/}.
summary: |
- alternation with globs allows directory writes when it shouldn't + alternation with globs sometimes allows directory writes when it + shouldn't |
This is a compiler issue, with how directory entries with a trailing alternation are compiled.
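An added example, not part of the bug report or AppArmor's own tooling: a small Python audit that scans profile text for file rules granting write or append access whose path ends in an alternation with at least one alternative expanding to a directory entry (trailing `/`), the shape the report and the comment above point at. The `SAMPLE` profile, the function names and the simplified rule grammar (path first, then permissions; `deny` rules ignored) are assumptions made for the illustration.

```python
import re

WRITE = set("wa")  # write / append permission letters in file rules
# Simplified grammar (assumption): [audit|owner] <path> <perms>,
RULE = re.compile(r"^\s*(?:(?:audit|owner)\s+)*(/\S*|@\{\S*)\s+([a-zA-Z]+)\s*,")

def expand(path):
    """Expand {a,b} alternations (nesting allowed); @{VAR} is left untouched."""
    start = next((i for i, c in enumerate(path)
                  if c == "{" and (i == 0 or path[i - 1] != "@")), None)
    if start is None:
        return [path]
    depth, parts, last = 0, [], start + 1
    for i in range(start, len(path)):
        c = path[i]
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:  # closing brace of the outermost alternation
                parts.append(path[last:i])
                return [e for p in parts
                        for e in expand(path[:start] + p + path[i + 1:])]
        elif c == "," and depth == 1:
            parts.append(path[last:i])
            last = i + 1
    return [path]  # unbalanced braces: treat literally

def audit(profile_text):
    """Return (line_no, path, perms, dir_expansions) for rules worth reviewing."""
    findings = []
    for n, line in enumerate(profile_text.splitlines(), 1):
        m = RULE.match(line)  # comment lines and deny rules do not match
        if not m:
            continue
        path, perms = m.groups()
        if not path.endswith("}") or not WRITE & set(perms):
            continue  # only trailing alternations that grant write/append
        dirs = [e for e in expand(path) if e.endswith("/")]
        if dirs:
            findings.append((n, path, perms, dirs))
    return findings

# Constructed sample profile (not the reporter's profile).
SAMPLE = """profile example {
  /tmp/foo/bar/ r,
  /tmp/foo/bar/* rw,
  /tmp/foo/{*,something/} rw,
  /{,usr/}bin/ls ixr,
  owner /srv/data/{in,out/{a,b/}} w,
}
"""
```

Rules it reports can be split into separate explicit rules, like the two "fine" rules in the profile above, and re-tested with `mkdir` under confinement.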