Use of px and pux transition in same profile results in wrong transition

Bug #693082 reported by John Johansen on 2010-12-21
268
This bug affects 3 people
Affects Status Importance Assigned to Milestone
AppArmor
Status tracked in Master
2.5
Medium
Unassigned
Master
Medium
Unassigned
apparmor (Ubuntu)
Medium
John Johansen
Karmic
Medium
Jamie Strandboge
Lucid
Medium
Jamie Strandboge
Maverick
Medium
Jamie Strandboge
Natty
Medium
John Johansen

Bug Description

SRU Justification:

Impact: This bug can result in tasks becoming unexpectedly unconfined when policy is misconfigured.

Fix: The supplied patches are backported from the upstream fix that is in Natty.

Testcase: This bug can be tested in two ways.
Method 1: The apparmor_parser merge conflict checker can be used to detect this bug, as the checker will fail to detect the merge conflict. This can be tested with the following profile (and all other combinations).
  profile test {
    /foo** Px,
    /foo*bar Pux,
  }

This test and all possible combinations of it are the tests generated by the gen_xtrans.pl script that the attached patch adds to the test suite.

Method 2: Load profiles into the kernel and test execs follow correct attachment. This requires setting up a profile, and ensuring the transition targets don't have profiles loaded into the kernel. The basic form of the profile needs to be
  /bin/test/app {
     #...

     /bin/a Pux,
     /bin/b Px,
  }

  it is important that the /bin/a program is sorted before /bin/b in the C locale.

  The test app should call /bin/b, if the bug is present then the transition from the /bin/test/app profile will fail as there is no profile defined for /bin/b, but because of the bug apparmor will fall back to unconfined. This can be checked using aa-status, which should show /bin/b as not being confined by a profile.

---

When the combination of px, pux or cx, cux or any of their safe, or named profile transition counterparts appear in a profile together, the transition is handled incorrectly.
  If px appears before pux then all pux transitions become px
  If pux appears before px then all px transitions become pux transitions

The same thing happens for (Px, Pux). (Cx, Cux), etc.

Jamie Strandboge (jdstrand) wrote :

Patch in r1587 of apparmor trunk (2.6 series). Natty not affected.

Changed in apparmor (Ubuntu Natty):
status: New → Invalid
Changed in apparmor (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu Karmic):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

John, I'll get these fixed in the stable releases if you can give/confirm patches against 2.5 and 2.3 (karmic).

Changed in apparmor (Ubuntu Natty):
status: Invalid → Fix Released
importance: Undecided → Medium
assignee: nobody → John Johansen (jjohansen)
Changed in apparmor:
status: New → Triaged
importance: Undecided → Medium
John Johansen (jjohansen) wrote :
John Johansen (jjohansen) wrote :
description: updated
description: updated
Changed in apparmor (Ubuntu Lucid):
status: Triaged → In Progress
Changed in apparmor (Ubuntu Maverick):
status: Triaged → In Progress
Changed in apparmor (Ubuntu Karmic):
status: Triaged → In Progress
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Uploaded patched packages for karmic, lucid and maverick to the security PPA.

Changed in apparmor (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in apparmor (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in apparmor (Ubuntu Karmic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.10.3

---------------
apparmor (2.5.1-0ubuntu0.10.10.3) maverick-security; urgency=low

  * Fix for apparmor_parser not generating correct policy when mixing exec
    transitions with and without unconfined fallback transitions.
    - debian/patches/0011-lp693082.patch: adjust dfa match flag table size
      and fix index calculation for pux and cux.
    - LP: #693082
 -- Jamie Strandboge <email address hidden> Wed, 05 Jan 2011 12:23:53 -0600

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.2

---------------
apparmor (2.5.1-0ubuntu0.10.04.2) lucid-security; urgency=low

  * Fix for apparmor_parser not generating correct policy when mixing exec
    transitions with and without unconfined fallback transitions.
    - debian/patches/0013-lp693082.patch: adjust dfa match flag table size
      and fix index calculation for pux and cux.
    - LP: #693082
 -- Jamie Strandboge <email address hidden> Wed, 05 Jan 2011 12:15:29 -0600

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu27.4

---------------
apparmor (2.3.1+1403-0ubuntu27.4) karmic-security; urgency=low

  * Fix for apparmor_parser not generating correct policy when mixing exec
    transitions with and without unconfined fallback transitions.
    - parser/immunix.h, parser/libapparmor_re/regexp.y: adjust dfa match flag
      table size and fix index calculation for pux and cux.
    - parser/tst/Makefile, parser/tst/gen-xtrans.pl,
      parser/tst/simple_tests/generated_x/readme: add comprehensive test cases
    - LP: #693082
  * debian/control: Build-Depends on libpam0g-dev
 -- Jamie Strandboge <email address hidden> Wed, 05 Jan 2011 12:25:20 -0600

Changed in apparmor (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Maverick):
status: Fix Committed → Fix Released
Mile (milevu) on 2011-01-23
Changed in apparmor (Ubuntu Maverick):
assignee: Jamie Strandboge (jdstrand) → Mile (milevu)
Mile (milevu) on 2011-01-23
Changed in apparmor (Ubuntu Maverick):
assignee: Mile (milevu) → nobody
Changed in apparmor (Ubuntu Maverick):
assignee: nobody → Jamie Strandboge (jdstrand)
ROOTMAN MR (xrootmanx) on 2011-02-05
Changed in apparmor (Ubuntu Karmic):
assignee: Jamie Strandboge (jdstrand) → ROOTMAN MR (xrootmanx)
Changed in apparmor (Ubuntu Karmic):
assignee: ROOTMAN MR (xrootmanx) → Jamie Strandboge (jdstrand)
Steve Beattie (sbeattie) wrote :

The fix for this issue has been committed to both the apparmor-2.5 branch (rev 1443) and trunk (rev 1587) and will be in the forthcoming 2.5.2 and 2.6.0 AppArmor releases.

Steve Beattie (sbeattie) wrote :

Closing, apparmor 2.6.0 and 2.5.2 were released.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers