parser error with 'deny change_profile'

Bug #1446794 reported by Jamie Strandboge
This bug affects 1 person

Affects: apparmor (Ubuntu)
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

$ echo 'profile foo { deny change_profile -> unconfined, }' | apparmor_parser -p
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
profile foo { deny change_profile[1]

$ echo 'profile foo { deny change_profile -> /**, }' | apparmor_parser -p
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
profile foo { deny change_profile[1]

$ echo 'profile foo { deny change_profile -> {unconfined,/**}, }' | apparmor_parser -p
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
profile foo { deny change_profile[1]

Tags: aa-parser
Steve Beattie (sbeattie) wrote:

AppArmor 2.10 has fixed the parsing issue; however, the policy generated does not actually deny the change_profile.

Steve Beattie (sbeattie) wrote:

The following is a patch against the parser's policy equality and inequality test script that demonstrates that 'deny change_profile' policy is not being generated correctly:

Index: b/parser/tst/equality.sh
===================================================================
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -285,7 +285,8 @@ for rule in "capability" "capability mac
  "file /f r" "file /f w" "file /f rwmlk" \
  "link /a -> /b" "link subset /a -> /b" \
  "l /a -> /b" "l subset /a -> /b" \
- "file l /a -> /b" "l subset /a -> /b"
+ "file l /a -> /b" "l subset /a -> /b" \
+ "change_profile -> unconfined" "change_profile -> /**"
 do
  verify_binary_equality "allow modifier for \"${rule}\"" \
   "/t { ${rule}, }" \
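Review bot: the new entries on the last `+` line cover only two of the three forms from the bug description; `"change_profile -> unconfined"` and `"change_profile -> /**"` are added, but the alternation form `change_profile -> {unconfined,/**}` that the report also shows failing to parse is not, and adding it as a third entry on that line would exercise it through the same modifier checks. Separately, the retained line `"file l /a -> /b" "l subset /a -> /b"` repeats `"l subset /a -> /b"` from the line above, which looks like it was meant to be a different variant; worth checking while the line is being touched anyway.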

John Johansen (jjohansen) wrote:

The deny modifier has been fixed in the 2.11 parser. However, the audit modifier is not properly supported by the backend permission format and will result in equality.sh failing.

With the above patch to equality.sh, the failures all involve audit, which is being silently dropped in permission encoding:

Binary inequality audit, deny, and audit deny modifiers for "change_profile -> unconfined"
FAIL: Hash values match
known-good (e01d6f3ba173df734864ab965521e195) == profile-under-test (e01d6f3ba173df734864ab965521e195) for the following profile:
/t { audit change_profile -> unconfined, }

Binary inequality audit, deny, and audit deny modifiers for "change_profile -> unconfined"
FAIL: Hash values match
known-good (e01d6f3ba173df734864ab965521e195) == profile-under-test (e01d6f3ba173df734864ab965521e195) for the following profile:
/t { audit allow change_profile -> unconfined, }

Binary inequality deny and audit deny modifiers for "change_profile -> unconfined"
FAIL: Hash values match
known-good (0f104a93d8f001f0f780702c8ff255b7) == profile-under-test (0f104a93d8f001f0f780702c8ff255b7) for the following profile:
/t { audit deny change_profile -> unconfined, }

Binary inequality audit, deny, and audit deny modifiers for "change_profile -> /**"
FAIL: Hash values match
known-good (df13fc0410c7ea6bce4c4ef14cfd504d) == profile-under-test (df13fc0410c7ea6bce4c4ef14cfd504d) for the following profile:
/t { audit change_profile -> /**, }

Binary inequality audit, deny, and audit deny modifiers for "change_profile -> /**"
FAIL: Hash values match
known-good (df13fc0410c7ea6bce4c4ef14cfd504d) == profile-under-test (df13fc0410c7ea6bce4c4ef14cfd504d) for the following profile:
/t { audit allow change_profile -> /**, }

Binary inequality deny and audit deny modifiers for "change_profile -> /**"
FAIL: Hash values match
known-good (0f104a93d8f001f0f780702c8ff255b7) == profile-under-test (0f104a93d8f001f0f780702c8ff255b7) for the following profile:
/t { audit deny change_profile -> /**, }

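The check equality.sh is performing above, written out as an added example (not the project's own script): compile the same rule under each modifier spelling, hash the binary, and flag any two modifier classes that collapse to one hash. The compile step assumes `apparmor_parser -QS` (skip kernel load, binary to stdout) is installed; the offline self-check reuses the hashes quoted in the failure output above and does not call the parser.

```python
import hashlib
import itertools
import subprocess

# Modifier classes equality.sh expects: spellings within a class must compile
# identically, and the four classes must all compile differently.
MODIFIER_CLASSES = {
    "allow": ("", "allow "),
    "audit": ("audit ", "audit allow "),
    "deny": ("deny ",),
    "audit deny": ("audit deny ",),
}

def profile_text(rule, modifier=""):
    """Wrap one rule in the minimal /t profile used by equality.sh."""
    return f"/t {{ {modifier}{rule}, }}"

def compile_hash(profile, parser="apparmor_parser"):
    """md5 of the compiled binary, as equality.sh does. Assumes the real
    parser accepts -QS; not exercised by the offline check below."""
    out = subprocess.run([parser, "-QS"], input=profile.encode(),
                         capture_output=True, check=True).stdout
    return hashlib.md5(out).hexdigest()

def check_modifier_encoding(rule, hashes):
    """hashes: profile text -> compiled hash for every modifier spelling.
    Returns failed expectations: ("equality", class, spelling) when a spelling
    differs from its class, ("inequality", a, b) when two classes share a hash,
    i.e. a modifier was dropped in the permission encoding."""
    failures = []
    for name, spellings in MODIFIER_CLASSES.items():
        first = hashes[profile_text(rule, spellings[0])]
        for other in spellings[1:]:
            if hashes[profile_text(rule, other)] != first:
                failures.append(("equality", name, other.strip()))
    for a, b in itertools.combinations(MODIFIER_CLASSES, 2):
        if hashes[profile_text(rule, MODIFIER_CLASSES[a][0])] == \
           hashes[profile_text(rule, MODIFIER_CLASSES[b][0])]:
            failures.append(("inequality", a, b))
    return failures

# Constructed from the hashes quoted in the failure output above: every
# "audit" spelling compiled to the same binary as its non-audit counterpart.
SAMPLE_RULE = "change_profile -> unconfined"
ALLOWED = "e01d6f3ba173df734864ab965521e195"   # plain, allow, audit, audit allow
DENIED = "0f104a93d8f001f0f780702c8ff255b7"    # deny, audit deny
SAMPLE_HASHES = {profile_text(SAMPLE_RULE, m): h for m, h in
                 [("", ALLOWED), ("allow ", ALLOWED), ("audit ", ALLOWED),
                  ("audit allow ", ALLOWED), ("deny ", DENIED), ("audit deny ", DENIED)]}
```

Running `check_modifier_encoding(SAMPLE_RULE, SAMPLE_HASHES)` reports exactly the two collapses John lists: allow versus audit, and deny versus audit deny.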