Exec to sub-profile doesn't work right when parent profile name has a variable in it

Bug #1617166 reported by Sverd Johnsen
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
AppArmor | New | Undecided | Unassigned |

Bug Description

2.10.95.bzr.3440-1

Given a profile similar to this:

#include <globals/global>

@{some_path}=opt

profile "/@{some_path}/foobar" {
#include <base/extra>
  /usr/bin/{bash,sh} rCx -> bash_ext,

  profile bash_ext {
    /usr/bin/true mixr,
  }
}

After transitioning to the profile you cannot run bash/sh:

audit: type=1400 audit(1472189988.235:642): apparmor="DENIED" operation="exec" info="profile not found" error=-2 profile="/opt/foobar" name="/usr/bin/bash" pid=25748 comm="dash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

transition-user --drop=false --lock=false --nnp=false --systemd=false --apparmor=/opt/foobar /usr/bin/dash
# /usr/bin/sleep
/usr/bin/dash: 1: /usr/bin/sleep: Permission denied
# /usr/bin/dash
/usr/bin/dash: 2: /usr/bin/dash: Permission denied
# /usr/bin/bash
/usr/bin/dash: 3: /usr/bin/bash: not found
# /usr/bin/sh
/usr/bin/dash: 4: /usr/bin/sh: not found
# /usr/bin/zsh
/usr/bin/dash: 5: /usr/bin/zsh: Permission denied

So you get ENOENT for the bash binary until you remove the variable and reload.

Tags: aa-parser
Christian Boltz (cboltz)
tags: added: aa-parser
dgyjr92 (dgy-jr92) wrote :

Yep, I could reproduce this on Ubuntu 18.04 LTS as well with apparmor 2.12-4ubuntu5, so this is still an annoying bug... Apparently removing the variables from the parent profile fixes the problem.

dgyjr92 (dgy-jr92) wrote :

Although in my case, the logs say "profile transition not found" instead.
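
Added example, not part of the report or its comments and not AppArmor project code: a Python triage script that flags top-level profiles whose name contains a variable and that use named child exec transitions (the combination described in this report), then matches exec denials carrying either info string quoted above against them. The function names are hypothetical, and the parser assumes the `profile` keyword form and one value per variable.

```python
import re

PROFILE_RE = re.compile(r'^\s*profile\s+("[^"]+"|\S+)')
CHILD_EXEC_RE = re.compile(r'\s\w*[cC][iu]?x\s*->\s*([^\s,]+)')  # e.g. "rCx -> bash_ext"
VAR_RE = re.compile(r'@\{(\w+)\}')
AUDIT_KV_RE = re.compile(r'(\w+)="([^"]*)"')
# The two info strings quoted in the report and in the follow-up comment.
BUG_INFOS = {"profile not found", "profile transition not found"}

def risky_parents(policy):
    """Map top-level profiles with @{var} in their name to their named child-exec targets."""
    depth, top, hits = 0, None, {}
    for line in policy.splitlines():
        code = line.split("#", 1)[0]  # drop comments and #include lines
        m = PROFILE_RE.match(code)
        if m and depth == 0:
            top = m.group(1).strip('"')
        elif depth == 1 and top and VAR_RE.search(top):
            hits.setdefault(top, []).extend(CHILD_EXEC_RE.findall(code))
        depth += code.count("{") - code.count("}")  # {a,b} and @{v} net to zero
        top = top if depth else None  # forget the profile once its block closes
    return {name: targets for name, targets in hits.items() if targets}

def expand(name, policy):
    """Expand @{var}=value definitions (assumption: one value per variable)."""
    values = dict(re.findall(r'^@\{(\w+)\}\s*=\s*(\S+)\s*$', policy, re.M))
    return VAR_RE.sub(lambda m: values.get(m.group(1), m.group(0)), name)

def matching_denials(policy, audit_lines):
    """Return (profile, binary, child targets) for exec denials hitting a risky parent."""
    runtime = {expand(n, policy): t for n, t in risky_parents(policy).items()}
    events = (dict(AUDIT_KV_RE.findall(line)) for line in audit_lines)
    return [(f["profile"], f.get("name"), runtime[f["profile"]]) for f in events
            if f.get("apparmor") == "DENIED" and f.get("operation") == "exec"
            and f.get("info") in BUG_INFOS and f.get("profile") in runtime]

# Profile (minus its #include lines) and audit record (abbreviated) from the report.
POLICY = """@{some_path}=opt
profile "/@{some_path}/foobar" {
  /usr/bin/{bash,sh} rCx -> bash_ext,
  profile bash_ext {
    /usr/bin/true mixr,
  }
}"""
AUDIT = ['apparmor="DENIED" operation="exec" info="profile not found" '
         'profile="/opt/foobar" name="/usr/bin/bash" comm="dash"']

if __name__ == "__main__":
    print(risky_parents(POLICY), matching_denials(POLICY, AUDIT))
```

The audit log records the expanded profile name (`/opt/foobar`), which is why the script expands the variable before matching against the policy source.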
