"profile transition not found" with unattached profiles

Bug #1696551 reported by Jamie Strandboge
This bug affects 1 person
Affects  | Status | Importance | Assigned to | Milestone
AppArmor | New    | Undecided  | Unassigned  |

Bug Description

I'm not sure of the cause of this bug, but on Ubuntu 17.04 with the following:

$ cat /tmp/bug/profile
#include <tunables/global>

profile child {
  #include <abstractions/base>

  /tmp/bug/* r,
  /tmp/bug/child ixr,
}

profile "parent.dot.profile" {
  #include <abstractions/base>
  #include <abstractions/bash>

  /tmp/bug/* r,

  /tmp/bug/child px -> @{profile_name}//&child,
}

profile "parent-no-dots" {
  #include <abstractions/base>
  #include <abstractions/bash>

  /tmp/bug/* r,

  /tmp/bug/child px -> @{profile_name}//&child,
}

and the following scripts:

$ cat /tmp/bug/parent
#!/bin/sh
set -e

echo "Executing ./child"
./child

$ cat /tmp/bug/child
#!/bin/sh
set -e

echo "I'm a child!"

I am unable to use discrete px rules to transition to parent-no-dots//&child. E.g.:

$ sudo apparmor_parser -r ./profile && aa-exec -p parent-no-dots -- ./parent
Executing ./child
./parent: 5: ./parent: ./child: Permission denied

kernel: audit: type=1400 audit(1496865113.672:133787): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="parent-no-dots" name="/tmp/bug/child" pid=20009 comm="parent" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000

$ sudo apparmor_parser -r ./profile && aa-exec -p parent.dot.profile -- ./parent
Executing ./child
./parent: 5: ./parent: ./child: Permission denied

kernel: audit: type=1400 audit(1496865142.337:133791): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="parent.dot.profile" name="/tmp/bug/child" pid=20023 comm="parent" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000

$ cat /proc/version_signature
Ubuntu 4.10.0-22.24-generic 4.10.15
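
Added example, not part of the original report: a small Python triage script that extracts exec denials carrying info="profile transition not found" from kernel-log or auditd output and counts them per confining profile and executed path. The sample log lines and every name in them are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample input (not from a real host): the kernel-log and auditd
# forms of an AppArmor denial, one unrelated denial, one hex-encoded name.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1000000001.100:11): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="example-parent" name="/opt/example/child" pid=4001 comm="parent" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
type=AVC msg=audit(1000000002.200:12): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="/usr/bin/example-app" name=2F6F70742F6D7920617070 pid=4002 comm="opener" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1000000003.300:13): apparmor="DENIED" operation="open" profile="example-parent" name="/etc/example.conf" pid=4003 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1000000004.400:14): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="example-parent" name="/opt/example/child" pid=4004 comm="parent" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STAMP_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
TEXT_KEYS = ("profile", "name", "comm", "info")  # fields that carry strings


def parse_apparmor_event(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    stamp = STAMP_RE.search(line)
    if stamp is None or "apparmor=" not in line:
        return None
    event = {"time": float(stamp.group(1)), "serial": int(stamp.group(2))}
    for key, quoted, bare in FIELD_RE.findall(line[stamp.end():]):
        if bare and key in TEXT_KEYS and HEX_RE.fullmatch(bare):
            # audit writes strings containing spaces or quotes as bare hex
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        event[key] = bare or quoted
    return event


def transition_failures(log_text):
    """Count exec denials with info="profile transition not found",
    keyed by (confining profile, path that was executed)."""
    hits = Counter()
    for line in log_text.splitlines():
        ev = parse_apparmor_event(line)
        if (ev and ev.get("apparmor") == "DENIED"
                and ev.get("operation") == "exec"
                and ev.get("info") == "profile transition not found"):
            hits[(ev.get("profile"), ev.get("name"))] += 1
    return hits


if __name__ == "__main__":
    for (profile, path), n in transition_failures(SAMPLE_LOG).most_common():
        print(f"{n:3d}  profile={profile}  exec={path}")
```

Feeding it the output of `journalctl -k` or the contents of the auditd log in place of SAMPLE_LOG gives the same per-profile summary for a real host.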

Vincas Dargis (talkless) wrote :

I have a similar problem with the skypeforlinux profile I am developing.

I have added:

#include <abstractions/ubuntu-browsers>

But as a result, I get DENIED with "profile transition not found":

type=AVC msg=audit(1498909949.154:568): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="/usr/bin/skypeforlinux" name="/usr/lib/firefox/firefox.sh" pid=4874 comm="gvfs-open" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1498909949.154:568): arch=c000003e syscall=59 success=no exit=-13 a0=560a2302a9ba a1=560a2302b080 a2=560a230742e0 a3=7f0a4a5beb58 items=0 ppid=1428 pid=4874 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="gvfs-open" exe="/usr/bin/gvfs-open" key=(null)
type=PROCTITLE msg=audit(1498909949.154:568): proctitle=677666732D6F70656E0068747470733A2F2F676F2E736B7970652E636F6D2F707269766163793F696E747372633D636C69656E742D5F2D6C696E75782D5F2D31343237253246352E332E302E312532462D5F2D6D656E752E70726976616379267365746C616E673D656E

Vincas Dargis (talkless) wrote :

I solved my problem using:

/{,usr/}bin/xdg-open Cx -> sanitized_helper,

My case is irrelevant to this bug report.
