AppArmor

sysfs PCI domain in profiles should have hex pattern.

Bug #1734569 reported by Mikhail Kurinnoi on 2017-11-26

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned

Bug Description

I found, that some profiles may have an issues with PCI domain number.

From kernel /Documentation/filesystems/sysfs-pci.txt
...
/sys/devices/pci0000:17
|-- 0000:17:00.0
...
The topmost element describes the PCI domain and bus number. In this case,
the domain number is 0000 and the bus number is 17 (both values are in hex).
...

In the same time we have a lot of profiles (usr.bin.totem, usr.bin.thunderbird, usr.bin.pulseaudio, ...) with
/sys/devices/pci[0-9]*
instead of
/sys/devices/pci[0-9a-f]*

Isn't this mean, that we limit PCI domain first symbol to decimal number, but not hex number, as it should be accordinately to kernel documentation?

Tags:

Revision history for this message

intrigeri (intrigeri) wrote on 2017-12-07:

Wow, interesting! I find it slightly surprising that I can't recall any real world bug caused by this potential issue, but your reasoning makes sense to me. I guess hardware with enough PCI stuff may be uncommon, or non-existing at all.

Also affected on my system: abstractions/gstreamer, usr.bin.ricochet

Most of these profiles live in https://gitlab.com/apparmor/apparmor-profiles and https://gitlab.com/apparmor/apparmor. You're warmly welcome to submit merge requests there :)

tags:

added: aa-policy

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.