alternation with globs sometimes allows directory writes when it shouldn't

Bug #1769971 reported by Jamie Strandboge
Affects: AppArmor
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Consider the following profile:

#include <tunables/global>

# HISTFILE=/dev/null aa-exec -p test -- /bin/bash --norc

profile test {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>

  /dev/tty rw,

  /{,usr/}bin/ls ixr,
  /{,usr/}bin/mkdir ixr,
  /{,usr/}bin/rm ixr,
  /{,usr/}bin/touch ixr,

  # fine: mkdir /tmp/foo/bar/ denied
  #/tmp/foo/bar/ r,
  #/tmp/foo/bar/* rw,

  # bad: allows mkdir /tmp/foo/bar/
  /tmp/foo/bar/{*,*/} rw,
  #/tmp/foo/bar/{*,froz/} rw,
  #/tmp/foo/bar/{*,*/,froz/} rw,
  #/tmp/foo/bar/{*,*/,froz/{*,*/,baz}} rw, # fails to parse on 12.04
}

With each of the rules under 'bad', the confined process is able to mkdir /tmp/foo/bar successfully. Tested on Ubuntu 12.04 (apparmor 2.7) through 18.04 LTS (apparmor 2.12).

E.g.:
$ cd /tmp ; rm -rf /tmp/foo/* ; sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- bash -c 'mkdir /tmp/foo/bar'
$ ls -d /tmp/foo/bar
/tmp/foo/bar

On the face of it, it looks like the confusion is coming in with rules of the form {*,something/}.

Tags: aa-parser
description: updated
summary: - alternation with globs allows directory writes when it shouldn't
+ alternation with globs sometimes allows directory writes when it
+ shouldn't
John Johansen (jjohansen) wrote :

This is a compiler issue, with how directory entries with a trailing alternation are compiled.
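
Added example, not part of the original report or of AppArmor's own tooling: a Python heuristic for auditing existing profiles that flags write rules whose path ends in an alternation mixing a glob alternative with a trailing-slash alternative, the `{*,something/}` form the report points to. The function names and the simplified rule regex are assumptions of this example; a hit marks a rule to review and retest, not a confirmed over-grant.

```python
import re

# Simplified file rule: "<path> <perms>," (rule qualifiers and quoted paths are not handled).
RULE = re.compile(r'^\s*(?P<path>/\S*)\s+(?P<perms>[a-zA-Z]+),')

# Constructed sample built from rules in the report's profile.
SAMPLE = """\
  /{,usr/}bin/mkdir ixr,
  /tmp/foo/bar/* rw,
  /tmp/foo/bar/{*,*/} rw,
  #/tmp/foo/bar/{*,froz/} rw,
  /tmp/foo/bar/{*,*/,froz/{*,*/,baz}} rw,
"""

def split_alternation(body):
    """Split the inside of {...} on top-level commas; nested groups stay whole."""
    parts, depth = [''], 0
    for ch in body:
        if ch == ',' and depth == 0:
            parts.append('')
        else:
            depth += (ch == '{') - (ch == '}')
            parts[-1] += ch
    return parts

def trailing_alternation(path):
    """Alternatives of a brace group that ends the path, or None if there is none."""
    depth = 0
    for i in range(len(path) - 1, -1, -1):
        depth += (path[i] == '}') - (path[i] == '{')
        if depth == 0:  # either the '{' matching the final '}', or no trailing group
            return split_alternation(path[i + 1:-1]) if path[i] == '{' else None
    return None

def suspicious_rules(profile_text):
    """(line number, path) of write rules that match the reported form."""
    hits = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = RULE.match(line)  # commented-out rules start with '#' and do not match
        alts = trailing_alternation(m['path']) if m and 'w' in m['perms'] else None
        if (alts and any('*' in a and not a.endswith('/') for a in alts)
                and any(a.endswith('/') for a in alts)):
            hits.append((lineno, m['path']))
    return hits

if __name__ == '__main__':
    for lineno, path in suspicious_rules(SAMPLE):
        print(f'line {lineno}: review trailing alternation in {path}')
```

For each flagged rule, the report's own reproduction (load the profile, attempt the `mkdir` under `aa-exec`) shows whether the directory write is actually permitted on the installed parser version.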
