AppArmor does not load all valid profiles if broken profile symlink exists
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Undecided | Unassigned |
Ubuntu Pro | Status tracked in 18.04 | | |
18.04 | Fix Released | Medium | Pedro Principeza |
Bug Description
[ Impact ]
The apparmor_parser tool in Bionic does not handle return error codes for certain conditions (most notably, handling file access issues), and this leads to inappropriate error handling in any shells executing the tool.
[ Test Plan ]
One simple test case is to have apparmor_parser use a flag that requires a filename input that does not exist. E.g.:
```
$ ll /etc/apparmor.
ls: cannot access '/etc/apparmor.
```
If we try to remove a definition using the non-existing file:
```
$ sudo apparmor_parser -R /etc/apparmor.
File /etc/apparmor.
```
Now, at that same prompt:
```
$ echo $?
0
```
This operation should not return zero, as the action clearly failed.
[ Where problems could occur ]
Issues could occur on scripts that use apparmor_parser and read (for unbeknownst reasons) the zero return code and, once the fix is landed, start seeing the "real" error code in the calling prompt/session.
It is wise to mention that this has already landed in AppArmor versions in Focal on, with no regressions detected ever since.
[Original Description]
Debian bug: https:/
AppArmor does not load all (just some) profiles if `/etc/apparmor.d/`
contains broken symlink to previously existing local profile.
Steps to reproduce:
```
sudo ln -s /foo/bar/
sudo aa-teardown # or reboot, systemctl restart is not enough
sudo systemctl restart apparmor
sudo aa-status
```
This is `aa-status` after creating broken symlink:
```
$ sudo aa-status
apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
/usr/
libreoffice-
2 profiles are in complain mode.
mdnsd
smbd
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
/usr/
```
And this is how it looks without broken symlink:
```
apparmor module is loaded.
53 profiles are loaded.
37 profiles are in enforce mode.
/usr/
/usr/bin/man
/usr/bin/pidgin
/usr/
/usr/bin/totem
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/sbin/cupsd
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/
/usr/sbin/sshd
/usr/
apache2
apache2/
apache2/
dhclient
libreoffice-
libreoffice-
libreoffice-
libreoffice-
libreoffice-
man_filter
man_groff
thunderbird
thunderbird/
thunderbird/
thunderbird//gpg
thunderbird/
16 profiles are in complain mode.
/usr/bin/irssi
/usr/
/usr/
avahi-daemon
identd
klogd
mdnsd
nmbd
nscd
ping
smbd
smbldap-useradd
smbldap-
syslog-ng
syslogd
traceroute
5 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
5 processes are unconfined but have a profile defined.
/usr/
/usr/
/usr/sbin/cupsd (566)
/usr/
/usr/sbin/sshd (736)
```
Journal does not produce any notice about failure (while restarting):
```
$ sudo journalctl -n0 -f -u apparmor
-- Logs begin at Sat 2019-02-09 17:25:42 EET. --
Feb 09 17:50:59 debian-sid systemd[1]: Stopping Load AppArmor profiles...
Feb 09 17:50:59 debian-sid systemd[1]: apparmor.service: Succeeded.
Feb 09 17:50:59 debian-sid systemd[1]: Stopped Load AppArmor profiles.
Feb 09 17:50:59 debian-sid systemd[1]: Starting Load AppArmor profiles...
Feb 09 17:50:59 debian-sid apparmor.
Feb 09 17:50:59 debian-sid apparmor.
profiles
Feb 09 17:50:59 debian-sid systemd[1]: Started Load AppArmor profiles.
```
`apparmor_parser` returns 0:
```
$ sudo /sbin/apparmor_
/etc/apparmor.d && echo $?
Cached reload succeeded for "/var/cache/
Cached reload succeeded for "/var/cache/
Cached reload succeeded for "/var/cache/
Cached reload succeeded for "/var/cache/
0
```
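The two failure modes in this report (a dangling symlink in the profile directory that silently truncates the load, and a parser that prints an error but exits 0) are both things a deployment script can guard against before trusting the result. The following is an added example, not code from the bug report or from the AppArmor project: a POSIX sh preflight that lists broken symlinks in a profile directory and a wrapper that treats any stderr output from the parser as failure even when its exit status is 0. The directory layout, the `bionic_parser_stub` function and its message wording are constructed stand-ins for this example; nothing here touches `/etc/apparmor.d` or runs the real `apparmor_parser`.

```shell
#!/bin/sh
# Added example (not from the bug report or the AppArmor project).
#
# find_broken_symlinks DIR
#   Prints every symlink directly inside DIR whose target is missing and
#   returns 1 if any were found (0 if the directory is clean). This is the
#   condition from the original report: one dangling link and only a few
#   profiles get loaded, with no error in the journal.
#
# run_parser_strict CMD [ARGS...]
#   Runs CMD and fails if the exit status is non-zero OR if anything was
#   written to stderr. The second rule is the workaround for the Bionic
#   behaviour in the test plan: "File ... " printed, exit status 0.

find_broken_symlinks() {
    dir=$1
    clean=0
    for f in "$dir"/*; do
        [ -L "$f" ] || continue      # only look at symlinks
        [ -e "$f" ] && continue      # -e follows the link; target exists
        printf '%s\n' "$f"           # dangling: target is gone
        clean=1
    done
    return $clean
}

run_parser_strict() {
    errfile=$(mktemp)
    "$@" 2>"$errfile"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        printf 'parser exited %d\n' "$rc" >&2
    elif [ -s "$errfile" ]; then
        # Exit status said "ok" but the parser complained: do not trust it.
        printf 'parser exited 0 but wrote to stderr:\n' >&2
        cat "$errfile" >&2
        rc=1
    fi
    rm -f "$errfile"
    return "$rc"
}

# Constructed stand-in for the Bionic apparmor_parser described above:
# reports a missing profile file on stderr, yet still exits 0. The message
# text is invented for the example; it is not the real parser's output.
bionic_parser_stub() {
    profile=$2            # called as: bionic_parser_stub -R /path/to/profile
    if [ ! -e "$profile" ]; then
        printf 'File %s not found\n' "$profile" >&2
    fi
    return 0
}

demo() {
    tmp=$(mktemp -d)
    printf '/usr/bin/example {\n}\n' > "$tmp/usr.bin.example"   # ordinary profile
    ln -s "$tmp/local.removed" "$tmp/local.stale"               # dangling link

    echo "== broken symlinks in $tmp"
    find_broken_symlinks "$tmp" || echo "== refusing to load: remove the links first"

    echo "== strict run against the constructed Bionic stub"
    run_parser_strict bionic_parser_stub -R "$tmp/missing-profile" \
        || echo "== strict run failed as intended (rc=$?)"

    rm -rf "$tmp"
}

demo
```

On a fixed parser (Focal and later, or Bionic with this SRU applied) the exit status alone is enough, but the stderr rule costs nothing and also catches the original symlink case, where the parser logs an error for the dangling link and continues.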
Changed in ubuntu-pro:
assignee: nobody → Pedro Principeza (pprincipeza)
importance: Undecided → Low
status: New → Confirmed
tags: added: se-sponsor-halves
description: updated
I tried this from the parser and it "works" in the sense that it continues to load profiles and logs an error message. However the parser does not return with an error.
Beyond the parser not returning an error, it looks like this bug is in the initscript.