aa-logprof: doesn't remove redundant rules

Bug #387663 reported by Tom Metro
Affects: apparmor (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: apparmor

Ubuntu 8.04.2
Package: apparmor-utils
Version: 2.1+1075-0ubuntu9.2

My understanding of the aa-logprof documentation is that it is supposed to remove specific rules that are obviated by broader rules, but examining the diff after a profile update seems to show otherwise:

# rcsdiff usr.sbin.smbd .RCS/usr.sbin.smbd,v
[...]
19a19,21
> /data/ r,
> /data/** krw,
[...]
30a34,36
> /var/log/samba/clients/* a,
> /var/log/samba/cores/smbd/ rw,
> /var/log/samba/cores/smbd/** rw,
34,36c40,44
[...]
> /video/ r,
> /video/** krw,
> /video2/**/ r,
> /video2/mythtv/1024_20090131200000.mpg r,
> /video2/mythtv/1029_20090310173000.mpg r,

Many of those rules appear redundant, and I'm sure at least a few are, such as the last 3 lines.

Kees Cook (kees) wrote:

Thanks for the bug report! As it turns out, /dir/ and /dir have different meanings, so those rules do not seem to be redundant. Please feel free to report any other issues you find.

Changed in apparmor (Ubuntu):
status: New → Invalid

Tom Metro (tmetro+ubuntu) wrote:

> /dir/ and /dir have different meanings...

Thanks. I figured that might be the case. Same true for /dir/ vs. /dir/** I presume.

But what about:

/video2/**/ r,
/video2/mythtv/1024_20090131200000.mpg r,
/video2/mythtv/1029_20090310173000.mpg r,

These seem redundant, unless that first rule should be /video2/** without the trailing slash.

Steve Beattie (sbeattie) wrote: Re: [Bug 387663] Re: aa-logprof: doesn't remove redundant rules

On Tue, Jun 16, 2009 at 07:06:36PM -0000, Tom Metro wrote:
> Thanks. I figured that might be the case. Same true for /dir/ vs.
> /dir/** I presume.

Yes, the latter matches everything underneath /dir/ but not /dir/
itself.

> But what about:
>
> /video2/**/ r,
> /video2/mythtv/1024_20090131200000.mpg r,
> /video2/mythtv/1029_20090310173000.mpg r,
>
> These seem redundant, unless that first rule should be /video2/**
> without the trailing slash.

Indeed it should be /video2/** as /video2/**/ is telling it to match any
directory under /video2/. /video2/** will allow access to any files or
directories under /video2/.

You can also restrict access to just files under /video2/ with the pattern
'/video2/**[^/]', but things that need to query what directory entries
exist in each directory will need read access to the directories. An
alternative pattern where you know /video2 will be populated by only
*.mpg files and subdirectories would be '/video2/**{.mpg,/} r,'. But
that's a matter of how tight you wish the restrictions to be.

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/
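
The reply above describes how AppArmor path globs differ (/dir/ vs /dir, /dir/** not matching /dir/ itself, /video2/**/ matching only directories). The following is an added example, not part of the bug thread or of AppArmor's own parser: it models those glob rules in Python so the rules from the report can be checked against constructed paths, and `covered_literals` shows which glob-free rules another rule already covers. The component-start rule (a leading * or ** must match at least one character) follows the reply's description and is an approximation of the real parser; `aa_match` and `covered_literals` are names chosen here.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor file-path glob into a Python regex body.

    Approximation of the documented AppArmor glob rules (written for this
    example, not taken from the AppArmor parser):
      *      any run of characters except '/'
      **     any run of characters, '/' included
      ?      one character other than '/'
      {a,b}  alternation;  [..]  character class, passed through
    A * or ** that begins a path component (start of the glob, or right
    after '/') must match at least one character, so /dir/** matches paths
    below /dir/ but not /dir/ itself.
    """
    out, i, n = [], 0, len(glob)
    while i < n:
        c = glob[i]
        if c == "\\" and i + 1 < n:                      # escaped literal
            out.append(re.escape(glob[i + 1])); i += 2
        elif c == "*":
            comp_start = i == 0 or glob[i - 1] == "/"
            if glob[i + 1:i + 2] == "*":                 # '**'
                out.append("[^/].*" if comp_start else ".*"); i += 2
            else:                                        # single '*'
                out.append("[^/]+" if comp_start else "[^/]*"); i += 1
        elif c == "?":
            out.append("[^/]"); i += 1
        elif c == "[":                                   # character class, verbatim
            j = glob.index("]", i + 1)
            out.append(glob[i:j + 1]); i = j + 1
        elif c == "{":                                   # {a,b} -> (?:a|b)
            j = glob.index("}", i + 1)
            alts = [aa_glob_to_regex(a) for a in glob[i + 1:j].split(",")]
            out.append("(?:" + "|".join(alts) + ")"); i = j + 1
        else:
            out.append(re.escape(c)); i += 1
    return "".join(out)

def aa_match(glob, path):
    """True if the AppArmor glob matches the whole path."""
    return re.fullmatch(aa_glob_to_regex(glob), path) is not None

def covered_literals(rule_paths):
    """Map each glob-free rule path to the other rules that already match it,
    i.e. the rules a profile tool could drop as redundant."""
    literal = [p for p in rule_paths if not any(ch in p for ch in "*?[{")]
    return {p: [g for g in rule_paths if g != p and aa_match(g, p)] for p in literal}
```

Running `covered_literals` over the three rules quoted in the report shows the two .mpg rules are not covered by `/video2/**/`, but would be by `/video2/**`.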
