no logging with Cx|cx to non-existent subprofile
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apparmor (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
If I create the following rule:
<path> Cx -> <subprofile>,
apparmor_parser does not complain if '<subprofile>' does not exist and the kernel doesn't log that there was a problem transitioning.
This has happened when profiling in Ubuntu when using the 'sanitized_helper' but forgetting to '#include <abstractions/
```
$ cat /tmp/foo
#!/bin/sh
echo foo
/tmp/bar
$ cat /tmp/bar
#!/bin/sh
echo bar
head -1 /etc/hosts
$ cat /tmp/test.profile
#include <tunables/global>
/tmp/foo {
  #include <abstractions/base>
  #include <abstractions/bash>
  /tmp/foo r,
  /tmp/bar Cxr -> bar,
}
profile bar {
  #include <abstractions/base>
  #include <abstractions/bash>
  /bin/dash r,
  /tmp/bar r,
  /usr/bin/head ixr,
  /etc/hosts r,
}
```
Loading the above profile and executing /tmp/foo results in:
```
$ /tmp/foo
foo
bar
head: cannot open `/etc/hosts' for reading: Permission denied
```
This happens because 'foo' can't transition to 'bar' because 'bar' is not a subprofile of 'foo'. There is no kernel message and apparmor_parser also did not catch the profiling error. Depending on how the profiled applications are written, there may or may not be useful debugging information when profiling.
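A corrected version of the profile from the report, added here as an illustration (it is not part of the bug report): a `Cx` transition targets a child profile, and a child profile has to be declared inside the parent's block, so `profile bar` is moved inside `/tmp/foo { ... }`. The rules themselves are the ones shown above; nothing else is assumed.

```apparmor
#include <tunables/global>

/tmp/foo {
  #include <abstractions/base>
  #include <abstractions/bash>
  /tmp/foo r,

  # Cx transitions to a *child* profile of /tmp/foo. The target must be
  # declared inside this block; a top-level "profile bar" is not a child
  # and the transition silently fails to take effect (the behaviour this
  # bug describes).
  /tmp/bar Cxr -> bar,

  profile bar {
    #include <abstractions/base>
    #include <abstractions/bash>
    /bin/dash r,
    /tmp/bar r,
    /usr/bin/head ixr,
    /etc/hosts r,
  }
}
```

Reload with `apparmor_parser -r /tmp/test.profile`; running `/tmp/foo` should then print the first line of `/etc/hosts` instead of the permission error. To confirm the transition actually happened rather than relying on log messages, `aa-status` lists the child as `/tmp/foo//bar`, and `cat /proc/self/attr/current` run from inside `/tmp/bar` reports that same label. If the standalone top-level `profile bar` is what you want, use a named transition (`px -> bar`) rather than `Cx`, which only ever looks for a child.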
Changed in apparmor (Ubuntu): status: New → Confirmed
There is a 64-bit quantal test kernel located at http://people.canonical.com/~jj/linux-image-3.5.0-13-generic_3.5.0-13.14~lp1045074_amd64.deb