Activity log for bug #1262938

Date Who What changed Old value New value Message
2013-12-20 01:41:36 Tyler Hicks bug added bug
2013-12-20 01:45:42 Tyler Hicks description

Old value:

I noticed that mount and dbus rules weren't being optimized correctly when a more permissive rule follows. For example, 'mount fstype=foo, mount' should result in the 'mount fstype=foo,' rule being optimized away. That rule is currently not optimized away and, oddly enough, the last 'o' in foo is truncated.

Here's a more clear example with ext2 and ext3 fstypes:

    $ echo "/t { mount fstype=ext2, mount, }" | apparmor_parser -qQD dfa-states 2>ext2
    $ echo "/t { mount fstype=ext3, mount, }" | apparmor_parser -qQD dfa-states 2>ext3
    $ md5sum ext2 ext3
    e5d4e0b335b1bb530fbff8e0cdfa7337 ext2
    e5d4e0b335b1bb530fbff8e0cdfa7337 ext3
    $ cat ext2
    {1} <== (allow/deny/audit/quiet)
    {6} (0x 2/0/0/0)
    {1} -> {2}: 0x7
    {2} -> {3}: 0x0
    {2} -> {2}: []
    {3} -> {4}: 0x0
    {3} -> {3}: []
    {4} -> {6}: 0x0
    {4} -> {7}: 0x65 e
    {4} -> {5}: []
    {5} -> {6}: 0x0
    {5} -> {5}: []
    {6} (0x 2/0/0/0) -> {6}: [^\0x0]
    {7} -> {6}: 0x0
    {7} -> {8}: 0x78 x
    {7} -> {5}: []
    {8} -> {6}: 0x0
    {8} -> {5}: 0x74 t
    {8} -> {5}: []

Off the top of his head, JJ thinks that it has to do with the DFA minimization in parser/libapparmor_re/hfa.cc.

New value:

I noticed that mount and dbus rules weren't being optimized correctly when a more permissive rule follows. For example, 'mount fstype=foo, mount' should result in the 'mount fstype=foo,' rule being optimized away. That rule is currently not optimized away and, oddly enough, the last 'o' in foo is truncated.

Here's a more clear example with ext2 and ext3 fstypes:

    $ echo "/t { mount fstype=ext2, mount, }" | apparmor_parser -qQD dfa-states 2>ext2
    $ echo "/t { mount fstype=ext3, mount, }" | apparmor_parser -qQD dfa-states 2>ext3
    $ md5sum ext2 ext3
    e5d4e0b335b1bb530fbff8e0cdfa7337 ext2
    e5d4e0b335b1bb530fbff8e0cdfa7337 ext3
    $ cat ext2
    {1} <== (allow/deny/audit/quiet)
    {6} (0x 2/0/0/0)
    {1} -> {2}: 0x7
    {2} -> {3}: 0x0
    {2} -> {2}: []
    {3} -> {4}: 0x0
    {3} -> {3}: []
    {4} -> {6}: 0x0
    {4} -> {7}: 0x65 e
    {4} -> {5}: []
    {5} -> {6}: 0x0
    {5} -> {5}: []
    {6} (0x 2/0/0/0) -> {6}: [^\0x0]
    {7} -> {6}: 0x0
    {7} -> {8}: 0x78 x
    {7} -> {5}: []
    {8} -> {6}: 0x0
    {8} -> {5}: 0x74 t
    {8} -> {5}: []

While the md5sum of the ext2 and ext3 files should be equal, they should not contain any remnants of the fstype=ext2 or fstype=ext3 conditional.

Off the top of his head, JJ thinks that it has to do with the DFA minimization in parser/libapparmor_re/hfa.cc.

2014-01-11 00:14:06 Steve Beattie apparmor: status Triaged Fix Committed
2014-01-13 19:21:24 Tyler Hicks bug task added apparmor (Ubuntu)
2014-01-13 19:21:35 Tyler Hicks apparmor (Ubuntu): status New In Progress
2014-01-13 19:21:44 Tyler Hicks apparmor (Ubuntu): importance Undecided Medium
2014-01-13 19:21:46 Tyler Hicks apparmor (Ubuntu): assignee Tyler Hicks (tyhicks)
2014-01-13 19:21:55 Tyler Hicks apparmor: assignee Tyler Hicks (tyhicks) John Johansen (jjohansen)
2014-01-17 14:31:14 Launchpad Janitor branch linked lp:ubuntu/trusty-proposed/apparmor
2014-01-17 15:24:19 Launchpad Janitor apparmor (Ubuntu): status In Progress Fix Released
2014-10-19 17:31:32 Christian Boltz apparmor: status Fix Committed Fix Released