parser error with 'deny change_profile'
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | apparmor (Ubuntu) |
Medium
|
Unassigned | ||
Bug Description
$ echo 'profile foo { deny change_profile -> unconfined, }' | apparmor_parser -p
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
profile foo { deny change_profile[1]
$ echo 'profile foo { deny change_profile -> /**, }' | apparmor_parser -p
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
profile foo { deny change_profile[1]
$ echo 'profile foo { deny change_profile -> {unconfined,/**}, }' | apparmor_parser -p
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
AppArmor parser error, in stdin line 1: syntax error, unexpected TOK_CHANGE_PROFILE, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
profile foo { deny change_profile[1]
| Steve Beattie (sbeattie) wrote : | #1 |
| Steve Beattie (sbeattie) wrote : | #2 |
The following is a patch against the parser's policy equality and inequality test script that demonstrates that 'deny change_profile' policy is not being generated correctly:
Index: b/parser/
=======
--- a/parser/
+++ b/parser/
@@ -285,7 +285,8 @@ for rule in "capability" "capability mac
"file /f r" "file /f w" "file /f rwmlk" \
"link /a -> /b" "link subset /a -> /b" \
"l /a -> /b" "l subset /a -> /b" \
- "file l /a -> /b" "l subset /a -> /b"
+ "file l /a -> /b" "l subset /a -> /b" \
+ "change_profile -> unconfined" "change_profile -> /**"
do
verify_
"/t { ${rule}, }" \
| John Johansen (jjohansen) wrote : | #3 |
The deny modifier has been fixed in the 2.11 parser. However, the audit modifier is not properly supported by the backend permission format and will result in equality.sh failing
With the above patch to equality.sh, the failures all involve audit which is being silently dropped in permission encoding:
Binary inequality audit, deny, and audit deny modifiers for "change_profile -> unconfined"
FAIL: Hash values match
known-good (e01d6f3ba173df
/t { audit change_profile -> unconfined, }
Binary inequality audit, deny, and audit deny modifiers for "change_profile -> unconfined"
FAIL: Hash values match
known-good (e01d6f3ba173df
/t { audit allow change_profile -> unconfined, }
.Binary inequality deny and audit deny modifiers for "change_profile -> unconfined"
FAIL: Hash values match
known-good (0f104a93d8f001
/t { audit deny change_profile -> unconfined, }
..Binary inequality audit, deny, and audit deny modifiers for "change_profile -> /**"
FAIL: Hash values match
known-good (df13fc0410c7ea
/t { audit change_profile -> /**, }
Binary inequality audit, deny, and audit deny modifiers for "change_profile -> /**"
FAIL: Hash values match
known-good (df13fc0410c7ea
/t { audit allow change_profile -> /**, }
.Binary inequality deny and audit deny modifiers for "change_profile -> /**"
FAIL: Hash values match
known-good (0f104a93d8f001
/t { audit deny change_profile -> /**, }
AppArmor 2.10 has fixed the parsing issue; however, the policy generated does not actually deny the change_profile.