parser doesn't catch conflicting change_profile exec modes (safe/unsafe)

Bug #1588069 reported by Tyler Hicks
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Fix Released
High
John Johansen
apparmor (Ubuntu)
Fix Released
High
Tyler Hicks
Xenial
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

Applications which use libapparmor's aa_change_onexec() to set up an AppArmor profile transition across an upcoming exec() could not pre-initialize the environment up until the upstream fix for bug #1584069 was in place. That upstream fix had a flaw in that conflicting safe/unsafe change_profile transitions were allowed by apparmor_parser. apparmor_parser should detect conflicting rules and fail to compile the profile.

[Test Case]

The upstream fix for this bug includes exhaustive tests for conflicting safe/unsafe change_profile transitions. These tests run at build time.

If a manual test is desired, see the original report below for steps.

[Regression Potential]

Regression potential for this change is small since it is actually a bug fix for the changes introduced in bug #1584069. The regression potential for the changes for bug #1584069 are considerable and listed in that bug report.

[Original Report]

The ability to specify change_profile exec modes (safe/unsafe) is a recently merged feature. A missing piece is that the parser doesn't detect conflicting exec modes on the same exec condition. The following profile should fail to compile:

/t {
  change_profile safe /foo -> /bar,
  change_profile unsafe /foo -> /bar,
}

Revision history for this message
Tyler Hicks (tyhicks) wrote :
Changed in apparmor:
status: New → In Progress
Revision history for this message
Tyler Hicks (tyhicks) wrote :

committed upstream as r3478

Changed in apparmor:
status: In Progress → Fix Committed
Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → High
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.10.95-4ubuntu2

---------------
apparmor (2.10.95-4ubuntu2) yakkety; urgency=medium

  * Drop the following change now that click-apparmor has been updated:
    - Continue installing aa-exec into /usr/sbin/ for now since
      click-apparmor's aa-exec-click autopkgtest expects it to be there
  * debian/patches/allow-stacking-tests-to-use-system.patch,
    debian/patches/r3430-allow-stacking-tests-to-use-system.patch: Replace
    patch with the final version that landed upstream and annotate the patch
    headers accordingly
  * debian/patches/r3460-ignore-file-events-with-send-or-receive-request.patch:
    Prevent an aa-logprof crash by ignoring file events that contains
    send or receive in the request mask. (LP: #1577051, LP: #1582374)
  * debian/patches/r3463-r3475-change-profile-exec-modes.patch: Allow policy
    authors to specify if the environment should scrubbed during exec
    transitions allowed by a change_profile rule. (LP: #1584069)
  * debian/patches/r3478-make-overlapping-safe-and-unsafe-rules-conflict.patch:
    Make sure that multiple change_profile rules with overlapping safe and
    unsafe exec modes conflict when they share the same exec conditional
    (LP: #1588069)
  * debian/patches/r3479-create-fcitx-abstractions.patch: Include fcitx and
    fcitx-strict abstractions that fcitx client profiles can reuse.
  * debian/control: Do a conffile move of /etc/apparmor.d/abstractions/fcitx
    from the fcitx-data to apparmor by setting up the correct Breaks and
    Replaces.
  * debian/patches/r3480-create-mozc-abstraction.patch: Include a mozc
    abstraction that mozc client profiles can reuse.
  * debian/patches/r3488-r3489-fix-racy-onexec-test.patch: Fix racy regression
    test so that the kernel SRU process is not interrupted by the onexec.sh
    periodically failing
  * debian/patches/r3490-utils-handle-change-profile-exec-modes.patch: Update
    the Python utilities to handle the new exec mode keywords in
    change_profile rules. (LP: #1584069)
  * debian/patches/r3492-allow-dbus-user-session-path.patch: Allow read/write
    access to the dbus-user-session socket file. (LP: #1604872)

 -- Tyler Hicks <email address hidden> Tue, 26 Jul 2016 23:03:05 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Martin Pitt (pitti)
Changed in apparmor (Ubuntu Xenial):
status: New → Fix Committed
Tyler Hicks (tyhicks)
description: updated
Revision history for this message
Tyler Hicks (tyhicks) wrote :

The build tests succeed and I've verified that the manual test in the original description fails to compile.

description: updated
tags: added: aa-parser verification-done
Revision history for this message
Christian Boltz (cboltz) wrote :

Fixed in AppArmor 2.11

Changed in apparmor:
status: Fix Committed → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

This was fixed in Ubuntu 16.04 LTS in apparmor 2.10.95-0ubuntu2.2 (including the changes in 2.10.95-0ubuntu2.1, which was superceded in xenial-proposed by 2.10.95-0ubuntu2.2). Marking that task closed.

Changed in apparmor (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.