initscript does not handle unloading of child profiles correctly

Bug #674268 reported by Jamie Strandboge
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | Fix Released | Undecided | Kees Cook |

Bug Description

Binary package hint: apparmor

On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. E.g.:

$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)

$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$

So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [fail]
                               [ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
...

Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
        cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}

Kees mentioned this is being fixed upstream with changing running_profile_names() and configured_profile_names() to be:
running_profile_names() {
        cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//'
}

configured_profile_names() {
        foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '\^'
}

This also affects Ubuntu 10.04 LTS for profiles when using the stop command. E.g.:

$ sudo apparmor_parser -a /etc/apparmor.d/bug674268.profile
$ sudo /etc/init.d/apparmor stop
 * Unloading AppArmor profiles [fail]
                               [ OK ]

Attached is a simple profile to trigger this.
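The failure described in the report, replayed as an added example (this is not part of the bug report and not code from the apparmor package). It runs the initscript's "unload every running profile" loop against a constructed copy of /sys/kernel/security/apparmor/profiles (the chromium entries from the report plus one unrelated profile) with both the original and the fixed running_profile_names(), using a hypothetical fake_unload() in place of apparmor_parser -R that behaves as the report describes: removing a parent also removes everything under parent//, and removing a profile that is no longer loaded is an error.

```shell
#!/bin/sh
# Added example (not from the bug report or the apparmor package): replays the
# initscript's "unload every running profile" loop against a constructed copy of
# /sys/kernel/security/apparmor/profiles, with a stand-in for apparmor_parser -R.

# Constructed sample of the profiles file: the chromium entries from the
# report plus one unrelated profile. Not read from a live kernel.
SAMPLE_PROFILES='/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)'

# Strip the trailing " (mode)" as running_profile_names() does (two sed
# expressions instead of the GNU-only \| alternation, for portability).
strip_mode() {
    sed -e 's/ (enforce)$//' -e 's/ (complain)$//'
}

# Original running_profile_names(): child profiles ("parent//child") stay in the list.
running_profile_names_old() {
    printf '%s\n' "$SAMPLE_PROFILES" | strip_mode | sort
}

# Fixed running_profile_names(): locale-independent order, child profiles dropped.
running_profile_names_new() {
    printf '%s\n' "$SAMPLE_PROFILES" | strip_mode | LC_COLLATE=C sort | grep -v '//'
}

# Hypothetical stand-in for "apparmor_parser -R <profile>": removing a parent
# also removes everything under "parent//", and removing a profile that is no
# longer loaded is an error. $LOADED holds the currently loaded profile names.
fake_unload() {
    name="$1"
    printf '%s\n' "$LOADED" | grep -qxF -- "$name" || return 1
    LOADED=$(printf '%s\n' "$LOADED" \
        | awk -v p="$name" '$0 != p && substr($0, 1, length(p) + 2) != (p "//")')
    return 0
}

# Replays the teardown loop using the given lister. Returns 0 only if every
# unload succeeded, which is what decides between "[ OK ]" and "[fail]".
# (Profile names here contain no whitespace, so plain word splitting is safe.)
teardown_with() {
    lister="$1"
    LOADED=$(printf '%s\n' "$SAMPLE_PROFILES" | strip_mode)
    rc=0
    for p in $("$lister"); do
        fake_unload "$p" || { echo "  unload failed: $p (already removed with its parent)"; rc=1; }
    done
    return "$rc"
}

for lister in running_profile_names_old running_profile_names_new; do
    if teardown_with "$lister"; then
        echo "$lister: Unloading AppArmor profiles [ OK ]"
    else
        echo "$lister: Unloading AppArmor profiles [fail]"
    fi
done
```

With the original lister the parent is removed first, so the three chromium child profiles are already gone when the loop reaches them and the run ends in [fail], exactly as in the report; a second run sees an empty list and succeeds. The fixed lister never names a child profile, so one pass is enough. The LC_COLLATE=C in the fix is a separate point: it gives the running and configured lists the same, locale-independent order, which is what a comparison between the two lists relies on.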

Changed in apparmor (Ubuntu):
status: New → Triaged
description: updated
Jamie Strandboge (jdstrand) wrote :

Simple profile to trigger the bug.

description: updated
Jamie Strandboge (jdstrand) wrote :

Fixed in 2.6~devel+bzr1527-0ubuntu1.

Changed in apparmor (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: Triaged → Fix Released