Comment 1 for bug 1226356

Revision history for this message
Tyler Hicks (tyhicks) wrote : Re: explicit deny rules do not silence logging denials

It seems like this bug is in apparmor_parser. I loaded a profile with "deny dbus," and then strace'd the bus while running dbus-send:

$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qr
$ aa-exec -p deny-dbus -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames

Strace output:

open("/sys/kernel/security/apparmor/.access", O_RDWR) = 61
write(61, "label\0deny-dbus\0 system\0org.freedesktop.DBus\0unconfined\0/org/freedesktop/DBus\0org.freedesktop.DBus\0Hello", 104) = 104
read(61, "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n", 67) = 67

The deny mask should not be all zeroes. Looking at the dfa-states output of apparmor_parser confirms that it is parser bug:

$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{2} (0x 9fc27f/0/0/0)
{5} (0x 40030/0/0/0)

The deny masks output by apparmor_parser are all zeroes.