profile name matching behaves unexpectedly

Bug #419308 reported by Jamie Strandboge on 2009-08-26
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
John Johansen

Bug Description

Karmic will be shipping an apparmor profile for firefox (bug #382917). This is a spec for the security team. Due to packaging constraints and maintenance, it must use matching for the profile name. Eg, with a profile name specified like this:
/usr/lib/firefox-3.5.*/firefox {
...

/usr/lib/firefox-3.5.2/firefox attaches and works (good).

However, this causes problems:
a) profile is attached from unconfined, but not from confined processes. This reduces the security of the already shipping AppArmor profile for evince, which allows transitions to firefox
b) it improperly matches the *files* /usr/lib/firefox-3.5.foo, /usr/lib/firefox-3.5.bar
c) '/usr/lib/** ux' is too greedy-- ie will match /usr/l if nothing else is available
d) '/usr/bin/** px' won't attach if the profiled is confined

These issues are a surprising side-effect of using matching in the profile name, and will cause bugs and problems when people modify the firefox profile or develop their own profiles using profile name matching.

Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → Medium
status: New → In Progress
description: updated
description: updated
Jamie Strandboge (jdstrand) wrote :

I haven't tested all of the various situations where this can occur, but the -9 kernel John made available today on chinstrap does not regress this behavior (ie firefox profile works properly).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.31-10.30

---------------
linux (2.6.31-10.30) karmic; urgency=low

  [ Amit Kucheria ]

  * [Config] Enable CONFIG_USB_DEVICEFS
    - LP: #417748
  * [Config] Populate the config-update template a bit more

  [ Andy Whitcroft ]

  * rebase to v2.6.31-rc9
  * [Config] update configs following rebase to v2.6.31-rc9
  * [Config] update ports configs following rebase to v2.6.31-rc9

  [ Colin Ian King ]

  * SAUCE: wireless: hostap, fix oops due to early probing interrupt
    - LP: #254837

  [ Jerone Young ]

  * [Upstream] ACPI: Add Thinkpad T400 & Thinkpad T500 to OSI(Linux)
    white-list
    - LP: #281732
  * [Upstream] ACPI: Add Thinkpad X200, X200s, X200t to OSI(Linux)
    white-list
    - LP: #281732
  * [Upstream] ACPI: Add Thinkpad X300 & Thinkpad X301 to OSI(Linux)
    white-list
    - LP: #281732
  * [Upstream] ACPI: Add Thinkpad R400 & Thinkpad R500 to OSI(Linux)
    white-list
    - LP: #281732
  * [Upstream] ACPI: Add Thinkpad W500, W700, & W700ds to OSI(Linux)
    white-list
    - LP: #281732

  [ John Johansen ]

  * SAUCE: AppArmor: Fix profile attachment for regexp based profile names
    - LP: #419308
  * SAUCE: AppArmor: Return the correct error codes on profile
    addition/removal
    - LP: #408473
  * SAUCE: AppArmor: Fix OOPS in profile listing, and display full list
    - LP: #408454
  * SAUCE: AppArmor: Fix mapping of pux to new internal permission format
    - LP: #419222
  * SAUCE: AppArmor: Fix change_profile failure
    - LP: #401931
  * SAUCE: AppArmor: Tell git to ignore generated include files
    - LP: #419505

  [ Stefan Bader ]

  * [Upstream] acpi: video: Loosen strictness of video bus detection code
    - LP: #333386
  * SAUCE: Remove ov511 driver from ubuntu subdirectory

  [ Tim Gardner ]

  * [Config] Exclude char-modules from non-x86 udeb creation
  * SAUCE: Notify the ACPI call chain of AC events
  * [Config] CONFIG_SATA_VIA=m
    - LP: #403385
  * [Config] Build in all phylib support modules.
  * [Config] Don't fail when sub-flavour files are missing
    - LP: #423426
  * [Config] Set CONFIG_LSM_MMAP_MIN_ADDR=0
    - LP: #423513

  [ Upstream ]

  * Rebased against v2.6.31-rc9

 -- Andy Whitcroft <email address hidden> Mon, 07 Sep 2009 11:33:45 +0100

Changed in linux (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers