2017-11-21 21:31:24 |
Felix Eckhofer |
bug |
|
|
added bug |
2017-11-21 22:28:14 |
Jamie Strandboge |
snapd (Ubuntu): status |
New |
Triaged |
|
2017-11-21 22:28:14 |
Jamie Strandboge |
snapd (Ubuntu): assignee |
|
Zygmunt Krynicki (zyga) |
|
2017-11-30 15:45:25 |
Oliver Sauder |
bug |
|
|
added subscriber Oliver Sauder |
2017-11-30 17:24:06 |
Jamie Strandboge |
affects |
snapd (Ubuntu) |
apparmor (Ubuntu) |
|
2017-11-30 17:24:06 |
Jamie Strandboge |
apparmor (Ubuntu): assignee |
Zygmunt Krynicki (zyga) |
Jamie Strandboge (jdstrand) |
|
2017-11-30 17:57:34 |
Jamie Strandboge |
summary |
aa-enforce fails due to syntax error in snapd.snap-confine profile |
apparmor python tools do not understand 'include' rules |
|
2017-11-30 17:57:34 |
Jamie Strandboge |
description |
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
|
2017-11-30 17:57:45 |
Jamie Strandboge |
bug task added |
|
apparmor |
|
2017-11-30 17:57:55 |
Jamie Strandboge |
apparmor (Ubuntu): assignee |
Jamie Strandboge (jdstrand) |
|
|
2017-11-30 17:58:06 |
Jamie Strandboge |
apparmor: status |
New |
Triaged |
|
2017-11-30 17:59:17 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Bionic |
|
2017-11-30 17:59:17 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Bionic) |
|
2017-11-30 17:59:17 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Trusty |
|
2017-11-30 17:59:17 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Trusty) |
|
2017-11-30 17:59:17 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Artful |
|
2017-11-30 17:59:17 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Artful) |
|
2017-11-30 17:59:17 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Xenial |
|
2017-11-30 17:59:17 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Xenial) |
|
2017-11-30 17:59:17 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Zesty |
|
2017-11-30 17:59:17 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Zesty) |
|
2017-11-30 17:59:38 |
Jamie Strandboge |
apparmor (Ubuntu Bionic): status |
Triaged |
New |
|
2017-11-30 18:11:11 |
Tyler Hicks |
bug |
|
|
added subscriber Tyler Hicks |
2017-12-18 19:29:29 |
Jamie Strandboge |
apparmor: assignee |
|
Jamie Strandboge (jdstrand) |
|
2017-12-18 19:29:33 |
Jamie Strandboge |
apparmor: status |
Triaged |
In Progress |
|
2017-12-18 22:09:54 |
Jamie Strandboge |
summary |
apparmor python tools do not understand 'include' rules |
python tools do not understand 'non-magic' include rules |
|
2017-12-18 22:10:02 |
Jamie Strandboge |
apparmor (Ubuntu Trusty): status |
New |
Triaged |
|
2017-12-18 22:10:05 |
Jamie Strandboge |
apparmor (Ubuntu Xenial): status |
New |
Triaged |
|
2017-12-18 22:10:07 |
Jamie Strandboge |
apparmor (Ubuntu Zesty): status |
New |
Triaged |
|
2017-12-18 22:10:09 |
Jamie Strandboge |
apparmor (Ubuntu Artful): status |
New |
Triaged |
|
2017-12-18 22:10:11 |
Jamie Strandboge |
apparmor (Ubuntu Bionic): status |
New |
Triaged |
|
2017-12-18 22:23:54 |
Jamie Strandboge |
description |
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
Reproducer:
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700Note that the pr
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
|
2017-12-18 22:24:21 |
Jamie Strandboge |
description |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
Reproducer:
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700Note that the pr
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
Reproducer:
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700.
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
|
2017-12-20 23:30:10 |
Jamie Strandboge |
description |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
Reproducer:
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700.
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
= test case #1 (aa-enforce) =
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.
# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
... don't exercise the application any so we just have the default profile ...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
}
= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.
Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0
Create mark entry in syslog:
$ logger mark-lp1733700
Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$
Adjust /etc/apparmor.d/tmp.lp1733700 to add:
#include "/tmp/test1"
include "/tmp/test2"
Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$
Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Profile: /tmp/lp1733700
Execute: /usr/bin/uptime
Severity: unknown
(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$
Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test1"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test2"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/bin/cat ixr,
}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$
Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/cat rix,
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
|
2018-01-04 19:40:40 |
Jamie Strandboge |
apparmor: status |
In Progress |
Fix Released |
|
2018-01-04 19:41:01 |
Jamie Strandboge |
apparmor (Ubuntu Bionic): status |
Triaged |
In Progress |
|
2018-01-04 19:41:01 |
Jamie Strandboge |
apparmor (Ubuntu Bionic): assignee |
|
Jamie Strandboge (jdstrand) |
|
2018-01-04 22:36:23 |
Jamie Strandboge |
apparmor (Ubuntu Trusty): assignee |
|
Jamie Strandboge (jdstrand) |
|
2018-01-04 22:36:32 |
Jamie Strandboge |
apparmor (Ubuntu Xenial): assignee |
|
Jamie Strandboge (jdstrand) |
|
2018-01-04 22:36:41 |
Jamie Strandboge |
apparmor (Ubuntu Zesty): assignee |
|
Jamie Strandboge (jdstrand) |
|
2018-01-04 22:36:49 |
Jamie Strandboge |
apparmor (Ubuntu Artful): assignee |
|
Jamie Strandboge (jdstrand) |
|
2018-01-04 22:47:09 |
Jamie Strandboge |
description |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
= test case #1 (aa-enforce) =
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.
# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
... don't exercise the application any so we just have the default profile ...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
}
= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.
Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0
Create mark entry in syslog:
$ logger mark-lp1733700
Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$
Adjust /etc/apparmor.d/tmp.lp1733700 to add:
#include "/tmp/test1"
include "/tmp/test2"
Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$
Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Profile: /tmp/lp1733700
Execute: /usr/bin/uptime
Severity: unknown
(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$
Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test1"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test2"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/bin/cat ixr,
}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$
Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/cat rix,
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # not required with 2.12
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt pyflakes pyflakes3
$ apt-get source apparmor
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ ../parser
$ make
$ cd ../utils
$ make
$ make check
= test case #1 (aa-enforce) =
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.
# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
... don't exercise the application any so we just have the default profile ...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
}
= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.
Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0
Create mark entry in syslog:
$ logger mark-lp1733700
Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$
Adjust /etc/apparmor.d/tmp.lp1733700 to add:
#include "/tmp/test1"
include "/tmp/test2"
Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$
Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Profile: /tmp/lp1733700
Execute: /usr/bin/uptime
Severity: unknown
(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$
Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test1"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test2"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/bin/cat ixr,
}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$
Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/cat rix,
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
|
2018-01-04 22:49:16 |
Jamie Strandboge |
description |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # not required with 2.12
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt pyflakes pyflakes3
$ apt-get source apparmor
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ ../parser
$ make
$ cd ../utils
$ make
$ make check
= test case #1 (aa-enforce) =
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.
# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
... don't exercise the application any so we just have the default profile ...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
}
= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.
Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0
Create mark entry in syslog:
$ logger mark-lp1733700
Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$
Adjust /etc/apparmor.d/tmp.lp1733700 to add:
#include "/tmp/test1"
include "/tmp/test2"
Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$
Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Profile: /tmp/lp1733700
Execute: /usr/bin/uptime
Severity: unknown
(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$
Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test1"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test2"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/bin/cat ixr,
}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$
Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/cat rix,
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # not required with 2.12
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt pyflakes pyflakes3
$ apt-get source apparmor
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ ../parser
$ make
$ cd ../utils
$ make
$ make check
= test case #1 (aa-enforce) =
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
$ chmod 755 /tmp/lp1733700
# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.
# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
... don't exercise the application any so we just have the default profile ...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
}
= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.
Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0
Create mark entry in syslog:
$ logger mark-lp1733700
Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$
Adjust /etc/apparmor.d/tmp.lp1733700 to add:
#include "/tmp/test1"
include "/tmp/test2"
Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$
Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Profile: /tmp/lp1733700
Execute: /usr/bin/uptime
Severity: unknown
(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$
Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test1"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test2"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/bin/cat ixr,
}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$
Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/cat rix,
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
|
2018-01-05 21:36:33 |
Jamie Strandboge |
description |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # not required with 2.12
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt pyflakes pyflakes3
$ apt-get source apparmor
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ ../parser
$ make
$ cd ../utils
$ make
$ make check
= test case #1 (aa-enforce) =
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
$ chmod 755 /tmp/lp1733700
# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.
# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
... don't exercise the application any so we just have the default profile ...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
}
= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.
Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0
Create mark entry in syslog:
$ logger mark-lp1733700
Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$
Adjust /etc/apparmor.d/tmp.lp1733700 to add:
#include "/tmp/test1"
include "/tmp/test2"
Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$
Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Profile: /tmp/lp1733700
Execute: /usr/bin/uptime
Severity: unknown
(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$
Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test1"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test2"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/bin/cat ixr,
}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$
Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/cat rix,
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # from proposed
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt pyflakes pyflakes3 # pyflakes3 on xenial and higher
$ apt-get source apparmor # from proposed
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ ../parser
$ make
$ cd ../utils
$ make
$ make check
= test case #1 (aa-enforce) =
This assumes test case #0 has been performed.
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
$ chmod 755 /tmp/lp1733700
# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.
# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
... don't exercise the application any so we just have the default profile ...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
}
= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.
Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0
Create mark entry in syslog:
$ logger mark-lp1733700
Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$
Adjust /etc/apparmor.d/tmp.lp1733700 to add:
#include "/tmp/test1"
include "/tmp/test2"
Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$
Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Profile: /tmp/lp1733700
Execute: /usr/bin/uptime
Severity: unknown
(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$
Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test1"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test2"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/bin/cat ixr,
}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$
Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/cat rix,
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
|
2018-01-05 21:43:55 |
Jamie Strandboge |
description |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # from proposed
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt pyflakes pyflakes3 # pyflakes3 on xenial and higher
$ apt-get source apparmor # from proposed
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ ../parser
$ make
$ cd ../utils
$ make
$ make check
= test case #1 (aa-enforce) =
This assumes test case #0 has been performed.
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
$ chmod 755 /tmp/lp1733700
# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.
# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
... don't exercise the application any so we just have the default profile ...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
}
= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.
Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0
Create mark entry in syslog:
$ logger mark-lp1733700
Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$
Adjust /etc/apparmor.d/tmp.lp1733700 to add:
#include "/tmp/test1"
include "/tmp/test2"
Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$
Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Profile: /tmp/lp1733700
Execute: /usr/bin/uptime
Severity: unknown
(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$
Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test1"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test2"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/bin/cat ixr,
}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$
Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/cat rix,
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so called 'magic' '<>' file locations.
= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # from proposed
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt realpath pyflakes pyflakes3 # pyflakes3 on xenial and higher
$ apt-get source apparmor # from proposed
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ ../parser
$ make
$ cd ../utils
$ make
$ make check
= test case #1 (aa-enforce) =
This assumes test case #0 has been performed.
$ mkdir /tmp/test1 /tmp/test2
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
#include "/tmp/test1"
include "/tmp/test2"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails
= test case #2 (aa-genprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"
$ chmod 755 /tmp/lp1733700
# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.
# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
... don't exercise the application any so we just have the default profile ...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
}
= test case #3 (aa-logprof) =
This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.
This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.
Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0
Create mark entry in syslog:
$ logger mark-lp1733700
Try running logprof with no new denials:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$
Adjust /etc/apparmor.d/tmp.lp1733700 to add:
#include "/tmp/test1"
include "/tmp/test2"
Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700
Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$
Try running logprof:
$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Profile: /tmp/lp1733700
Execute: /usr/bin/uptime
Severity: unknown
(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
[1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>
Writing updated profile for /tmp/lp1733700.
$
Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):
$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
= test case #4 (aa-mergeprof) =
$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old
$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test1"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>
/tmp/lp1733700 {
#include <abstractions/base>
#include <abstractions/bash>
#include "/tmp/test2"
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/bin/cat ixr,
}
$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
[1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
[1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?
[1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$
Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>
/tmp/lp1733700 {
#include "/tmp/test1"
#include "/tmp/test2"
#include <abstractions/base>
#include <abstractions/bash>
/bin/cat rix,
/bin/dash ix,
/lib/x86_64-linux-gnu/ld-*.so mr,
/tmp/lp1733700 r,
/usr/bin/uptime mrix,
}
Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.
= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).
Reproducer:
$ mkdir /tmp/test
$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
include "/tmp/test"
}
$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok
$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700
Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.
At least aa-logprof is also affected.
= Original report =
On Ubuntu artful, I'm seeing the following behavior:
$ aa-enforce usr.bin.chromium-browser
ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10. |
|
2018-01-05 23:14:43 |
Jamie Strandboge |
apparmor (Ubuntu Artful): status |
Triaged |
In Progress |
|
2018-01-05 23:14:48 |
Jamie Strandboge |
apparmor (Ubuntu Xenial): status |
Triaged |
In Progress |
|
2018-01-05 23:14:51 |
Jamie Strandboge |
apparmor (Ubuntu Trusty): status |
Triaged |
In Progress |
|
2018-02-15 21:11:18 |
Jamie Strandboge |
apparmor (Ubuntu Zesty): status |
Triaged |
Won't Fix |
|
2018-02-15 21:14:47 |
Jamie Strandboge |
apparmor (Ubuntu Trusty): status |
In Progress |
Won't Fix |
|
2018-02-15 21:14:50 |
Jamie Strandboge |
apparmor (Ubuntu Xenial): status |
In Progress |
Won't Fix |
|
2018-02-15 21:14:53 |
Jamie Strandboge |
apparmor (Ubuntu Artful): status |
In Progress |
Won't Fix |
|
2018-02-15 21:15:02 |
Jamie Strandboge |
apparmor (Ubuntu Bionic): status |
In Progress |
Triaged |
|
2018-02-15 21:15:08 |
Jamie Strandboge |
apparmor (Ubuntu Bionic): assignee |
Jamie Strandboge (jdstrand) |
|
|
2018-03-20 20:29:24 |
Launchpad Janitor |
apparmor (Ubuntu Bionic): status |
Triaged |
Fix Released |
|