exec transitions to profiles with '.' in name don't work

Bug #1609885 reported by Jamie Strandboge
This bug affects 1 person

Affects            Status         Importance   Assigned to   Milestone
AppArmor           New            Undecided    Unassigned
linux (Ubuntu)     Incomplete     Undecided    Unassigned
  Xenial           Fix Committed  Undecided    Unassigned
  Yakkety          Won't Fix      Undecided    Unassigned

Bug Description

If a child profile has '.' in the name, then the parser fails to compile the policy:
$ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found unexpected character: '.'

If a child profile with '.' in the name is put in a variable, the parser compiles the policy but the exec transition fails:
$ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
/tmp/with.dots: 3: /tmp/with.dots: cat: Permission denied

The denial is:
apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="test" name="/bin/cat" pid=18219 comm="with.dots" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

$ cat /tmp/test.sh
#!/bin/sh
cat /proc/version

$ cat /tmp/profile
#include <tunables/global>

@{TARGET_PROFILE}="with.dots"

profile test {
  #include <abstractions/base>
  #include <abstractions/bash>

  /tmp/test.sh r,

  # parser error:
  # AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found
  # unexpected character: '.'
  /{,usr/}bin/cat cx -> with.dots,

  # fail to transition:
  # apparmor="DENIED" operation="exec" info="profile transition not found"
  # error=-13 profile="test" name="/bin/cat" pid=18105 comm="with.dots"
  # requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
  #/{,usr/}bin/cat cx -> @{TARGET_PROFILE},

  # ok
  #/{,usr/}bin/cat cx -> no_dots,

  profile with.dots {
    #include <abstractions/base>
    @{PROC}/version r,
    /{,usr/}bin/cat r,
  }

  profile no_dots {
    #include <abstractions/base>
    @{PROC}/version r,
    /{,usr/}bin/cat r,
  }
}

Tags: aa-parser
Jamie Strandboge (jdstrand) wrote:

Note, this came about from trying to do policy like this:

profile snap.foo.bar {
  @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/baz cx -> baz,

  profile baz {
    @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/bar cx -> snap.foo.bar,
  }
}

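Added example, not part of the bug report or of AppArmor's own tooling: a small policy linter that catches both failure modes from the report (and the snap profile in the comment above) before the policy reaches apparmor_parser or the kernel. It collects @{VAR} definitions from the profile text, finds every px/cx-family rule with a "-> target", expands variables in the target, and flags any target whose expanded name contains '.', labelling it "literal" when the '.' is written in the rule (the case the parser rejects in the report) or "variable" when it only appears after expansion (the case that compiles but is denied with "profile transition not found"). Assumptions: SAMPLE_PROFILE is a constructed copy of the reporter's profile with all three transition lines enabled; only variables defined in the file are resolved (files pulled in by #include such as tunables/global are not read, so @{PROC} would be reported as unresolved if it were used in a target); values may be quoted or space-separated, with '=' and '+=' supported.

```python
import re
from itertools import product

# Constructed sample input: the reporter's profile with the commented-out
# transition lines enabled so each case appears once. Not an exact copy.
SAMPLE_PROFILE = """\
#include <tunables/global>

@{TARGET_PROFILE}="with.dots"

profile test {
  #include <abstractions/base>
  /tmp/test.sh r,
  /{,usr/}bin/cat cx -> with.dots,
  /{,usr/}bin/cat cx -> @{TARGET_PROFILE},
  /{,usr/}bin/cat cx -> no_dots,

  profile with.dots {
    @{PROC}/version r,
  }
  profile no_dots {
    @{PROC}/version r,
  }
}
"""

# @{NAME}=value or @{NAME}+=value; values may be quoted and space-separated
VAR_DEF = re.compile(r'^\s*@\{(\w+)\}\s*(\+?=)\s*(.*?)\s*$')
VAR_REF = re.compile(r'@\{(\w+)\}')
# px/cx family (case variants, optional i/u/U fallback) followed by "-> target,"
TRANSITION = re.compile(r'\b([PpCc][iuU]?x)\s*->\s*([^\s,]+)\s*,')


def parse_variables(text):
    """Collect @{NAME} definitions from profile text. A variable holds a list
    of alternatives; '+=' appends to an existing list."""
    variables = {}
    for line in text.splitlines():
        m = VAR_DEF.match(line)
        if not m:
            continue
        name, op, raw = m.groups()
        values = [v.strip('"') for v in raw.split()]
        if op == '+=':
            variables.setdefault(name, []).extend(values)
        else:
            variables[name] = values
    return variables


def expand(target, variables):
    """Return every concrete string a transition target can expand to.
    Unknown variables are left in place so the caller can report them."""
    names = VAR_REF.findall(target)
    known = [n for n in names if n in variables]
    results = set()
    for combo in product(*(variables[n] for n in known)):
        s = target
        for n, v in zip(known, combo):
            s = s.replace('@{%s}' % n, v)
        results.add(s)
    return sorted(results)


def lint_transitions(text):
    """Return (lineno, mode, target_as_written, expanded_name, kind) for every
    px/cx transition whose expanded target contains '.', plus 'unresolved'
    entries for targets that still reference an undefined variable."""
    variables = parse_variables(text)
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for mode, target in TRANSITION.findall(line):
            if '.' in target:  # '.' typed in the rule itself
                findings.append((lineno, mode, target, target, 'literal'))
                continue
            for name in expand(target, variables):
                if VAR_REF.search(name):
                    findings.append((lineno, mode, target, name, 'unresolved'))
                elif '.' in name:
                    findings.append((lineno, mode, target, name, 'variable'))
    return findings


if __name__ == '__main__':
    for lineno, mode, target, name, kind in lint_transitions(SAMPLE_PROFILE):
        print('line %d: %s -> %s expands to %r (%s)' % (lineno, mode, target, name, kind))
```

Run against the sample it reports line 8 as "literal" and line 9 as "variable", and stays silent on the no_dots transition; the snap fragment in the comment above would be reported as "literal" for the cx -> snap.foo.bar rule.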
Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
Brad Figg (brad-figg) wrote: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1609885

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Christian Boltz (cboltz)
tags: added: aa-parser
Andy Whitcroft (apw) wrote: Closing unsupported series nomination.

This bug was nominated against a series that is no longer supported, i.e. yakkety. The bug task representing the yakkety nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu Yakkety):
status: Incomplete → Won't Fix