17 Apr
2009
17 Apr
'09
21:39
http://bugzilla.novell.com/show_bug.cgi?id=496204
Summary: genprof puts child profiles in enforce mode
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: Other
OS/Version: openSUSE 11.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm(a)novell.com
ReportedBy: suse-beta(a)cboltz.de
QAContact: qa(a)suse.de
Found By: Beta-Customer
genprof puts child profiles in enforce mode, even if genprof is still running
and watching the profiled application for events not yet covered by the
profile.
A how-to-reproduce will probably explain this best.
1. run aa-genprof ~cb/bin/eg
2. work with eg to cause some log events
3. switch over to genprof, "Scan system log..." to create an initial profile.
3a. choose to run /usr/lib/git/git-update-ref in a child profile
3b. allow all other events (chosen permissions not relevant for this bug)
3c. let genprof write the profile
3d. Keep genprof running.
4. continue to use eg
5. wonder why git-update-ref reports a "permission denied" error...
The reason for the problem is that the child profile is put into enforce mode.
This is how the profile looks _with genprof still running_:
# cat /etc/apparmor.d/home.cb.bin.eg
# Last Modified: Fri Apr 17 22:47:50 2009
#include <tunables/global>
/home/cb/bin/eg flags=(complain) { # complain mode - as expected
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
# [... several permissions ...]
/usr/lib/git/git-update-ref mrcx,
profile /usr/lib/git/git-update-ref { # enforce mode!
#include <abstractions/base>
owner /home/*/.gitconfig r,
/usr/lib/git/git-update-ref mr,
}
}
As you can clearly see, only the main profile is in complain mode.
The subprofile for git-update-ref is enforced - which is not the expected
behaviour as long as genprof is running for the main profile.
IMHO the complete profile, including all subprofiles, hats, whatever should be
in complain mode as long as genprof is running.
--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
11 Jan
11 Jan
22:49
New subject: [Bug 496204] genprof puts child profiles in enforce mode
https://bugzilla.novell.com/show_bug.cgi?id=496204
https://bugzilla.novell.com/show_bug.cgi?id=496204#c1
--- Comment #1 from Christian Boltz <suse-beta(a)cboltz.de> 2011-01-11 23:49:19 CET
---
FYI: This still happens on Factory with the AppArmor 2.5.1 package from
security:apparmor:factory installed.
Here's a reproducer that is much shorter (and easier to run) than in the
initial comment:
1. save the following tho lines as "mycat" and chmod +x the file
#!/bin/bash
cat "$1"
2. run aa-genprof mycat
3. run mycat some_file
4. switch to genprof, choose "child" for executing cat, allow everything else
5. save the profile in genprof, but let it running (do not choose "(F)inish")
5. run mycat other_file
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
24 Jan
24 Jan
14:47
New subject: [Bug 496204] genprof puts child profiles in enforce mode
https://bugzilla.novell.com/show_bug.cgi?id=496204
https://bugzilla.novell.com/show_bug.cgi?id=496204#c2
Jeff Mahoney <jeffm(a)novell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Component|AppArmor |AppArmor
Version|Final |Factory
Product|openSUSE 11.1 |openSUSE 11.4
Target Milestone|--- |Milestone 6 of 6
OS/Version|openSUSE 11.1 |SuSE Other
--- Comment #2 from Jeff Mahoney <jeffm(a)novell.com> 2011-01-24 14:47:32 UTC ---
Ok, thanks. I can reproduce this.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
19:17
New subject: [Bug 496204] genprof puts child profiles in enforce mode
https://bugzilla.novell.com/show_bug.cgi?id=496204
https://bugzilla.novell.com/show_bug.cgi?id=496204#c3
--- Comment #3 from Jeff Mahoney <jeffm(a)novell.com> 2011-01-24 19:17:25 UTC ---
Created an attachment (id=409891)
--> (http://bugzilla.novell.com/attachment.cgi?id=409891)
apparmor-utils: Inherit flags in sub-profiles when generating profiles
When creating profiles with cx subprofiles, genprof will set the
sub-profile in enforce mode. When genprof cycles multiple times, it
prohibits the sub-profile from working correctly.
e.g.
# Last Modified: Mon Jan 24 13:52:26 2011
#include <tunables/global>
/home/jeffm/mycat flags=(complain) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
/bin/bash ix,
/bin/cat cx,
/home/jeffm/mycat r,
profile /bin/cat {
#include <abstractions/base>
/bin/cat r,
/home/jeffm/mycat r,
}
}
This patch allows sub-profiles to inherit the flags from the parent
profile, which allows it to be created in complain mode (if appropriate).
The temporary complain flags are cleaned up at genprof completion as
expected.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
19:49
New subject: [Bug 496204] genprof puts child profiles in enforce mode
https://bugzilla.novell.com/show_bug.cgi?id=496204
https://bugzilla.novell.com/show_bug.cgi?id=496204#c4
--- Comment #4 from Jeff Mahoney <jeffm(a)novell.com> 2011-01-24 19:49:56 UTC ---
This is tracked upstream at https://bugs.launchpad.net/apparmor/+bug/707092.
Committed to security:apparmor:factory.
SR 59064
Closing as FIXED.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
15 Apr
15 Apr
09:35
New subject: [Bug 496204] genprof puts child profiles in enforce mode
http://bugzilla.novell.com/show_bug.cgi?id=496204
http://bugzilla.novell.com/show_bug.cgi?id=496204#c6
--- Comment #6 from Bernhard Wiedemann <bwiedemann(a)suse.com> ---
This is an autogenerated message for OBS integration:
This bug (496204) was mentioned in
https://build.opensuse.org/request/show/59064 Factory / apparmor
--
You are receiving this mail because:
You are on the CC list for the bug.
1981
days inactive
4536
days old
5 comments
1 participants
participants (1)
-
bugzilla_noreply@novell.com