Okay, I have checked through the code, and we are lucky in that currently this is only being used to validate that conversions of secids into secctxs are only being done with the correct view.
The smallest patch is a simple character substitution and is below. Other options are completely deleting the portions of the code dependent on the ABS_ROOT flag or, even better, wrapping it in a debug conditional. For pushing something up for -rc6 I would like to keep the change as minimal as possible.

commit 239993ebc9ab94a6ec53bc8323adf92c1cd6b08d
Author: John Johansen <[email protected]>
Date:   Tue Dec 14 02:59:28 2021 -0800

    apparmor: fix absroot causing audited secids to begin with =

    AppArmor is prefixing secids that are converted to secctx with the =
    to indicate the secctx should only be parsed from an absolute root
    POV. This allows catching errors where secctx are reparsed back into
    internal labels.

    Unfortunately, because audit is using secid to secctx conversion, this
    means that subject and object labels can result in a very unfortunate
    == that can break audit parsing. e.g. the subj==unconfined term in the
    below audit message

    type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000 ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'

    Fix this by switching the prepending of = to a _. This still works as
    a special character to flag this case without breaking audit.

    Fixes: 26b7899510ae ("apparmor: add support for absolute root view based labels")
    Signed-off-by: John Johansen <[email protected]>

diff --git a/security/apparmor/label.c b/security/apparmor/label.c index 0b0265da1926..592c7bf25624 100644 --- a/security/apparmor/label.c +++ b/security/apparmor/label.c @@ -1633,7 +1633,7 @@ int aa_label_snxprint(char *str, size_t size, struct aa_ns *ns, if (flags & FLAG_ABS_ROOT) { ns = root_ns; - len = snprintf(str, size, "="); + len = snprintf(str, size, "_"); update_for_len(total, len, size, str); } else if (!ns) { ns = labels_ns(label);
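Review bot: the root-view marker is a bare `"_"` literal in this `snprintf(str, size, "_");` and a separate `'_'` literal in the matching check in `aa_label_strn_parse`, with nothing in the code tying the print side to the parse side; this patch is itself the second time that character has been chosen, so a single shared constant (for example a hypothetical `#define AA_ABS_ROOT_MARK '_'` in the label header) used by both sites would keep them from drifting apart on the next change. A one-line comment above the `snprintf` saying that the prefix is a marker meaning "parse only from the root namespace view" would also help, since with `_` in place of `=` nothing at this site visually signals that the character is special rather than part of the label text.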
@@ -1895,7 +1895,7 @@ struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str, AA_BUG(!str); str = skipn_spaces(str, n); - if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label)) + if (str == NULL || (*str == '_' && base != &root_ns->unconfined->label)) return ERR_PTR(-EINVAL); len = label_count_strn_entries(str, end - str); -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
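Review bot: with the marker changed to `_`, this check now returns `-EINVAL` for any label string whose first character is `_` whenever `base` is not `&root_ns->unconfined->label`, and unlike `=` the underscore is an ordinary character that can legitimately begin a profile name, so a label such as `_foo` parsed relative to a non-root base becomes indistinguishable from a root-view-prefixed secctx and is rejected. If that limitation is acceptable for a minimal -rc6 fix it should be stated in the commit message (which currently only says `_` "still works as a special character"); otherwise the marker should be a character that cannot start a profile name, or the parse side should only treat a leading `_` as the marker when the caller has indicated the string came from a secctx conversion.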
