Bug#679597: apparmor: AppArmor totally broken

2012-07-02 Thread John Johansen
On 07/01/2012 03:02 PM, intrigeri wrote:
 tags 679597 + patch
 thanks
 
 Hi,
 
 John Johansen wrote (30 Jun 2012 07:30:20 GMT) :
 Fix the parser so it checks for the presence of the network feature in the
 compatibility interface. Previously it was assuming that if the compatibility
 interface was present then network rules were also present; this is not
 necessarily true and causes apparmor to break when only the compatibility
 patch is applied.
 
 Thanks for this patch.
 
 It works fine for me with the current sid kernel
 (linux-image-3.2.0-3-amd64 3.2.21-3).
 
 However, on a kernel that has both the compat + network patches applied
 (that is, not the current sid kernel), installing the apparmor
 userspace tools with this patch applied results in reloading all
 profiles (I guess this is normal postinst operation), which triggers
 tons of such error messages:
 
   Warning from /etc/apparmor.d/usr.bin.evince
   (/etc/apparmor.d/usr.bin.evince line 148): profile sanitized_helper
   network rules not enforced
 
 And then, it seems like the applications covered by these profiles are
 denied access to the network entirely:
 
   type=1400 audit(1341176452.889:291): apparmor=DENIED
   operation=create parent=1 profile=/usr/sbin/ntpd pid=6748
   comm=ntpd family=inet sock_type=dgram protocol=0
 
 (I've not tried rebooting to see what happens, though.)
 
 So I'm not too sure the network feature detection was fixed entirely.
 
 But well, in any case, the patch fixes the actual, current bug,
 which is great!
 

Gah, yes I didn't test this patch in the case of a kernel without the
networking patch followed by a kernel with it.

What is happening is it is applying the check against both the kernel
and cached policy feature set, and turning off networking based on
what is stored in the cached policy. Which in turn causes it to generate
the new cache without networking support. The only way to fix this with
the original patch is to remove the cache and then regenerate it.
Sorry about that

The check just needs to be moved a little. The initial patch should be
reversed and the following patch should be applied. With the caveat that
I haven't had a chance to finish testing it yet.  Though I should have
that done in a few hours.


=== modified file 'parser/parser_main.c'
--- parser/parser_main.c2012-07-01 08:35:05 +
+++ parser/parser_main.c2012-07-02 07:49:14 +
@@ -1187,7 +1182,12 @@
write_cache = 0;
skip_read_cache = 1;
return;
-   }
+   } else if (strstr(flags_string, network))
+   kernel_supports_network = 1;
+   else
+   kernel_supports_network = 0;
+
+
 
/*
  * Deal with cache directory versioning:
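Review bot: the `} else if (strstr(flags_string, network))` arm mixes a braced `if` body with unbraced `else if`/`else` arms; put braces around both one-line arms so a later addition cannot silently fall outside the conditional. The two trailing `+` lines at the end of the hunk add nothing but blank lines and should be dropped. The header `@@ -1187,7 +1182,12 @@` also shows the new side sitting five lines earlier than the old, which matches the five lines the first patch added near line 873 being gone, but that removal hunk is not shown here, so the first patch must be reverted explicitly before this one is applied, as the message says.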






-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#679597: apparmor: AppArmor totally broken

2012-07-02 Thread intrigeri
John Johansen wrote (02 Jul 2012 07:56:34 GMT) :
 The check just needs to be moved a little. The initial patch should be
 reversed and the following patch should be applied. With the caveat that
 I haven't had a chance to finish testing it yet.  Though I should have
 that done in a few hours.

I've tested the new (second) patch on both these two kernels (current
sid kernel and a bit older one with the network control patch
applied), and did not experience any weird behaviour this time.






Bug#679597: apparmor: AppArmor totally broken

2012-07-01 Thread intrigeri
tags 679597 + patch
thanks

Hi,

John Johansen wrote (30 Jun 2012 07:30:20 GMT) :
 Fix the parser so it checks for the presence of the network feature in the
 compatibility interface. Previously it was assuming that if the compatibility
 interface was present then network rules were also present; this is not
 necessarily true and causes apparmor to break when only the compatibility
 patch is applied.

Thanks for this patch.

It works fine for me with the current sid kernel
(linux-image-3.2.0-3-amd64 3.2.21-3).

However, on a kernel that has both the compat + network patches applied
(that is, not the current sid kernel), installing the apparmor
userspace tools with this patch applied results in reloading all
profiles (I guess this is normal postinst operation), which triggers
tons of such error messages:

  Warning from /etc/apparmor.d/usr.bin.evince
  (/etc/apparmor.d/usr.bin.evince line 148): profile sanitized_helper
  network rules not enforced

And then, it seems like the applications covered by these profiles are
denied access to the network entirely:

  type=1400 audit(1341176452.889:291): apparmor=DENIED
  operation=create parent=1 profile=/usr/sbin/ntpd pid=6748
  comm=ntpd family=inet sock_type=dgram protocol=0

(I've not tried rebooting to see what happens, though.)

So I'm not too sure the network feature detection was fixed entirely.

But well, in any case, the patch fixes the actual, current bug,
which is great!






Bug#679597: apparmor: AppArmor totally broken

2012-06-30 Thread John Johansen
On 06/29/2012 07:54 PM, intrig...@debian.org wrote:
 Package: apparmor
 Version: 2.7.103-3
 Severity: grave
 X-Debbugs-CC: john.johan...@canonical.com, k...@debian.org, mi...@riseup.net
 
 Hi,
 
 (following-up on #676515)
 
 John Johansen wrote (26 Jun 2012 17:48:38 GMT) :
 Okay, there are 4 kernel patches, not all of them are needed depending on
 whether the network patch is applied or not.
 
 If you don't want to apply the networking patch
   0001-apparmor-remove-advertising-the-support-of-network-r.patch
 
   Stops the kernel interface from incorrectly advertising that it
   supports network rules. A further patch (not attached) to
   userspace will also have to be applied
 
 Thanks, John, for your work on this.
 
 For those who did not follow the entire saga, this patch was applied
 in the linux 3.2.21-3 source package, to complement the incomplete
 AppArmor compatibility patch, so Debian bug #676515 was closed,
 as the kernel side is now sorted out. So far, so good.
 
 However, as expected, this is not enough to make AppArmor usable, so
 the current state in current sid is still a regression compared to
 when the compatibility patch was not applied to the kernel: it used to
 be bad, but relatively usable, and it's now totally unusable.
 
 This bug is here to track the additional patch against userspace,
 that John mentioned was needed, which is confirmed by my experience.
 
 

Sorry I meant to have attached this patch already as a separate comment
when I posted the kernel patches.

---

Fix the parser so it checks for the presence of the network feature in the
compatibility interface. Previously it was assuming that if the compatibility
interface was present then network rules were also present; this is not
necessarily true and causes apparmor to break when only the compatibility
patch is applied.

Signed-off-by: John Johansen john.johan...@canonical.com

=== modified file 'parser/parser_main.c'
--- parser/parser_main.c2012-04-11 23:03:21 +
+++ parser/parser_main.c2012-06-30 06:31:05 +
@@ -873,6 +873,11 @@
 //fprintf(stderr, flags string: %s\n, flags_string);
 //fprintf(stderr, changehat %d\n, flag_changehat_version);
}
+   if (strstr(flags_string, network))
+   kernel_supports_network = 1;
+   else
+   kernel_supports_network = 0;
+
return;
 
 fail:
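Review bot: the kernel_supports_network assignment added at the end of this hunk runs unconditionally whenever this flags-parsing path completes, and per the follow-up in this thread that path is taken for both the kernel's feature string and the feature set stored with the cached policy, so a cache written on a kernel without network rules clears the flag on a later kernel that does support them and the cache is then regenerated without networking. Derive kernel_supports_network only from the kernel-provided flags_string, before any cache comparison, rather than at this point. Also, the second argument to strstr() reads `network` here without quotes; as shown that would require a variable of that name, so confirm the intended string literal `"network"` is what the applied patch carries.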






Bug#679597: apparmor: AppArmor totally broken

2012-06-29 Thread intrigeri
Package: apparmor
Version: 2.7.103-3
Severity: grave
X-Debbugs-CC: john.johan...@canonical.com, k...@debian.org, mi...@riseup.net

Hi,

(following-up on #676515)

John Johansen wrote (26 Jun 2012 17:48:38 GMT) :
 Okay, there are 4 kernel patches, not all of them are needed depending on
 whether the network patch is applied or not.

 If you don't want to apply the networking patch
   0001-apparmor-remove-advertising-the-support-of-network-r.patch

   Stops the kernel interface from incorrectly advertising that it
   supports network rules. A further patch (not attached) to
   userspace will also have to be applied

Thanks, John, for your work on this.

For those who did not follow the entire saga, this patch was applied
in the linux 3.2.21-3 source package, to complement the incomplete
AppArmor compatibility patch, so Debian bug #676515 was closed,
as the kernel side is now sorted out. So far, so good.

However, as expected, this is not enough to make AppArmor usable, so
the current state in current sid is still a regression compared to
when the compatibility patch was not applied to the kernel: it used to
be bad, but relatively usable, and it's now totally unusable.

This bug is here to track the additional patch against userspace,
that John mentioned was needed, which is confirmed by my experience.


