[Kernel-packages] [Bug 1734038] Re: Potential regression found with apparmor test on Xenial/Zesty

2017-11-24 Thread Christian Boltz
> There is also a python parser (in aa.py) which only seems to understand the 
> 'include ' 
> syntax and it is this which throws errors when running the utility commands.

Exactly, that's the cause of this bug. I'll change the title to make it
obvious.

Interestingly, it has been this way for years (I checked 2.9, but it
probably also affects even older versions) without someone noticing it.
Therefore this bug doesn't qualify as regression IMHO ;-)

** Summary changed:

- Potential regression found with apparmor test on Xenial/Zesty
+ utils don't understand «include "/where/ever"» (was: Potential regression 
found with apparmor test on Xenial/Zesty)

** Also affects: apparmor
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1734038

Title:
  utils don't understand «include "/where/ever"» (was: Potential
  regression found with apparmor test on Xenial/Zesty)

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed
Status in snapd package in Ubuntu:
  Invalid

Bug description:
  Issue found with Xenial kernel 4.4.0-102 and Zesty kernel 4.10.0-41,
  across different architectures

  Multiple tests from the ubuntu_qrt_apparmor test suite failed with the same error message:
  ERROR: Syntax Error: Unknown line found in file 
/etc/apparmor.d/usr.lib.snapd.snap-confine.real line 15:
  include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,

  (BTW the include and this ld.so.cache are not on the same line, please
  refer to comment #3 for the attachment)

  This issue goes away if you downgrade the snapd and ubuntu-core-launcher
  packages:
  sudo apt-get install snapd=2.28.5 ubuntu-core-launcher=2.28.5

  Debug information:
  ubuntu@kernel01:~$ snap version
  snap    2.29.3
  snapd   2.29.3
  series  16
  ubuntu  16.04
  kernel  4.4.0-102-generic

  ubuntu@kernel01:~$ apt list snapd
  Listing... Done
  snapd/xenial-proposed,now 2.29.3 s390x [installed]
  N: There are 2 additional versions. Please use the '-a' switch to see them.

  ubuntu@kernel01:~$ apt list apparmor -a
  Listing... Done
  apparmor/xenial-updates,now 2.10.95-0ubuntu2.7 s390x [installed]
  apparmor/xenial-security 2.10.95-0ubuntu2.6 s390x
  apparmor/xenial 2.10.95-0ubuntu2 s390x

  Steps to run the Apparmor test from QA Regression testing suite:
1. git clone --depth 1 https://git.launchpad.net/qa-regression-testing
2. sudo ./qa-regression-testing/scripts/test-apparmor.py

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: linux-image-4.4.0-102-generic 4.4.0-102.125
  ProcVersionSignature: Ubuntu 4.4.0-102.125-generic 4.4.98
  Uname: Linux 4.4.0-102-generic s390x
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  AlsaDevices: Error: command ['ls', '-l', '/dev/snd/'] failed with exit code 
2: ls: cannot access '/dev/snd/': No such file or directory
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
  ApportVersion: 2.20.1-0ubuntu2.13
  Architecture: s390x
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
  CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 
not found.
  CurrentDmesg:

  Date: Thu Nov 23 01:36:31 2017
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
  Lspci:

  Lsusb: Error: command ['lsusb'] failed with exit code 1:
  PciMultimedia:

  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=C
   SHELL=/bin/bash
  ProcFB: Error: [Errno 2] No such file or directory: '/proc/fb'
  ProcKernelCmdLine: root=UUID=44b0b919-a1a4-4849-9425-e71d4ac87d85 
crashkernel=196M BOOT_IMAGE=0
  RelatedPackageVersions:
   linux-restricted-modules-4.4.0-102-generic N/A
   linux-backports-modules-4.4.0-102-generic  N/A
   linux-firmware 1.157.13
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1734038/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
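As an added example, not part of the bug report and not aa.py's own code: a small Python include-line matcher that models the failure confirmed above. A matcher that only knows the angle-bracket form reports the quoted form used in the snap-confine profile as an unknown line, while one that accepts both forms classifies it as an include. The profile text below is constructed, modelled on the fragment quoted in the report, and the regexes are my own rather than the utils' actual parsing code.

```python
import re

# Include forms apparmor_parser accepts (see apparmor.d(5)):
#   #include <abstractions/base>      angle brackets, looked up in the include dir
#   include <abstractions/base>       same form, the leading '#' is optional
#   include "/var/lib/snapd/apparmor/snap-confine.d"   quoted path (the report's case)
#
# A matcher that understands only the angle-bracket form. It models the
# behaviour the bug describes for the utils; it is not aa.py's regex.
RE_INCLUDE_ANGLE_ONLY = re.compile(r'^\s*#?include\s*<([^>]+)>\s*(?:#.*)?$')

# A matcher that understands both forms.
RE_INCLUDE = re.compile(
    r'^\s*#?include\s*(?:<(?P<angle>[^>]+)>|"(?P<quoted>[^"]+)")\s*(?:#.*)?$'
)


def parse_include(line, angle_only=False):
    """Return (path, form) for an include line, or None when the chosen
    matcher does not recognise the line. form is 'angle' or 'quoted'."""
    if angle_only:
        m = RE_INCLUDE_ANGLE_ONLY.match(line)
        return (m.group(1), 'angle') if m else None
    m = RE_INCLUDE.match(line)
    if not m:
        return None
    if m.group('angle') is not None:
        return (m.group('angle'), 'angle')
    return (m.group('quoted'), 'quoted')


def resolve(path, form, include_dir='/etc/apparmor.d'):
    """Map an include to the file or directory the parser reads.
    Angle-bracket includes are relative to the parser's include directory;
    quoted includes are taken literally (the report's case is an absolute
    directory path, and a directory include pulls in every file inside it)."""
    if form == 'angle' and not path.startswith('/'):
        return include_dir + '/' + path
    return path


def scan_profile(lines, angle_only=False):
    """Classify profile lines the way a utility that loads profiles must.

    Returns (includes, rules, unknown): includes holds (lineno, path, form),
    rules holds (lineno, text) for rule and block lines, and unknown holds
    (lineno, text) for lines the include matcher did not understand; a real
    tool would raise 'Unknown line found' for each of those.
    """
    includes, rules, unknown = [], [], []
    for lineno, raw in enumerate(lines, 1):
        text = raw.strip()
        if not text:
            continue
        inc = parse_include(text, angle_only=angle_only)
        if inc:
            includes.append((lineno, inc[0], inc[1]))
            continue
        # A '#' not followed by 'include' starts a comment.
        if text.startswith('#') and not text.startswith('#include'):
            continue
        # Rules end with ','; block lines end with '{' or are a bare '}'.
        if text.endswith(',') or text.endswith('{') or text == '}':
            rules.append((lineno, text))
            continue
        unknown.append((lineno, text))
    return includes, rules, unknown


# Constructed profile body modelled on the snap-confine fragment quoted in
# the report (not the real /etc/apparmor.d/usr.lib.snapd.snap-confine.real).
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/lib/snapd/snap-confine {
  include "/var/lib/snapd/apparmor/snap-confine.d"
  /etc/ld.so.cache r,
}
"""

if __name__ == '__main__':
    for angle_only in (True, False):
        inc, rules, unknown = scan_profile(SAMPLE_PROFILE.splitlines(), angle_only)
        print('angle_only=%s includes=%d rules=%d unknown=%s'
              % (angle_only, len(inc), len(rules), unknown))
```

With `angle_only=True` the quoted include on line 3 lands in `unknown`, which is exactly the "Unknown line found ... line 15" error in the report; with both forms accepted it is recorded as an include and resolves to the snap-confine.d directory.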


[Kernel-packages] [Bug 1615895] Re: apparmor module parameters can be changed after the policy is locked

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

https://bugs.launchpad.net/bugs/1615895

Title:
  apparmor module parameters can be changed after the policy is locked

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  the policy_lock parameter is a one way switch that prevents policy
  from being further modified. Unfortunately some of the module parameters
  can effectively modify policy by turning off enforcement.

  split policy_admin_capable into a view check and a full admin check,
  and update the admin check to test the policy_lock parameter.



[Kernel-packages] [Bug 1592547] Re: vmalloc failure leads to null ptr dereference in aa_dfa_next

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

https://bugs.launchpad.net/bugs/1592547

Title:
  vmalloc failure leads to null ptr dereference in aa_dfa_next

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  running stress-ng apparmor stressor with a vmalloc NULL return trips a
  null ptr dereference in aa_dfa_next:

  $ uname -a
  Linux ubuntu 4.4.0-24-generic #43

  [   46.271517] BUG: unable to handle kernel NULL pointer dereference at 
0020
  [   46.271641] IP: [] aa_dfa_next+0x6/0x70
  [   46.271743] PGD 39ebd067 PUD 39ebe067 PMD 0
  [   46.271833] Oops:  [#1] SMP
  [   46.271926] Modules linked in: jitterentropy_rng algif_rng salsa20_generic 
salsa20_x86_64 camellia_generic camellia_aesni_avx_x86_64 camellia_x86_64 
cast6_avx_x86_64 cast6_generic cast_common serpent_avx_x86_64 
serpent_sse2_x86_64 serpent_generic twofish_generic twofish_avx_x86_64 
twofish_x86_64_3way twofish_x86_64 twofish_common xts algif_skcipher tgr192 
wp512 rmd320 rmd256 rmd160 rmd128 md4 algif_hash af_alg ppdev 
snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep 
snd_pcm input_leds joydev snd_timer serio_raw snd soundcore i2c_piix4 mac_hid 
8250_fintek parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core 
ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs 
raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor 
raid6_pq
  [   46.273290]  libcrc32c raid1 raid0 multipath linear 8139too 
crct10dif_pclmul crc32_pclmul qxl aesni_intel aes_x86_64 lrw gf128mul ttm 
drm_kms_helper glue_helper ablk_helper cryptd syscopyarea sysfillrect sysimgblt 
fb_sys_fops psmouse drm floppy 8139cp mii pata_acpi
  [   46.274250] CPU: 0 PID: 1349 Comm: stress-ng-appar Not tainted 
4.4.0-24-generic #43
  [   46.274436] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
Ubuntu-1.8.2-1ubuntu1 04/01/2014
  [   46.274632] task: 8800374be040 ti: 88003746c000 task.ti: 
88003746c000
  [   46.274854] RIP: 0010:[]  [] 
aa_dfa_next+0x6/0x70
  [   46.275072] RSP: 0018:88003746fca8  EFLAGS: 00010282
  [   46.275450] RAX:  RBX: 0003 RCX: 
4a46
  [   46.275934] RDX: 0002 RSI: 0001 RDI: 

  [   46.276348] RBP: 88003746fd28 R08: 88003fc19f40 R09: 
88003e001d00
  [   46.276757] R10: 88003da8e600 R11: 88003e001500 R12: 
88003746fd48
  [   46.276979] R13: 88003acc4800 R14: 88003acc4894 R15: 
0029
  [   46.277202] FS:  7f7198a0f700() GS:88003fc0() 
knlGS:
  [   46.277500] CS:  0010 DS:  ES:  CR0: 80050033
  [   46.278006] CR2: 0020 CR3: 39ebc000 CR4: 
001406f0
  [   46.278592] Stack:
  [   46.278846]  88003746fd28 81383585  

  [   46.279271]  3746fd00  c9000268e400 

  [   46.279860]  88003746fd40  5833b243 
88003746fe28
  [   46.280311] Call Trace:
  [   46.280606]  [] ? unpack_profile+0x5c5/0x970
  [   46.280854]  [] aa_unpack+0xe9/0x450
  [   46.281091]  [] aa_replace_profiles+0x77/0xb70
  [   46.281341]  [] ? vmalloc+0x6b/0x70
  [   46.281610]  [] policy_update+0x9f/0x1f0
  [   46.281887]  [] profile_replace+0x13/0x20
  [   46.282169]  [] __vfs_write+0x18/0x40
  [   46.282444]  [] vfs_write+0xa9/0x1a0
  [   46.282728]  [] ? do_sys_open+0x1bf/0x2a0
  [   46.283418]  [] SyS_write+0x55/0xc0
  [   46.284188]  [] entry_SYSCALL_64_fastpath+0x16/0x71
  [   46.284753] Code: 0c 42 39 ce 74 d9 0f b6 02 41 0f b7 34 7b 84 c0 75 d9 eb 
c3 41 0f b7 34 44 eb 89 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 <48> 8b 
47 20 4c 8b 5f 28 4c 8b 57 40 48 89 e5 4c 8b 4f 18 48 8d 
  [   46.285401] RIP  [] aa_dfa_next+0x6/0x70



[Kernel-packages] [Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

https://bugs.launchpad.net/bugs/1615890

Title:
  stacking to unconfined in a child namespace confuses mediation

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  when viewing a stack involving unconfined from across a ns boundary
  the mode is reported as mixed.

  Eg.
  lxc-container-default//&:lxdns1://unconfined (mixed)

  This is because the unconfined profile is in the special unconfined
  mode, which will result in a (mixed) mode for any stack with profiles
  in enforcing or complain mode.

  This can however lead to confusion as to what mode is being used, as
  mixed is also used for enforcing stacked with complain, and this can
  also currently mess up mediation of trusted helpers like dbus.

  Since unconfined doesn't affect the stack just special case it.



[Kernel-packages] [Bug 1615881] Re: The label build for onexec when stacking is wrong

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

https://bugs.launchpad.net/bugs/1615881

Title:
  The label build for onexec when stacking is wrong

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  The label build for onexec when crossing a namespace boundary is not
  quite correct. The label needs to be built per profile and not based
  on the whole label because the onexec transition only applies to
  profiles within the ns. Merging against the whole label could include
  profiles that are transitioned via the profile_transition callback
  and should not be in the final label.



[Kernel-packages] [Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

https://bugs.launchpad.net/bugs/1615887

Title:
  profiles from different namespaces can block other namespaces from
  being able to load a profile

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  If ns1 has a profile A in it, it can cause loading a profile with the
  name A into ns2, and if it does succeed, it can result in compound
  labels crossing namespaces, resulting in mediation not from one ns
  being applied to another.



[Kernel-packages] [Bug 1615880] Re: The inherit check for new to old label comparison for domain transitions is wrong

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

https://bugs.launchpad.net/bugs/1615880

Title:
  The inherit check for new to old label comparison for domain
  transitions is wrong

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  For the purposes of inherit we should be treating a profile/label transition
  to its replacement as if the replacement is the profile/label.

  So make the comparison based off of the label proxy, not the label itself.



[Kernel-packages] [Bug 1615893] Re: change_hat is logging failures during expected hat probing

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

https://bugs.launchpad.net/bugs/1615893

Title:
  change_hat is logging failures during expected hat probing

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  change_hat uses probing to find and transition to the first available
  hat. Hats missing as part of this probe are expected and should not
  be logged except in complain mode.



[Kernel-packages] [Bug 1615889] Re: label vec reductions can result in reference labels instead of direct access to labels

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

https://bugs.launchpad.net/bugs/1615889

Title:
  label vec reductions can result in reference labels instead of direct
  access to labels

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  The label vec cleanup/reduction can result in a reference label which
  while not causing wrong mediation is effectively a reference leak as
  the label will populate the label tree, consume memory and not be
  removed, it will only reduce to a reference of replacement vars.



[Kernel-packages] [Bug 1615892] Re: deleted files outside of the namespace are not being treated as disconnected

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

https://bugs.launchpad.net/bugs/1615892

Title:
  deleted files outside of the namespace are not being treated as
  disconnected

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  Deleted files outside of the namespace should be treated the same as
  other disconnected files



[Kernel-packages] [Bug 1615878] Re: __label_update proxy comparison test is wrong

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

https://bugs.launchpad.net/bugs/1615878

Title:
  __label_update proxy comparison test is wrong

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  It is comparing the proxy pointer, not the address of the label's proxy
  pointer.

  This results in labels that shouldn't be entering the invalidate
  label update path.



[Kernel-packages] [Bug 1615882] Re: dfa is missing a bounds check which can cause an oops

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

https://bugs.launchpad.net/bugs/1615882

Title:
  dfa is missing a bounds check which can cause an oops

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  A custom crafted or corrupted binary profile can cause an oops when
  loaded due to a missing bounds check



[Kernel-packages] [Bug 1408833] Re: broken postinst test for uvtool-libvirt

2016-10-13 Thread Christian Boltz
** Tags added: aa-kernel

https://bugs.launchpad.net/bugs/1408833

Title:
  broken postinst test for uvtool-libvirt

Status in AppArmor:
  Confirmed
Status in openstack-installer:
  Confirmed
Status in uvtool:
  Invalid
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Utopic:
  Fix Released

Bug description:
  Installing uvtool-libvirt *inside an lxc container* on utopic fails
  due to a test in the postinst script.

  It uses socat on the libvirt socket, which fails, despite libvirt
  being installed correctly.

  ubuntu@uoi-bootstrap:~$ sudo apt-get install -f
  Reading package lists... Done
  Building dependency tree   
  Reading state information... Done
  The following packages were automatically installed and are no longer 
required:
libfreetype6 os-prober
  Use 'apt-get autoremove' to remove them.
  0 upgraded, 0 newly installed, 0 to remove and 19 not upgraded.
  1 not fully installed or removed.
  After this operation, 0 B of additional disk space will be used.
  Setting up uvtool-libvirt (0~bzr92-0ubuntu2) ...
  2015/01/08 13:01:34 socat[10184] E read(3, 0x13b2a30, 8192): Permission denied
  libvirtd does not appear to be listening on "/var/run/libvirt/libvirt-sock".
  On Ubuntu, libvirtd is managed with the "libvirt-bin" upstart job.
  Repair libvirtd, then reconfigure uvtool-libvirt with:
  sudo apt-get -f install
  dpkg: error processing package uvtool-libvirt (--configure):
   subprocess installed post-installation script returned error exit status 1
  Errors were encountered while processing:
   uvtool-libvirt
  E: Sub-process /usr/bin/dpkg returned an error code (1)

  
  ubuntu@uoi-bootstrap:~$ ps -ef | grep libvirt
  libvirt+  9556     1  0 09:52 ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
  root      9557  9556  0 09:52 ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
  root      9854     1  0 10:24 ?        00:00:00 /usr/sbin/libvirtd -d
  ubuntu   10155 10120  0 12:56 pts/0    00:00:00 grep libvirt

  ubuntu@uoi-bootstrap:~$ groups
  ubuntu adm dialout cdrom floppy sudo audio dip video plugdev netdev libvirtd

  
  ubuntu@uoi-bootstrap:~$ virsh list
   Id    Name                           State
  ----------------------------------------------------

  for a little more context, there are notes here:
  https://gist.github.com/mikemccracken/53c665e6094db21efc03



[Kernel-packages] [Bug 1609885] Re: exec transitions to profiles with '.' in name don't work

2016-10-13 Thread Christian Boltz
** Tags added: aa-parser

https://bugs.launchpad.net/bugs/1609885

Title:
  exec transitions to profiles with '.' in name don't work

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  If a child profile has '.' in the name, then the parser fails to compile the 
policy:
  $ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
  AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found 
unexpected character: '.'

  If you put a child profile with '.' in the name in a variable, the parser
  compiles the policy but the exec transition fails:
  $ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
  /tmp/with.dots: 3: /tmp/with.dots: cat: Permission denied

  denial is:
  apparmor="DENIED" operation="exec" info="profile transition not found" 
error=-13 profile="test" name="/bin/cat" pid=18219 comm="with.dots" 
requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  $ cat /tmp/test.sh
  #!/bin/sh
  cat /proc/version

  $ cat /tmp/profile
  #include 

  @{TARGET_PROFILE}="with.dots"

  profile test {
    #include 
    #include 

    /tmp/test.sh r,

    # parser error:
    # AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found
    # unexpected character: '.'
    /{,usr/}bin/cat cx -> with.dots,

    # fail to transition:
    # apparmor="DENIED" operation="exec" info="profile transition not found"
    # error=-13 profile="test" name="/bin/cat" pid=18105 comm="with.dots"
    # requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
    #/{,usr/}bin/cat cx -> @{TARGET_PROFILE},

    # ok
    #/{,usr/}bin/cat cx -> no_dots,

    profile with.dots {
  #include 
  @{PROC}/version r,
  /{,usr/}bin/cat r,
    }

    profile no_dots {
  #include 
  @{PROC}/version r,
  /{,usr/}bin/cat r,
    }
  }



[Kernel-packages] [Bug 1373070] Re: full fix for disconnected path (paths)

2016-02-26 Thread Christian Boltz
As expected, that's a totally different issue.

Please add
/dev/log r,
to your rsyslogd profile.

https://bugs.launchpad.net/bugs/1373070

Title:
  full fix for disconnected path (paths)

Status in cups package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Triaged
Status in rsyslog package in Ubuntu:
  New

Bug description:
  With the apparmor 3 RC1 upload, there is an incomplete bug fix for
  disconnected paths. This bug is to track that work.

  This denial may be related:
  Sep 23 10:10:50 localhost kernel: [40262.517799] audit: type=1400 
audit(1411485050.722:2862): apparmor="DENIED" operation="sendmsg" info="Failed 
name lookup - disconnected path" error=-13 profile="/usr/sbin/rsyslogd" 
name="dev/log" pid=7011 comm="logger" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0

  This is related to bug 1375410



[Kernel-packages] [Bug 1545776] Re: 14.04 kernel does not log exec properly and aa-logprof fails

2016-02-16 Thread Christian Boltz
The aa-logprof crash with empty denied_mask is already fixed in bzr, see
bug 1525119

** Tags removed: apparmo
** Tags added: aa-kernel apparmor

https://bugs.launchpad.net/bugs/1545776

Title:
  14.04 kernel does not log exec properly and aa-logprof fails

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 14.04's kernel (tested 3.13.0-32-generic) does not log exec
  properly in audit.log when in complain mode, so aa-logprof will not
  work.

  Here is test.bash
  -
  #!/bin/bash

  echo "hi"
  ls /tmp
  find /tmp
  -

  Here is /etc/apparmor.d/root.tmp.test.bash (which was created with aa-genprof 
and edited with aa-logprof):
  -
  # Last Modified: Mon Feb 15 16:05:05 2016
  #include 

  /root/tmp/test.bash flags=(complain) {
#include 
#include 
#include 

/bin/ls r,
/proc/filesystems r,
/proc/meminfo r,
/root/tmp/ r,
/root/tmp/test.bash r,
/tmp/** rwlk,
/usr/bin/find r,

  }
  -

  
  Here are the results in audit.log with a stock kernel, and a 
vanilla+grsecurity 4.3.5 kernel:

  # uname -a
  Linux apparmortest 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 
2014 x86_64 x86_64 x86_64 GNU/Linux

  enforce mode:
  -
  type=AVC msg=audit(1455548893.569:18246): apparmor="DENIED" operation="exec" 
profile="/root/tmp/test.bash" name="/bin/ls" pid=9767 comm="test.bash" 
requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=SYSCALL msg=audit(1455548893.569:18246): arch=c03e syscall=59 
success=no exit=-13 a0=8c1d88 a1=8c1988 a2=8c2c08 a3=7fffd820cac0 items=0 
ppid=9766 pid=9767 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts1 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
  type=AVC msg=audit(1455548893.573:18247): apparmor="DENIED" operation="exec" 
profile="/root/tmp/test.bash" name="/usr/bin/find" pid=9768 comm="test.bash" 
requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=SYSCALL msg=audit(1455548893.573:18247): arch=c03e syscall=59 
success=no exit=-13 a0=8c2908 a1=8c1988 a2=8c2c08 a3=7fffd820cac0 items=0 
ppid=9766 pid=9768 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts1 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
  [this is full output]
  -

  complain mode:
  -
  type=AVC msg=audit(1455548922.473:18249): apparmor="ALLOWED" operation="exec" 
profile="/root/tmp/test.bash" pid=9772 comm="test.bash" requested_mask="x" 
denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-53"
  type=SYSCALL msg=audit(1455548922.473:18249): arch=c03e syscall=59 
success=yes exit=0 a0=10c6d88 a1=10c6988 a2=10c7c08 a3=7fff57ced540 items=0 
ppid=9771 pid=9772 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts1 ses=2 comm="ls" exe="/bin/ls" key=(null)
  [... much longer...]
  -


  # uname -a
  Linux apparmortest 4.3.5-grsec+ #1 SMP Fri Feb 12 18:53:52 CET 2016 x86_64 
x86_64 x86_64 GNU/Linux

  enforce
  -
  type=AVC msg=audit(1455549782.598:50): apparmor="DENIED" operation="exec" 
profile="/root/tmp/test.bash" name="/bin/ls" pid=1710 comm="test.bash" 
requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=SYSCALL msg=audit(1455549782.598:50): arch=c03e syscall=59 
success=no exit=-13 a0=d9eb88 a1=d9cf08 a2=d9dc08 a3=79f56cef8bd0 items=0 
ppid=1709 pid=1710 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts3 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
  type=UNKNOWN[1327] msg=audit(1455549782.598:50): 
proctitle=2F62696E2F62617368002E2F746573742E62617368
  type=AVC msg=audit(1455549782.598:51): apparmor="DENIED" operation="exec" 
profile="/root/tmp/test.bash" name="/usr/bin/find" pid=1711 comm="test.bash" 
requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  type=SYSCALL msg=audit(1455549782.598:51): arch=c03e syscall=59 
success=no exit=-13 a0=d9ee88 a1=d9cf08 a2=d9dc08 a3=79f56cef8bd0 items=0 
ppid=1709 pid=1711 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts3 ses=2 comm="test.bash" exe="/bin/bash" key=(null)
  type=UNKNOWN[1327] msg=audit(1455549782.598:51): 
proctitle=2F62696E2F62617368002E2F746573742E62617368
  -

  complain
  -
  type=AVC msg=audit(1455549804.810:57): apparmor="ALLOWED" operation="exec" 
profile="/root/tmp/test.bash" name="/bin/ls" pid=1750 comm="test.bash" 
requested_mask="x" denied_mask="x" fsuid=0 ouid=0 
target="/root/tmp/test.bash//null-1"
  type=SYSCALL msg=audit(1455549804.810:57): arch=c03e syscall=59 
success=yes exit=0 a0=20ddd08 a1=20dcb88 a2=20dcc08 a3=76f9147845e0 items=0 
ppid=1749 pid=1750 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts3 ses=2 comm="ls" exe="/bin/ls" key=(null)
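As an added example, not code from the report or from aa-logprof: a tolerant Python parser for AppArmor AVC records that flags the two conditions this thread turns on, an exec record without `name=` (the 14.04 complain-mode output above carries only `target=`) and an empty `denied_mask` (the crash Christian says is already fixed in bzr). The sample records are the report's own lines re-joined onto one line each (the mail wrapped them), plus one constructed line with an empty `denied_mask` and the syslog-format denial from bug 1373070 to show that both record formats parse. A tool that proposes rules should skip the flagged records rather than crash on them.

```python
import re

# key=value pairs: either a quoted value (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<timestamp>:<serial>) appears in both the auditd and the syslog formats.
MSG_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')


def parse_avc(line):
    """Parse one log line into a dict of fields.
    Returns None unless the line is an AppArmor record, i.e. type=AVC (auditd)
    or type=1400 (syslog/dmesg) and carries an apparmor= field."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        # An empty quoted value (denied_mask="") must survive as ''.
        fields[key] = quoted if bare == '' else bare
    if fields.get('type') not in ('AVC', '1400') or 'apparmor' not in fields:
        return None
    m = MSG_RE.search(line)
    if m:
        fields['timestamp'] = m.group(1)
        fields['serial'] = int(m.group(2))
    return fields


def exec_issue(ev):
    """Classify an exec record for a profile-generating tool.
    Returns None when the record carries what is needed to propose a rule,
    otherwise a short reason the tool should skip (not crash on) the record."""
    if ev.get('operation') != 'exec':
        return None
    if 'name' not in ev:
        # The 3.13 kernel in complain mode logs only target=...//null-N,
        # so the exec'd path is unknown and no rule can be derived.
        return 'missing name='
    if ev.get('denied_mask') == '':
        return 'empty denied_mask'
    return None


def triage(lines):
    """Return [(serial, profile, issue)] for AppArmor exec records that a
    rule-generating tool cannot use as-is."""
    out = []
    for line in lines:
        ev = parse_avc(line)
        if ev is None:
            continue
        issue = exec_issue(ev)
        if issue:
            out.append((ev.get('serial'), ev.get('profile'), issue))
    return out


# Constructed sample: report lines re-joined, plus two extra lines (see lead-in).
SAMPLE_LOG = [
    # 3.13.0-32, enforce mode: name= present
    'type=AVC msg=audit(1455548893.569:18246): apparmor="DENIED" operation="exec" '
    'profile="/root/tmp/test.bash" name="/bin/ls" pid=9767 comm="test.bash" '
    'requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    # 3.13.0-32, complain mode: no name=, only target=
    'type=AVC msg=audit(1455548922.473:18249): apparmor="ALLOWED" operation="exec" '
    'profile="/root/tmp/test.bash" pid=9772 comm="test.bash" requested_mask="x" '
    'denied_mask="x" fsuid=0 ouid=0 target="/root/tmp/test.bash//null-53"',
    # 4.3.5, complain mode: name= present alongside target=
    'type=AVC msg=audit(1455549804.810:57): apparmor="ALLOWED" operation="exec" '
    'profile="/root/tmp/test.bash" name="/bin/ls" pid=1750 comm="test.bash" '
    'requested_mask="x" denied_mask="x" fsuid=0 ouid=0 '
    'target="/root/tmp/test.bash//null-1"',
    # constructed: empty denied_mask
    'type=AVC msg=audit(1455549900.000:60): apparmor="ALLOWED" operation="exec" '
    'profile="/root/tmp/test.bash" name="/usr/bin/find" pid=1760 comm="test.bash" '
    'requested_mask="x" denied_mask="" fsuid=0 ouid=0',
    # not an AppArmor record
    'type=SYSCALL msg=audit(1455548893.569:18246): arch=c03e syscall=59 '
    'success=no exit=-13',
    # syslog format, from bug 1373070 (not an exec, so never flagged)
    'Sep 23 10:10:50 localhost kernel: [40262.517799] audit: type=1400 '
    'audit(1411485050.722:2862): apparmor="DENIED" operation="sendmsg" '
    'info="Failed name lookup - disconnected path" error=-13 '
    'profile="/usr/sbin/rsyslogd" name="dev/log" pid=7011 comm="logger" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == '__main__':
    for serial, profile, issue in triage(SAMPLE_LOG):
        print('serial %s profile %s: skip, %s' % (serial, profile, issue))
```

Run on the sample, only the 3.13 complain-mode record (serial 18249) and the constructed empty-mask record (serial 60) are reported; the 4.3.5 complain-mode record parses cleanly because the newer kernel logs `name=` in addition to `target=`.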