[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name

2015-06-13 Thread John Johansen
not really, comm= is added by the audit subsystem and is set by the thread
the check is being done in, in kernel context.  Both the send and
receive checks are being done in the same place so comm= will not change.
We are not in control of this so there is little we can do about it.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1317555

Title:
  'signal peer=@{profile_name},' does not work as expected when in a
  profile using a regex match as a name

Status in AppArmor Linux application security framework:
  Triaged
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  Kees Cook reported signal mediation issues stemming from the 'signal
  peer=@{profile_name},' rule in the base abstraction. It does not work
  as expected when @{profile_name} contains a regex match. If an
  application confined with a profile that uses a regex match as the
  name attempts to signal itself, the signal is denied.

  Here's a simple reproducer:

  # Set up the test environment
  $ mkdir /tmp/test
  $ cd /tmp/test
  $ cp -a /bin/kill .
  $ cp -a /bin/sleep .

  # Run the unconfined test to verify that it works (it does)
  $ /tmp/test/sleep 30s 
  [2] 31464
  $ /tmp/test/kill -USR1 $!
  [2]+  User defined signal 1   /tmp/test/sleep 30s

  # Create and load the AppArmor profile
  $ cat << EOF > profile
  #include <tunables/global>

  /tmp/test/{kill,sleep} {
    #include <abstractions/base>
    file,
  }

  profile test {
    #include <abstractions/base>
    file,
  }
  EOF
  $ sudo apparmor_parser -r profile

  # Run the test under /tmp/test/{kill,sleep} confinement
  # Note that this will not work, likely due to the regex in the profile name
  $ /tmp/test/sleep 30s 
  [1] 31473
  $ /tmp/test/kill -USR1 $!

  # Look at the new denials
  # Oddly, comm=kill is in both denials, despite the denials being for send and receive masks
  type=AVC msg=audit(1399560667.038:720): apparmor=DENIED operation=signal profile=/tmp/test/{kill,sleep} pid=31474 comm=kill requested_mask=send denied_mask=send signal=usr1 peer=/tmp/test/{kill,sleep}
  type=AVC msg=audit(1399560667.038:720): apparmor=DENIED operation=signal profile=/tmp/test/{kill,sleep} pid=31474 comm=kill requested_mask=receive denied_mask=receive signal=usr1 peer=/tmp/test/{kill,sleep}

  # Run the test once more under the test profile (it succeeds)
  $ aa-exec -p test -- /tmp/test/sleep 30s 
  [1] 31476
  $ aa-exec -p test -- /tmp/test/kill -USR1 $!
  [1]+  User defined signal 1   aa-exec -p test -- /tmp/test/sleep 30s

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1317555/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
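To make this symptom easy to spot in real audit logs, here is an added example (not code from the bug report or from the AppArmor project) that parses AVC lines like the two denials above and flags denied self-signals, noting whether the profile name contains AppArmor pattern characters such as the `{kill,sleep}` alternation. The third sample line (a file denial) and the quoted-value form of the fields are constructed assumptions used only to exercise the filter.

```python
import re

# Sample audit input. The first two lines are the denials from the bug report's
# reproducer (re-joined onto single lines); the third is a constructed, unrelated
# file denial so the filter has something to reject.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1399560667.038:720): apparmor=DENIED operation=signal profile=/tmp/test/{kill,sleep} pid=31474 comm=kill requested_mask=send denied_mask=send signal=usr1 peer=/tmp/test/{kill,sleep}
type=AVC msg=audit(1399560667.038:720): apparmor=DENIED operation=signal profile=/tmp/test/{kill,sleep} pid=31474 comm=kill requested_mask=receive denied_mask=receive signal=usr1 peer=/tmp/test/{kill,sleep}
type=AVC msg=audit(1399560670.100:721): apparmor="DENIED" operation="open" profile="/tmp/test/{kill,sleep}" name="/etc/shadow" pid=31480 comm="sleep" requested_mask="r" denied_mask="r"
"""

# Characters that make an AppArmor profile name a pattern rather than a literal path.
PATTERN_CHARS = set("*?[]{}")

# key=value or key="quoted value"; values in kernel audit output are usually quoted,
# the bug report's paste shows them unquoted, so both forms are accepted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Split one AppArmor AVC line into a dict; returns None for non-AppArmor lines."""
    if "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def is_denied_self_signal(fields):
    """True when a confined task was denied signalling a peer under its own profile."""
    return (fields.get("apparmor") == "DENIED"
            and fields.get("operation") == "signal"
            and "peer" in fields
            and fields["peer"] == fields.get("profile"))


def has_pattern_chars(name):
    return any(c in PATTERN_CHARS for c in name)


def find_self_signal_denials(log_text):
    """Return one record per denied self-signal, tagging pattern-named profiles."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_avc(line)
        if fields and is_denied_self_signal(fields):
            hits.append({
                "profile": fields["profile"],
                "mask": fields.get("denied_mask"),   # send or receive side of the check
                "signal": fields.get("signal"),
                "comm": fields.get("comm"),          # same comm= on both, as the thread notes
                "pattern_name": has_pattern_chars(fields["profile"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_signal_denials(SAMPLE_AUDIT):
        print(hit)
```

A hit with `pattern_name` true and both a `send` and a `receive` record for the same profile is the signature of this bug; a self-signal denial on a literal-path profile points at a missing `signal` rule instead.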


[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name

2015-06-13 Thread Christian Boltz
Just to make sure this doesn't get lost/overlooked:

> # Oddly, comm=kill is in both denials, despite the denials being for send and receive masks



[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name

2015-06-10 Thread Kees Cook
Hit this bug again while trying to use:
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/14.04/usr.lib.postgresql.bin.postgres



[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name

2014-10-23 Thread Jamie Strandboge
** Tags added: aa-parser



[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name

2014-10-15 Thread Jamie Strandboge
** Changed in: apparmor
   Importance: High => Medium

** Changed in: apparmor (Ubuntu)
   Importance: High => Medium



[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name

2014-10-08 Thread Jamie Strandboge
Is this bug actually 'High' priority? It seems more like medium or
possibly low.
