[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name
not really, comm= is added by the audit subsystem and is set by the thread the check is being done in, in kernel context. Both the send and receive checks are being done in the same place, so comm= will not change. We are not in control of this so there is little we can do about it.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1317555

Title:
  'signal peer=@{profile_name},' does not work as expected when in a profile using a regex match as a name

Status in AppArmor Linux application security framework:
  Triaged
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  Kees Cook reported signal mediation issues stemming from the 'signal peer=@{profile_name},' rule in the base abstraction. It does not work as expected when @{profile_name} contains a regex match. If an application confined with a profile that uses a regex match as the name attempts to signal itself, the signal is denied.

  Here's a simple reproducer:

  # Set up the test environment
  $ mkdir /tmp/test
  $ cd /tmp/test
  $ cp -a /bin/kill .
  $ cp -a /bin/sleep .

  # Run the unconfined test to verify that it works (it does)
  $ /tmp/test/sleep 30s &
  [2] 31464
  $ /tmp/test/kill -USR1 $!
  [2]+  User defined signal 1   /tmp/test/sleep 30s

  # Create and load the AppArmor profile
  $ cat << EOF > profile
  #include <tunables/global>

  /tmp/test/{kill,sleep} {
    #include <abstractions/base>
    file,
  }

  profile test {
    #include <abstractions/base>
    file,
  }
  EOF
  $ sudo apparmor_parser -r profile

  # Run the test under /tmp/test/{kill,sleep} confinement
  # Note that this will not work, likely due to the regex in the profile name
  $ /tmp/test/sleep 30s &
  [1] 31473
  $ /tmp/test/kill -USR1 $!

  # Look at the new denials
  # Oddly, comm=kill is in both denials, despite the denials being for send and receive masks
  type=AVC msg=audit(1399560667.038:720): apparmor=DENIED operation=signal profile=/tmp/test/{kill,sleep} pid=31474 comm=kill requested_mask=send denied_mask=send signal=usr1 peer=/tmp/test/{kill,sleep}
  type=AVC msg=audit(1399560667.038:720): apparmor=DENIED operation=signal profile=/tmp/test/{kill,sleep} pid=31474 comm=kill requested_mask=receive denied_mask=receive signal=usr1 peer=/tmp/test/{kill,sleep}

  # Run the test once more under the test profile (it succeeds)
  $ aa-exec -p test -- /tmp/test/sleep 30s &
  [1] 31476
  $ aa-exec -p test -- /tmp/test/kill -USR1 $!
  [1]+  User defined signal 1   aa-exec -p test -- /tmp/test/sleep 30s

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1317555/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
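As an added example (not part of the bug report or of AppArmor itself), a small Python parser that picks out denials of the kind the reproducer produces: DENIED signal events where profile and peer are the same name and that name contains AppArmor pattern characters, which is exactly when the 'signal peer=@{profile_name},' rule in abstractions/base fails to match. The sample audit text is constructed from the two AVC lines above plus one unrelated file denial for contrast; field and function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample input: the two AVC lines quoted in the bug report (values
# bare, as they appear there) plus one unrelated file denial from a profile
# without pattern characters, added here for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1399560667.038:720): apparmor=DENIED operation=signal profile=/tmp/test/{kill,sleep} pid=31474 comm=kill requested_mask=send denied_mask=send signal=usr1 peer=/tmp/test/{kill,sleep}
type=AVC msg=audit(1399560667.038:720): apparmor=DENIED operation=signal profile=/tmp/test/{kill,sleep} pid=31474 comm=kill requested_mask=receive denied_mask=receive signal=usr1 peer=/tmp/test/{kill,sleep}
type=AVC msg=audit(1399560667.040:721): apparmor=DENIED operation=open profile=/usr/bin/example pid=31480 comm=example requested_mask=r denied_mask=r name=/etc/example.conf
"""

# Characters that make an AppArmor profile name a pattern rather than a literal path.
PATTERN_CHARS = set("*?[{")

# key=value pairs; audit normally double-quotes string values, but the lines
# pasted into the bug report are bare, so both forms are accepted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> Dict[str, str]:
    """Split one AppArmor AVC audit line into a field dictionary."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def self_signal_denials_with_pattern(audit_text: str) -> List[Dict[str, str]]:
    """Return DENIED signal events in which a task signals its own profile and
    that profile's name contains pattern characters: the case where the
    'signal peer=@{profile_name},' rule from abstractions/base fails to match."""
    hits = []
    for line in audit_text.splitlines():
        ev = parse_avc(line)
        if ev.get("apparmor") != "DENIED" or ev.get("operation") != "signal":
            continue
        profile = ev.get("profile", "")
        if profile == ev.get("peer") and PATTERN_CHARS & set(profile):
            hits.append({"event": ev.get("msg", ""), "profile": profile,
                         "mask": ev.get("denied_mask", ""),
                         "signal": ev.get("signal", "")})
    return hits


if __name__ == "__main__":
    for hit in self_signal_denials_with_pattern(SAMPLE_AUDIT):
        print(f"{hit['event']} {hit['profile']} denied {hit['mask']} of {hit['signal']}")
```

Both the send and the receive denial are reported for the same event id, matching the paired audit lines in the report; a profile with a literal path name never triggers the check.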
[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name
Just to make sure this doesn't get lost/overlooked:

  # Oddly, comm=kill is in both denials, despite the denials being for send and receive masks
[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name
Hit this bug again while trying to use:
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/14.04/usr.lib.postgresql.bin.postgres
[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name
** Tags added: aa-parser
[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name
** Changed in: apparmor
       Importance: High => Medium

** Changed in: apparmor (Ubuntu)
       Importance: High => Medium
[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name
Is this bug actually 'High' priority? It seems more like medium or possibly low.