Public bug reported:

The apparmor.d(5) manpage technically does say that an APPARMOR_PROFILE
consists of nonempty statements. However, AppArmor will rudely enforce
this by oopsing the kernel. This is confirmed on a Lucid 2.6.32-8 kernel
checked out from its git repo. I have not confirmed this on other
kernels yet.


TEST CASES:

(1) Note apparmor_parser validates this profile:
[jd...@hideout:/tmp]$ sudo apparmor_parser -d 
apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
profile boom {}

^D
----- Debugging built structures -----
Name:           boom
Profile Mode:   Enforce
Capabilities:   
[jd...@hideout:/tmp]$ echo $?
0


(2) Now, try to load this profile into the kernel

[jd...@hideout:/tmp]$ sudo apparmor_parser --add -K 
apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
profile boom {}
[1]    6003 killed     sudo apparmor_parser --add -K


(3) Looking in dmesg:

[184066.515809] BUG: unable to handle kernel NULL pointer dereference at (null)
[184066.515817] IP: [<ffffffff8125ee7d>] aa_unpack+0xdd/0x2d0
[184066.515867] PGD 5c974067 PUD 35d9d067 PMD 0 
[184066.515872] Oops: 0000 [#7] SMP 
[184066.515876] last sysfs file: /sys/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0003:00/power_supply/ACAD/online
[184066.515885] CPU 0 
[184066.515891] Modules linked in: vmblock vmmemctl vmhgfs pvscsi isofs udf crc_itu_t acpiphp binfmt_misc sha256_generic cryptd aes_x86_64 aes_generic dm_crypt snd_ens1371 gameport snd_ac97_codec ac97_bus snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device ppdev lp iptable_filter parport_pc snd soundcore ip_tables x_tables snd_page_alloc psmouse serio_raw parport i2c_piix4 shpchp btrfs zlib_deflate crc32c libcrc32c floppy e1000 mptspi mptscsih mptbase scsi_transport_spi intel_agp
[184066.515940] Pid: 6003, comm: apparmor_parser Tainted: G      D    2.6.32-8-generic #11 VMware Virtual Platform
[184066.515943] RIP: 0010:[<ffffffff8125ee7d>]  [<ffffffff8125ee7d>] aa_unpack+0xdd/0x2d0
[184066.515948] RSP: 0018:ffff88001d4d5e18  EFLAGS: 00010202
[184066.515951] RAX: ffff880000496000 RBX: ffff88001d4d5e58 RCX: ffff880038c5125c
[184066.515953] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88001d4d5e18
[184066.515956] RBP: ffff88001d4d5e48 R08: 0000000000000000 R09: 0000000000000000
[184066.515958] R10: 0000000000000001 R11: 0000000000000002 R12: ffff88001d4d5e18
[184066.515961] R13: ffff88001d4d5f48 R14: 0000000000000001 R15: 0000000000000000
[184066.515981] FS:  00007f35567d8700(0000) GS:ffff880001c00000(0000) knlGS:0000000000000000
[184066.515985] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[184066.515987] CR2: 0000000000000000 CR3: 000000004bce9000 CR4: 00000000000006f0
[184066.516023] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[184066.516047] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
[184066.516051] Process apparmor_parser (pid: 6003, threadinfo ffff88001d4d4000, task ffff880042a62ac0)
[184066.516103] Stack:
[184066.516105]  ffff880038c51200 ffff880038c51273 ffff880038c51273 0000000000000005
[184066.516109] <0> ffff88001d4d5e58 0000000000000073 ffff88001d4d5ec8 ffffffff8125dffb
[184066.516114] <0> 0000000000000000 0000000000000020 ffffffff81710bfb 0000000000000000
[184066.516119] Call Trace:
[184066.516124]  [<ffffffff8125dffb>] aa_interface_add_profiles+0xcb/0x1d0
[184066.516134]  [<ffffffff81037499>] ? default_spin_lock_flags+0x9/0x10
[184066.516139]  [<ffffffff8125a2ec>] aa_profile_load+0x3c/0x60
[184066.516146]  [<ffffffff81127008>] vfs_write+0xb8/0x1a0
[184066.516152]  [<ffffffff81548794>] ? do_page_fault+0x194/0x370
[184066.516156]  [<ffffffff81127aac>] sys_write+0x4c/0x80
[184066.516163]  [<ffffffff81012002>] system_call_fastpath+0x16/0x1b
[184066.516166] Code: 4c 89 e7 e8 46 fb ff ff 48 3d 00 f0 ff ff 0f 87 f2 01 00 00 44 8b 15 77 c2 58 00 45 85 d2 74 8d 48 8b 50 78 44 8b 88 80 00 00 00 <48> 8b 3a 44 8b 57 08 45 85 d2 0f 84 72 ff ff ff 48 83 c7 0c 45
[184066.516202] RIP  [<ffffffff8125ee7d>] aa_unpack+0xdd/0x2d0
[184066.516206]  RSP <ffff88001d4d5e18>
[184066.516208] CR2: 0000000000000000
[184066.516211] ---[ end trace c18b1f57d3da0166 ]---


On the bright side, the only effect seems to be a SIGKILL'ed
apparmor_parser -- the kernel doesn't appear to be wedged in any way
after the fact. Still -- either apparmor_parser should refuse to load
such a profile, or the kernel should handle this a lot more gracefully!

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

-- 
AppArmor oops when loading an empty profile
https://bugs.launchpad.net/bugs/496110

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
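Added example, not code from the report, from AppArmor, or from whatever fix later shipped. The trace above shows what class of bug this is: the marked bytes in the Code: line, <48> 8b 3a, decode to mov (%rdx),%rdi, the register dump has RDX = 0, and CR2 = 0, so aa_unpack loaded a pointer out of the structure it had just unpacked (the preceding 48 8b 50 78 is mov 0x78(%rax),%rdx) and dereferenced it without checking it, which for a profile with no rules means dereferencing NULL. The C below is a model of how a kernel consumer of userspace-supplied bytes should unpack such a blob: every length is checked against the bytes actually left, every walk of the rule array is gated on the rule count, an empty profile is accepted as a deny-everything profile rather than a reason to touch a rule array that does not exist, and malformed input comes back as a negative errno instead of an oops. The blob layout, BLOB_MAGIC, MAX_RULES and every function name here are assumptions made for the example, not AppArmor's format or API.

```c
/* Added example, not AppArmor's code: bounds-checked unpacking of a constructed,
 * hypothetical profile blob. Layout (all u32 fields host order):
 *   magic | name_len | name bytes | nrules | nrules x (perm | path_len | path bytes) */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BLOB_MAGIC 0x30504141u /* assumed magic for the example, not a real AppArmor value */
#define MAX_RULES  4096u       /* refuse absurd counts before allocating count * sizeof */

struct rule    { uint32_t perm; char *path; };
struct profile { char *name; uint32_t nrules; struct rule *rules; };
struct cursor  { const uint8_t *p; size_t left; };

static int get_u32(struct cursor *c, uint32_t *out)
{
    if (c->left < 4) return -EINVAL;              /* truncated blob */
    memcpy(out, c->p, 4); c->p += 4; c->left -= 4;
    return 0;
}

/* Length-prefixed string to a fresh NUL-terminated copy; length checked before any read. */
static int get_str(struct cursor *c, char **out)
{
    uint32_t len;
    int err = get_u32(c, &len);
    if (err) return err;
    if (len > c->left) return -EINVAL;
    char *s = malloc((size_t)len + 1);
    if (!s) return -ENOMEM;
    memcpy(s, c->p, len); s[len] = '\0';
    c->p += len; c->left -= len;
    *out = s;
    return 0;
}

void profile_free(struct profile *pr)
{
    if (!pr) return;
    if (pr->rules) /* NULL for an empty profile or after a failed allocation */
        for (uint32_t i = 0; i < pr->nrules; i++) free(pr->rules[i].path);
    free(pr->rules); free(pr->name); free(pr);
}

/* 0 with *out set on success, negative errno otherwise. The rule array is only
 * allocated and walked when nrules says it exists; rules[0] is never assumed. */
int profile_unpack(const uint8_t *blob, size_t len, struct profile **out)
{
    struct cursor c = { blob, len };
    uint32_t magic;
    int err;

    *out = NULL;
    if ((err = get_u32(&c, &magic))) return err;
    if (magic != BLOB_MAGIC) return -EPROTO;
    struct profile *pr = calloc(1, sizeof *pr);
    if (!pr) return -ENOMEM;
    if ((err = get_str(&c, &pr->name)) || (err = get_u32(&c, &pr->nrules))) goto fail;
    if (pr->nrules > MAX_RULES) { err = -E2BIG; goto fail; }
    if (pr->nrules) {  /* an empty profile is legal: it simply has no rules */
        pr->rules = calloc(pr->nrules, sizeof *pr->rules);
        if (!pr->rules) { err = -ENOMEM; goto fail; }
        for (uint32_t i = 0; i < pr->nrules; i++)
            if ((err = get_u32(&c, &pr->rules[i].perm)) ||
                (err = get_str(&c, &pr->rules[i].path))) goto fail;
    }
    if (c.left) { err = -EINVAL; goto fail; }  /* trailing bytes: reject, do not ignore */
    *out = pr;
    return 0;
fail:
    profile_free(pr);
    return err;
}

/* Mediation query: nothing matches in an empty profile, so it denies by default. */
int profile_allows(const struct profile *pr, const char *path, uint32_t perm)
{
    for (uint32_t i = 0; i < pr->nrules; i++)
        if (strcmp(pr->rules[i].path, path) == 0 && (pr->rules[i].perm & perm) == perm)
            return 1;
    return 0;
}

/* Userspace half of the constructed format, used to build test input. The caller
 * supplies a buffer large enough for the blob; the blob length is returned. */
static size_t put_u32(uint8_t *b, size_t off, uint32_t v) { memcpy(b + off, &v, 4); return off + 4; }
static size_t put_str(uint8_t *b, size_t off, const char *s)
{
    size_t n = strlen(s);
    off = put_u32(b, off, (uint32_t)n);
    memcpy(b + off, s, n);
    return off + n;
}
size_t build_blob(uint8_t *b, const char *name, const struct rule *rules, uint32_t n)
{
    size_t off = put_str(b, put_u32(b, 0, BLOB_MAGIC), name);
    off = put_u32(b, off, n);
    for (uint32_t i = 0; i < n; i++)
        off = put_str(b, put_u32(b, off, rules[i].perm), rules[i].path);
    return off;
}
```

Feeding this unpacker the equivalent of "profile boom {}" (a name, a rule count of 0, nothing else) yields a profile whose rules pointer is NULL and whose every query returns deny, with no dereference on the way; a blob cut short, one with trailing bytes, or one with the wrong magic is refused with -EINVAL or -EPROTO, which is the "handle this a lot more gracefully" the report asks for, and it costs the kernel side nothing more than gating the rule walk on the count it already unpacked.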
