[Bug 419308] [NEW] profile name matching behaves unexpectedly

Wed, 26 Aug 2009 09:05:48 -0700 

Public bug reported:

Karmic will be shipping an apparmor profile for firefox (bug #382917). This is 
a spec for the security team. Due to packaging constraints and maintenance, it 
must use matching for the profile name. Eg, with a profile name specified like 
this:
/usr/lib/firefox-3.5.*/firefox {
...

/usr/lib/firefox-3.5.2/firefox attaches and works (good).

However, this causes problems:
a) it improperly matches the *files* /usr/lib/firefox-3.5.foo, 
/usr/lib/firefox-3.5.bar
b) '/usr/lib/** ux' is too greedy-- ie will match /usr/l if nothing else is 
available
c) '/usr/bin/** px' won't attach if the profiled is confined

These issues are a surprising side-effect of using matching in the
profile name, and will cause bugs and problems when people modify the
firefox profile or develop their own profiles using profile name
matching.

** Affects: linux (Ubuntu)
     Importance: Medium
     Assignee: John Johansen (jjohansen)
         Status: In Progress

** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu)
       Status: New => In Progress

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => John Johansen (jjohansen)

** Description changed:

  Karmic will be shipping an apparmor profile for firefox (bug #382917). This 
is a spec for the security team. Due to packaging constraints and maintenance, 
it must use matching for the profile name. Eg, with a profile name specified 
like this:
  /usr/lib/firefox-3.5.*/firefox {
  ...
  
  /usr/lib/firefox-3.5.2/firefox attaches and works (good).
  
  However, this causes problems:
- a) it improperly matches the *files* /usr/lib/firefox-3.5.foo, 
/usr/lib/firefox-3.5.bar. This is wrong and could cause problems if other 
versions of firefox are installed.
+ a) it improperly matches the *files* /usr/lib/firefox-3.5.foo, 
/usr/lib/firefox-3.5.bar
  b) '/usr/lib/** ux' is too greedy-- ie will match /usr/l if nothing else is 
available
  c) '/usr/bin/** px' won't attach if the profiled is confined
  
  These issues are a surprising side-effect of using matching in the
  profile name, and will cause bugs and problems when people modify the
  firefox profile or develop their own profiles using profile name
  matching.

-- 
profile name matching behaves unexpectedly
https://bugs.launchpad.net/bugs/419308
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to