Empty test profile

** Description changed:

+ SRU
+ 
+ 1. Impact: affects ability of users/administrators trying to create or
+ adjust their apparmor policies.
+ 
+ 2. Fixed in natty
+ 
+ 3. Patch to SubDomain.pm is small (other portions of the patch add
+ testcases to the log parsing library to confirm that they handle the
+ corresponding apparmor event messages) and adds four tests to an if-
+ clause. See http://bazaar.launchpad.net/~apparmor-
+ dev/apparmor/release-2.5/revision/1432 for upstream commit.
+ 
+ 4. TEST CASE
+ 
+ (1) Add the attached empty test profile for /does/not/exist (named 
does.not.exist) to /etc/apparmor.d
+ (2) Reload apparmor policy via "sudo /etc/init.d/apparmor reload"
+ (3) Copy the test logfile to /tmp
+ (4) Run logprof on the test logfile; e.g. "sudo logprof -f /tmp/testlog"
+ 
+ In the unfixed version, logprof will not prompt the user for any
+ rejections (it may ask about using the repository, answer disable or
+ later). In the fixed version, logprof should ask about three different
+ rejections:
+ 
+   /var/lib/update-notifier/release-upgrade-available
+   /var/run/motd
+   /var/run/motd.new
+ 
+ (select allow each time)
+ 
+ (5) Regression potential is low, as the patch adds additional cases to
+ the apparmor perl library; it can only affect the tools used to adjust
+ apparmor profiles.
+ 
+ 
  Binary package hint: apparmor
  
  While developing a test profile(s) for sshd on lucid using
  logprof/genprof, the following rejections in dmesg were never processed
  by the tools:
  
-   [  878.662172] type=1503 audit(1282626827.320:411):  operation="truncate" 
pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" 
requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 
name="/var/lib/update-notifier/release-upgrade-available"
-   [  878.663410] type=1502 audit(1282626827.320:412):  operation="rename_src" 
pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" 
denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"
-   [  878.663418] type=1502 audit(1282626827.320:413):  
operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" 
requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"
+   [  878.662172] type=1503 audit(1282626827.320:411):  operation="truncate" 
pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" 
requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 
name="/var/lib/update-notifier/release-upgrade-available"
+   [  878.663410] type=1502 audit(1282626827.320:412):  operation="rename_src" 
pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" 
denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"
+   [  878.663418] type=1502 audit(1282626827.320:413):  
operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" 
requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"
  
  I first looked at the log parsing library under the assumption that it
  didn't understand these operations. After adding testcases for each
  message, I confirmed that it does indeed understand them and parses them
  properly. Looking at SubDomain.pm, however, it does not know about these
  additional operation types.
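
Review bot: in the TEST CASE, step (3) says to copy "the test logfile" to /tmp without naming it or saying where it comes from, while step (1) calls the profile "attached" and step (4) expects /tmp/testlog. Name the logfile in step (3) so the steps can be followed from the description alone. The item "(5) Regression potential" is also numbered like a test step although it is the fifth SRU item and should read "5.".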

** Description changed:

  SRU
  
  1. Impact: affects ability of users/administrators trying to create or
  adjust their apparmor policies.
  
  2. Fixed in natty
  
  3. Patch to SubDomain.pm is small (other portions of the patch add
  testcases to the log parsing library to confirm that they handle the
  corresponding apparmor event messages) and adds four tests to an if-
  clause. See http://bazaar.launchpad.net/~apparmor-
  dev/apparmor/release-2.5/revision/1432 for upstream commit.
  
  4. TEST CASE
  
  (1) Add the attached empty test profile for /does/not/exist (named 
does.not.exist) to /etc/apparmor.d
  (2) Reload apparmor policy via "sudo /etc/init.d/apparmor reload"
  (3) Copy the test logfile to /tmp
  (4) Run logprof on the test logfile; e.g. "sudo logprof -f /tmp/testlog"
  
  In the unfixed version, logprof will not prompt the user for any
  rejections (it may ask about using the repository, answer disable or
  later). In the fixed version, logprof should ask about three different
  rejections:
  
-   /var/lib/update-notifier/release-upgrade-available
-   /var/run/motd
-   /var/run/motd.new
+   /var/lib/update-notifier/release-upgrade-available
+   /var/run/motd
+   /var/run/motd.new
  
  (select allow each time)
  
- (5) Regression potential is low, as the patch adds additional cases to
+ 5. Regression potential is low, as the patch adds additional cases to
  the apparmor perl library; it can only affect the tools used to adjust
  apparmor profiles.
- 
  
  Binary package hint: apparmor
  
  While developing a test profile(s) for sshd on lucid using
  logprof/genprof, the following rejections in dmesg were never processed
  by the tools:
  
    [  878.662172] type=1503 audit(1282626827.320:411):  operation="truncate" 
pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" 
requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 
name="/var/lib/update-notifier/release-upgrade-available"
    [  878.663410] type=1502 audit(1282626827.320:412):  operation="rename_src" 
pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" 
denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"
    [  878.663418] type=1502 audit(1282626827.320:413):  
operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" 
requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"
  
  I first looked at the log parsing library under the assumption that it
  didn't understand these operations. After adding testcases for each
  message, I confirmed that it does indeed understand them and parses them
  properly. Looking at SubDomain.pm, however, it does not know about these
  additional operation types.

** Attachment added: "does.not.exist"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/623467/+attachment/1722817/+files/does.not.exist

-- 
SubDomain.pm does not know about truncate, rename_src, and rename_dest 
operations
https://bugs.launchpad.net/bugs/623467
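
An added example, not part of the bug report or of AppArmor's own code: a Python check that parses the audit lines quoted above and lists the events whose operation is missing from a tool's dispatch set, which is the silent-skip failure this bug describes. HANDLED_OPS and the function names are assumptions made for illustration; HANDLED_OPS is not the real list from SubDomain.pm.

```python
import re
from collections import defaultdict

# Constructed stand-in for the operations a profiling tool dispatches on.
# Assumption for illustration only; NOT the real list from SubDomain.pm.
HANDLED_OPS = {"open", "exec", "mkdir", "unlink"}

# The three events quoted in the bug report, with the mail's line wraps joined.
SAMPLE_LOG = """\
[  878.662172] type=1503 audit(1282626827.320:411):  operation="truncate" pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/lib/update-notifier/release-upgrade-available"
[  878.663410] type=1502 audit(1282626827.320:412):  operation="rename_src" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"
[  878.663418] type=1502 audit(1282626827.320:413):  operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"
"""

AUDIT_RE = re.compile(r'type=(\d+) audit\((\d+\.\d+):(\d+)\):')
# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_event(line):
    """Return the audit fields of one log line as a dict, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    event = {"type": int(m.group(1)), "serial": int(m.group(3))}
    for key, quoted, bare in KV_RE.findall(line[m.end():]):
        event[key] = quoted if quoted else bare
    return event


def unhandled_denials(log_text, handled_ops=HANDLED_OPS):
    """Map operation -> sorted paths for events a tool would silently skip."""
    skipped = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or "denied_mask" not in ev or "operation" not in ev:
            continue  # not an AppArmor event carrying a denied mask
        if ev["operation"] not in handled_ops:
            skipped[ev["operation"]].add(ev.get("name", "?"))
    return {op: sorted(paths) for op, paths in skipped.items()}


if __name__ == "__main__":
    for op, paths in sorted(unhandled_denials(SAMPLE_LOG).items()):
        print(f"{op}: not handled, paths never prompted for: {paths}")
```

Comparing this output with what logprof actually prompts for shows whether events are being dropped between the log parser and the profile tool.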