This is an intentional change and bug fix in the new AppArmor. The old AppArmor was always supposed to mediate write access to directories, but due to a bug in the code it would not under most circumstances.

AppArmor does mask and implicitly allow directory traversal (unix dac x perm on directory).
New AppArmor handles directories as follows:

Directory permissions are separated from file permissions with a trailing slash, i.e. /a/directory/

This allows distinction between allowing permission for a file and a directory.

                          old apparmor    new apparmor
    file permission       /tmp rw,        /tmp rw,
    directory permission  /tmp rw,        /tmp/ rw,
With this change read access to directories may break existing profiles because old profiles treated directories and files the same.

A good example of this behavior can be observed using a confined bash. Tab completion will not work without explicit read access to a given directory but access to a given file can still be allowed.
e.g.

    /bin/bash {
      ..
      /tmp/foo r,    # allow access to /tmp/foo but not /tmp/
    }
As long as /tmp/ r, is not included in the profile, bash cannot read the directory so tab completion fails, but it can read the file /tmp/foo. Again this is because directory traversal is implicitly allowed through masking but read and write are not.
It is also important to note the behavior of AppArmor's regexes (*, **, ?). Rule behavior from old AppArmor to new AppArmor:
    /dir/* rw,            # changed - now only matches files
    /dir/file* rw,        # changed - now only matches files
    /dir/file*/ rw,       # changed - now only matches dirs - previous behavior matched nothing
    /dir/*file rw,        # changed - now only matches files
    /dir/*file/ rw,       # changed - now only matches dirs - previous behavior matched nothing
    /dir/*/file rw,       # changed - now only matches files
    /dir/*/file/ rw,      # changed - now only matches dirs - previous behavior matched nothing
    /dir/** rw,           # no change - matches files and directories
    /dir/**/ rw,          # changed - only matches directories - previous behavior matched nothing
    /dir/**[^/] rw,       # changed - only matches files - previous behavior matched files and dirs
    /dir/foo** rw,        # no change - matches files and directories
    /dir/**foo rw,        # changed - matches only files
    /dir/**foo/ rw,       # changed - matches only dirs - previous behavior matched nothing
    /dir/**foo[^/] rw,    # changed - matches only files - previous behavior matched files and dirs
    /dir/**/foo rw,       # changed - only matches files
    /dir/**/foo/ rw,      # changed - only matches dirs - previous behavior matched nothing
    /dir/**/foo[^/] rw,   # changed - only matches files - previous behavior matched files and dirs
    /dir/foo? rw,         # changed - matches only files - previous behavior matched files and dirs
    /dir/foo?/ rw,        # changed - matches only dirs - previous behavior matched nothing
    /dir/foo?/bar         # changed - only matches files - note directories that bar are in are the same
To summarize, there are changes in behavior (2 semantic and 1 bug fix):

1. directory access is specified separately from file access by a trailing /
2. directory read access is no longer implicit and must be specified.
3. the directory write access bug has been fixed; write access for dirs must always be specified.

AppArmor has retained that directory traversal (unix dac x on dirs) is implicitly allowed.

So for new AppArmor, profiles must be updated to follow the new semantics.
--
new apparmor not masking directory permissions correctly
https://bugs.launchpad.net/bugs/138978
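As an added illustration (not part of the bug comment and not AppArmor's own parser), the following Python models the new directory semantics from the tables above as a small path-glob matcher, so a rule can be checked against sample file and directory paths before a profile is updated. It assumes the kernel presents directories with a trailing slash, that a * or ** placed directly after a / must consume at least one character (so /dir/* does not cover the directory /dir/ itself), and it does not handle {a,b} alternation.

```python
import re

# Simplified model of the new-AppArmor path globs described in the bug
# comment: a trailing '/' means a directory, '*' stops at '/', '**' may
# span '/', '?' is one non-'/' character and '[^/]' is passed through.
# Assumption: '*' or '**' right after '/' must consume at least one char.

def aare_to_regex(pattern: str) -> str:
    """Translate a simplified AppArmor path glob into an anchored regex."""
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        after_slash = i == 0 or pattern[i - 1] == '/'
        if pattern.startswith('**', i):
            out.append('[^/].*' if after_slash else '.*')    # may cross '/'
            i += 2
        elif c == '*':
            out.append('[^/]+' if after_slash else '[^/]*')  # stops at '/'
            i += 1
        elif c == '?':
            out.append('[^/]')                               # one non-'/' char
            i += 1
        elif c == '[' and pattern.find(']', i + 1) != -1:
            j = pattern.index(']', i + 1)
            out.append(pattern[i:j + 1])                     # class as written
            i = j + 1
        else:
            out.append(re.escape(c))                         # literal character
            i += 1
    return ''.join(out)


def rule_matches(rule_path: str, path: str) -> bool:
    """Does the rule's path glob cover `path`?  Directories end in '/'."""
    return re.fullmatch(aare_to_regex(rule_path), path) is not None


def classify(rule_path: str, paths):
    """Split the sample paths a rule covers into (files, directories)."""
    hits = [p for p in paths if rule_matches(rule_path, p)]
    return ([p for p in hits if not p.endswith('/')],
            [p for p in hits if p.endswith('/')])


# Constructed sample tree; directories carry the trailing slash.
SAMPLE_PATHS = ['/dir/', '/dir/file', '/dir/foo', '/dir/foo1', '/dir/afoo',
                '/dir/sub/', '/dir/sub/file', '/dir/foox/', '/dir/a/foo/']

if __name__ == '__main__':
    for rule in ('/dir/*', '/dir/**', '/dir/**/', '/dir/**[^/]', '/dir/foo?'):
        files, dirs = classify(rule, SAMPLE_PATHS)
        print(f'{rule:<12} files={files} dirs={dirs}')
```

Running it against the sample tree shows, for example, that /dir/**/ covers only the directories while /dir/**[^/] covers only the files, and that a /tmp/foo rule never grants /tmp/ itself.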