Flaw in profile attachment with ** ?

Seth Arnold seth.arnold at gmail.com
Tue Jun 22 12:46:28 BST 2010


I'm trying to track down:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/581525

Short version: /usr/bin/grotty was attached to the profile
/home/sarnold/Local/Io/**.

Long version:

I removed the /etc/init.d/origami profile that was triggering the bug
and rebooted.[1]

While writing my last email, I ran 'man 7 capabilities' and was very
surprised to see this in my logs:

[ 1522.241724] type=1503 audit(1277203315.363:78):  operation="open" pid=2915 parent=2913 profile="/home/sarnold/Local/io/**" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/usr/share/groff/1.20.1/font/devutf8/DESC"

Io (in ~/Local/Io/) is a neat little programming language I've been
toying with. It should be unrelated to groff.

/usr/bin/grotty is being attached to a profile with the name
/home/sarnold/Local/Io/**.

sarnold at haig:~$ strace -f -o /tmp/out man capabilities
sarnold at haig:~$ sudo aa-status
[sudo] password for sarnold:
apparmor module is loaded.
29 profiles are loaded.
28 profiles are in enforce mode.
   /etc/init.d/ushare
   /etc/init.d/ushare///bin/touch
   /etc/init.d/ushare///sbin/start-stop-daemon
   /etc/init.d/ushare///usr/bin/expr
   /etc/init.d/ushare///usr/bin/tput
   /home/sarnold/Local/io/**
   /sbin/dhclient3
   /usr/bin/cmake
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-thumbnailer
   /usr/bin/googleearth
   /usr/bin/irssi
   /usr/bin/make
   /usr/bin/origami
   /usr/bin/ushare
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/firefox-3.6.3/firefox-*bin
   /usr/lib/firefox-3.6.3/firefox-*bin//firefox_java
   /usr/lib/firefox-3.6.3/firefox-*bin//firefox_openjdk
   /usr/local/bin/echinus
   /usr/local/bin/ourico
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
   /usr/sbin/tinyproxy
   /usr/share/gdm/guest-session/Xsession
1 profiles are in complain mode.
   /sbin/usplash_write
15 processes have profiles defined.
15 processes are in enforce mode :
   /sbin/dhclient3 (1108)
   /usr/lib/firefox-3.6.3/firefox-*bin (2719)
   /usr/lib/firefox-3.6.3/firefox-*bin (2688)
   /usr/sbin/cupsd (1881)
   /usr/sbin/tinyproxy (1841)
   /usr/sbin/tinyproxy (1860)
   /usr/sbin/tinyproxy (1853)
   /usr/sbin/tinyproxy (1855)
   /usr/sbin/tinyproxy (1846)
   /usr/sbin/tinyproxy (1851)
   /usr/sbin/tinyproxy (1865)
   /usr/sbin/tinyproxy (1858)
   /usr/sbin/tinyproxy (1849)
   /usr/sbin/tinyproxy (1862)
   /usr/sbin/tinyproxy (1843)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
sarnold at haig:~$ grep /usr/share/groff/1.20.1/font/devutf8/DESC /tmp/out
2913  open("/usr/share/groff/1.20.1/font/devutf8/DESC", O_RDONLY <unfinished ...>
2914  open("/usr/share/groff/1.20.1/font/devutf8/DESC", O_RDONLY) = 3
2915  open("/usr/share/groff/1.20.1/font/devutf8/DESC", O_RDONLY) = -1 EACCES (Permission denied)
sarnold at haig:~$ grep Io /tmp/out
sarnold at haig:~$ grep Local /tmp/out
2900  read(3, "# Locale name alias data base.\n#"..., 4096) = 2570
2907  <... read resumed> "# Locale name alias data base.\n#"..., 4096) = 2570
2911  <... read resumed> "# Locale name alias data base.\n#"..., 4096) = 2570
2912  <... read resumed> "# Locale name alias data base.\n#"..., 4096) = 2570
sarnold at haig:~$ grep 2915 /tmp/out | grep exec
2915  execve("/usr/bin/grotty", ["grotty"], [/* 41 vars */] <unfinished ...>
2915  <... execve resumed> )            = 0

Here's the profile:

# Last Modified: Sun Jun 20 23:58:04 2010
#include <tunables/global>

/home/sarnold/Local/io/** {
  #include <abstractions/base>

  owner /home/*/Local/io/** mr,
  owner /dev/tty rw,
}

So my hunch is that ** in profile names is flaky.


[1] Funny story: I got no video from grub or anything past grub for
the first five or six reboots, and the machine rebooted on its own
several times. Oof. (I _really_ should have wondered before why I
never see grub. That'll be a fun todo item for tomorrow. Sigh.) But at
some point I finally got a getty that I could use to remove the
/etc/apparmor.d/etc.init.d.origami file, and after removing _that_,
then I was finally able to reboot back into X.

Thanks
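
As an added example (not part of Seth's mail or of the AppArmor project), a small Python triage script: it parses the kernel audit line and the strace execve lines quoted above, applies AppArmor's own globbing rules (`**` may span `/`, `*` and `?` may not), and reports a denial whose pid is running a binary that the confining profile's attachment pattern cannot match, which is exactly the symptom described. The sample input is the mail's own log data, re-typed as constants.

```python
import re

# Constructed test input: the audit line and strace execve lines quoted in the
# mail above, re-typed here (the audit line joined onto one line).
AUDIT_LINE = ('type=1503 audit(1277203315.363:78):  operation="open" pid=2915 '
              'parent=2913 profile="/home/sarnold/Local/io/**" requested_mask="::r" '
              'denied_mask="::r" fsuid=1000 ouid=0 '
              'name="/usr/share/groff/1.20.1/font/devutf8/DESC"')
STRACE_LINES = [
    '2915  execve("/usr/bin/grotty", ["grotty"], [/* 41 vars */] <unfinished ...>',
    '2915  <... execve resumed> )            = 0',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')   # key="v" or key=v
EXEC_RE = re.compile(r'^(\d+)\s+execve\("([^"]+)"')      # pid  execve("path"


def parse_audit(line):
    """Split an AppArmor audit line into its key=value fields."""
    return {qk or bk: qv if qk else bv
            for qk, qv, bk, bv in FIELD_RE.findall(line)}


def exec_map(strace_lines):
    """Map pid -> path passed to execve(), taken from 'strace -f' output."""
    return {int(m.group(1)): m.group(2)
            for m in map(EXEC_RE.match, strace_lines) if m}


def apparmor_glob_to_regex(pattern):
    """AppArmor globbing: '**' may cross '/', while '*' and '?' may not."""
    out, i = '', 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out, i = out + '.*', i + 2
        elif pattern[i] == '*':
            out, i = out + '[^/]*', i + 1
        elif pattern[i] == '?':
            out, i = out + '[^/]', i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile('^' + out + '$')


def unexpected_attachment(audit_line, strace_lines):
    """Return details when the denied pid runs a binary that the profile's
    attachment pattern does not match at all; None when confinement looks sane."""
    ev = parse_audit(audit_line)
    exe = exec_map(strace_lines).get(int(ev['pid']))
    if exe is None or apparmor_glob_to_regex(ev['profile']).match(exe):
        return None
    return {'pid': int(ev['pid']), 'exe': exe,
            'profile': ev['profile'], 'denied': ev['name']}
```

Run against the mail's data it reports pid 2915 (/usr/bin/grotty) confined by /home/sarnold/Local/io/**, a pattern that plainly does not cover that path.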
