Flaw in profile attachment with ** ?
John Johansen
john.johansen at canonical.com
Wed Jun 23 11:49:14 BST 2010
On 06/22/2010 08:12 PM, Seth Arnold wrote:
> On Tue, Jun 22, 2010 at 8:59 AM, John Johansen
> <john.johansen at canonical.com> wrote:
>>> So my hunch is that ** in profile names is flaky.
>>>
>> That is possible, though it does seem to work in general testing,
>> and I have not been able to reproduce this bug. :(
>
> Hrm. That doesn't bode well for me. :) But honestly, trying to write a
> test case to demonstrate that _all_ programs on the system remain
> unconfined except for the intentionally confined programs sounds
> difficult. (Not least of which, you've got to hit the exact right
> 'wrong' setup. Everything else in the man chain appeared to run
> correctly, I only ever saw grotty attached to the incorrect profile.
> So you've got to get enough different execs() during the testing to
> show the low probability of the mistake...)
>
Yes, doing an exhaustive exec test isn't feasible. I was actually planning
on, one, making the exact kernel matching engine available in userspace,
and, two, adding graphing of compiled/compressed DFAs; we do it already
for creation. The profile name DFA is small enough that it can be verified
by hand.