[apparmor] [PATCH] Profile unload fails on profile names with spaces

Steve Beattie steve at nxnw.org
Mon Nov 29 22:09:19 GMT 2010


Hi Christian,

On Sat, Nov 27, 2010 at 11:10:39PM +0100, Christian Boltz wrote:
> long time ago I reported 
> https://bugzilla.novell.com/show_bug.cgi?id=510740
> 
> It was fixed in openSUSE 11.2 with an update, but obviously nobody 
> pushed the patch upstream, and therefore the bug is back in 11.3 and 
> even in the 2.5.1 packages in the security:apparmor buildservice repo.
> 
> Short summary: Unloading of profiles with a space in the name fails, 
> therefore "rcapparmor stop" (or restart) causes a funny message - and 
> the profile is still loaded.
> 
> You might want to read the bug report (including comments 2 and 3) for 
> all the details - I learned a lot about bash's space handling of the 
> read command and what "echo: write error: No such file or directory" 
> (that's the exact error message) can mean besides the obvious meaning 
> while debugging this.
> 
> If you are in a hurry, just apply the attached patch to the file that is 
> installed as /lib/apparmor/rc.apparmor.functions.

Thanks, applied. I think the current kernel or parser code may have
other issues with trailing spaces in profile names; for example, loading
the following profile:

  "/does/not/existtt   " { #include <abstractions/base> }

on an Ubuntu Maverick kernel (2.6.35-23.37-server) and then grepping for
existt in /sys/kernel/security/apparmor/profiles results in:

  /does/not/existtt (enforce)

Dumping the debugging info via apparmor_parser -d makes it look like the
parser's front end is processing it correctly, but I can't tell if it's
the back end parser dropping the trailing spaces or if it's in the
kernel.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
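
The `read` word-splitting behaviour mentioned in the quoted report, as an added example (not the attached patch and not code from rc.apparmor.functions). The sample lines and function names are constructed; the lines follow the "name (mode)" layout shown above.

```shell
#!/bin/sh
# Constructed sample in the "name (mode)" layout of the profiles listing.
# Line 2 has a space inside the name; line 3 has two trailing spaces in it.
sample_profiles() {
    printf '%s\n' '/does/not/existtt (enforce)' \
                  '/opt/My App/bin/tool (complain)' \
                  '/tmp/trailing   (enforce)'
}

# Fragile: read splits on IFS whitespace, so the first variable stops at the
# first space and the rest of the name lands in "mode". A later unload would
# then be asked to remove a profile name that is not loaded.
naive_names() {
    while read profile mode; do
        printf '[%s]\n' "$profile"
    done
}

# Robust: IFS= and -r keep the line byte-for-byte (inner and trailing spaces,
# backslashes); only the shortest trailing " (...)" suffix is stripped.
robust_names() {
    while IFS= read -r line; do
        printf '[%s]\n' "${line% (*)}"
    done
}

echo "naive:";  sample_profiles | naive_names
echo "robust:"; sample_profiles | robust_names
```

The brackets in the output make surviving trailing spaces visible. Any consumer of the recovered name must also quote it ("$name") or the shell splits it again.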