[apparmor] [Bug 623467] Re: SubDomain.pm does not know about truncate, rename_src, and rename_dest operations

Jamie Strandboge jamie at ubuntu.com
Mon Mar 14 15:45:23 UTC 2011

** Changed in: apparmor (Ubuntu)
     Assignee: Leif Atle Vold (lvold7355) => (unassigned)

** Changed in: apparmor
     Assignee: Leif Atle Vold (lvold7355) => (unassigned)

** Changed in: apparmor
       Status: Incomplete => Fix Released

You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.

  SubDomain.pm does not know about truncate, rename_src, and rename_dest

Status in AppArmor Linux application security framework:
  Fix Released
Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Lucid:
  Fix Released

Bug description:

  1. Impact: affects ability of users/administrators trying to create or
  adjust their apparmor policies.

  2. Fixed in natty

  3. Patch to SubDomain.pm is small (other portions of the patch add
  testcases to the log parsing library to confirm that they handle the
  corresponding apparmor event messages) and adds four tests to an if-
  clause. See http://bazaar.launchpad.net/~apparmor-
  dev/apparmor/release-2.5/revision/1432 for upstream commit.


  (1) Add the attached empty test profile for /does/not/exist (named does.not.exist) to /etc/apparmor.d
  (2) Reload apparmor policy via "sudo /etc/init.d/apparmor reload"
  (3) Copy the test logfile to /tmp
  (4) Run logprof on the test logfile; e.g. "sudo logprof -f /tmp/testlog"

  In the unfixed version, logprof will not prompt the user for any
  rejections (it may ask about using the repository, answer disable or
  later). In the fixed version, logprof should ask about three different


  (select allow each time)

  5. Regression potential is low, as the patch adds additional cases to
  the apparmor perl library; it can only affect the tools used to adjust
  apparmor profiles.

  Binary package hint: apparmor

  While developing a test profile(s) for sshd on lucid using
  logprof/genprof, the following rejections in dmesg were never
  processed by the tools:

    [  878.662172] type=1503 audit(1282626827.320:411):  operation="truncate" pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/lib/update-notifier/release-upgrade-available"
    [  878.663410] type=1502 audit(1282626827.320:412):  operation="rename_src" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"
    [  878.663418] type=1502 audit(1282626827.320:413):  operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"

  I first looked at the log parsing library under the assumption that it
  didn't understand these operations. After adding testcases for each
  message, I confirmed that it does indeed understand them and parses
  them properly. Looking at SubDomain.pm, however, it does not know
  about these additional operation types.

More information about the AppArmor mailing list