[apparmor] alias rules broken for /{,var/}run/

John Johansen john.johansen at canonical.com
Tue Nov 1 04:32:50 UTC 2011


On 10/31/2011 06:11 PM, Christian Boltz wrote:
> Hello,
> 
> lots of profiles contain rules for /{,var/}run/ nowadays.
> 
> Unfortunately that breaks if /var is a symlink (to /home/sys-var in my 
> case) even if a correct alias rule is setup.
> 

Sigh, yes, it's due to how aliases are currently handled.  Currently they are
done in the front end before the expr parsing and DFA magic, which means
they can't cope with the
  /{,var/}
part of the rule.

It is something I have been working towards fixing, but I am not quite
there yet.  We could possibly add a simplified replacement in the
expr tree now, which could handle your case but wouldn't correctly
deal with

  /va*

or other such expressions.  I wish I could give you a better answer on
this.  I could elaborate on the 2 potential solutions I have been
evaluating, but I don't have an ETA on the fix.


> I'll paste the details from #apparmor:
> 
> [22:00] <cboltz> I get unexpected DENIED events in combination with aliases:
> [22:00] <cboltz> apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/avahi-daemon" name="/home/sys-var/run/avahi-daemon/" pid=14842 comm="avahi-daemon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
> [22:00] <cboltz> but I have in tunables/alias
> [22:01] <cboltz> alias /var/ -> /home/sys-var/,
> [22:01] <cboltz> and the profile for avahi-daemon allows write access to /var/run/avahi-daemon/ (original profile as in bzr)
> [22:01] <cboltz> is this a known or a new bug? ;-)
> [22:52] <sbeattie> cboltz: sorry, jjohansen and I are at the Ubuntu Developer Summit this week, so we're bouncing on and off irc.
> [22:53] <sbeattie> cboltz: not a known bug to me
> [22:54] <cboltz> then it must be a new one ;-)
> [22:56] <cboltz> I just found what causes it ;-)
> [22:57] <sbeattie> cboltz: oh?
> [22:57] <cboltz>  /{,var/}run/avahi-daemon/ w,   fails the alias replacement
> [22:57] <cboltz>  /var/run/avahi-daemon/ w,   works
> [23:00] <sbeattie> doh
> [23:01] <sbeattie> that's a result of aliases being more like a pre-processing step than a real semantic change.
> [23:02] <cboltz> looks like it should be a real semantic change *g*
> [23:03] <sbeattie> Feel free to raise the issue on the list or file a bug, though I'm not sure that it'd be an easy thing to address.
> [23:03] <cboltz> I'll send a mail
> [23:04] <sbeattie> cool, thanks!
> [23:04] <cboltz> just tell John that I found a bug again, and then enjoy the developer summit ;-)
> [23:04] <sbeattie> hehe
> [23:06] * sbeattie vanishes again
> 
> 
> 
> Regards,
> 
> Christian Boltz

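The following is an added illustration, not code from this thread or from the AppArmor parser: a small Python model of the two alias strategies John contrasts. `alias_prefix_rewrite` treats the alias as a textual pre-processing step on the raw rule, which is why the `/{,var/}` alternation slips past it, while `alias_after_expansion` expands the braces first and then applies the alias to each literal path, which handles Christian's `/{,var/}run/avahi-daemon/` case but, as John notes, still does nothing for a glob such as `/va*`. The alias, rule paths and the audit line are copied from the report above; everything else (the function names, the `**`/`*` glob translation, and the assumption that an alias adds the mapped path alongside the original rather than replacing it) is my own simplification.

```python
import re

# Constructed from the report above: the alias in tunables/alias and the
# audit line that was unexpectedly DENIED.
ALIASES = {"/var/": "/home/sys-var/"}
DENIED_LINE = ('apparmor="DENIED" operation="mkdir" parent=1 '
               'profile="/usr/sbin/avahi-daemon" '
               'name="/home/sys-var/run/avahi-daemon/" pid=14842 '
               'comm="avahi-daemon" requested_mask="c" denied_mask="c" '
               'fsuid=0 ouid=0')


def denied_name_from_log(line):
    """Pull the name="..." field out of an AppArmor audit line."""
    m = re.search(r'name="([^"]*)"', line)
    return m.group(1) if m else None


def expand_braces(pattern):
    """Expand AppArmor-style {a,b} alternations into the literal paths they
    denote; nested alternations are handled recursively."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth = 0
    for i in range(start, len(pattern)):
        if pattern[i] == "{":
            depth += 1
        elif pattern[i] == "}":
            depth -= 1
            if depth == 0:
                end = i
                break
    else:
        raise ValueError("unbalanced braces in %r" % pattern)
    head, body, tail = pattern[:start], pattern[start + 1:end], pattern[end + 1:]
    alts, cur, depth = [], "", 0
    for ch in body:                      # split body on top-level commas only
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            alts.append(cur)
            cur = ""
        else:
            cur += ch
    alts.append(cur)
    out = []
    for alt in alts:
        out.extend(expand_braces(head + alt + tail))
    return out


def alias_prefix_rewrite(rule_path, aliases=ALIASES):
    """Model of the current behaviour: aliases are applied as a textual
    prefix match on the raw rule, before brace expansion. A rule starting
    with '/{' never matches the '/var/' prefix, so no aliased copy is made."""
    out = [rule_path]
    for src, dst in aliases.items():
        if rule_path.startswith(src):
            out.append(dst + rule_path[len(src):])
    return out


def alias_after_expansion(rule_path, aliases=ALIASES):
    """Simplified fix: expand alternations first, then alias each literal
    path. Still a prefix match, so a glob like '/va*' gets no aliased copy."""
    out = []
    for p in expand_braces(rule_path):
        out.append(p)
        for src, dst in aliases.items():
            if p.startswith(src):
                out.append(dst + p[len(src):])
    return out


def glob_to_regex(glob):
    """Minimal AppArmor globbing: '**' may cross '/', '*' may not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile("^" + out + "$")


def rule_allows(rule_path, name, strategy, aliases=ALIASES):
    """True if the policy produced from rule_path by the given alias
    strategy covers the path reported in the audit log. Braces left in by
    the prefix strategy are expanded here, as the later DFA stage would."""
    for pattern in strategy(rule_path, aliases):
        for literal in expand_braces(pattern):
            if glob_to_regex(literal).match(name):
                return True
    return False


if __name__ == "__main__":
    name = denied_name_from_log(DENIED_LINE)
    for rule in ("/{,var/}run/avahi-daemon/", "/var/run/avahi-daemon/"):
        print(rule, "prefix:", rule_allows(rule, name, alias_prefix_rewrite),
              "expanded:", rule_allows(rule, name, alias_after_expansion))
```

Running it reproduces the IRC finding: with the prefix model only `/var/run/avahi-daemon/` covers the denied name, while expanding first makes the `/{,var/}` form work too; neither model produces an aliased counterpart for `/va*`.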