[apparmor] [Bug 623467] Re: SubDomain.pm does not know about truncate, rename_src, and rename_dest operations
Ubuntu QA's Bug Bot
bug-stats at murraytwins.com
Mon Sep 19 21:27:19 UTC 2011
** Tags added: testcase
--
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/623467
Title:
SubDomain.pm does not know about truncate, rename_src, and rename_dest
operations
Status in AppArmor Linux application security framework:
Fix Released
Status in “apparmor” package in Ubuntu:
Fix Released
Status in “apparmor” source package in Lucid:
Fix Released
Bug description:
SRU
1. Impact: affects ability of users/administrators trying to create or
adjust their apparmor policies.
2. Fixed in natty
3. Patch to SubDomain.pm is small (other portions of the patch add
testcases to the log parsing library to confirm that they handle the
corresponding apparmor event messages) and adds four tests to an if-clause.
See http://bazaar.launchpad.net/~apparmor-dev/apparmor/release-2.5/revision/1432
for upstream commit.
4. TEST CASE
(1) Add the attached empty test profile for /does/not/exist (named does.not.exist) to /etc/apparmor.d
(2) Reload apparmor policy via "sudo /etc/init.d/apparmor reload"
(3) Copy the test logfile to /tmp
(4) Run logprof on the test logfile; e.g. "sudo logprof -f /tmp/testlog"
In the unfixed version, logprof will not prompt the user for any
rejections (it may ask about using the repository, answer disable or
later). In the fixed version, logprof should ask about three different
rejections:
/var/lib/update-notifier/release-upgrade-available
/var/run/motd
/var/run/motd.new
(select allow each time)
5. Regression potential is low, as the patch adds additional cases to
the apparmor perl library; it can only affect the tools used to adjust
apparmor profiles.
Binary package hint: apparmor
While developing test profile(s) for sshd on lucid using
logprof/genprof, the following rejections in dmesg were never
processed by the tools:
[ 878.662172] type=1503 audit(1282626827.320:411): operation="truncate" pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/lib/update-notifier/release-upgrade-available"
[ 878.663410] type=1502 audit(1282626827.320:412): operation="rename_src" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"
[ 878.663418] type=1502 audit(1282626827.320:413): operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"
I first looked at the log parsing library under the assumption that it
didn't understand these operations. After adding testcases for each
message, I confirmed that it does indeed understand them and parses
them properly. Looking at SubDomain.pm, however, it does not know
about these additional operation types.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/623467/+subscriptions
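The parsing gap this report describes, as an added Python example (not the Perl SubDomain.pm code and not the project's log parsing library): it parses audit lines in the format quoted above and only surfaces rejections whose operation is in a recognised set, which is how a tool unaware of truncate/rename_src/rename_dest silently drops them. The baseline set containing only "open" and the fourth control log line are constructed for illustration; the first three sample lines mirror the bug's rejections.

```python
import re

# Constructed sample in the same format as the dmesg lines quoted in the bug.
# Lines 1-3 mirror the bug's three rejections; line 4 is a constructed "open"
# rejection used as a control case.
SAMPLE_LOG = """\
[  878.662172] type=1503 audit(1282626827.320:411): operation="truncate" pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/lib/update-notifier/release-upgrade-available"
[  878.663410] type=1502 audit(1282626827.320:412): operation="rename_src" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"
[  878.663418] type=1502 audit(1282626827.320:413): operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"
[  880.100000] type=1502 audit(1282626829.100:414): operation="open" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/motd"
"""

# key=value pairs: quoted values may contain spaces, bare values may not.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_AUDIT_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):')

# Hypothetical "before" set: a tool that only treats "open" as a file
# operation. The "after" set adds the three operations from the bug title.
BASELINE_FILE_OPS = frozenset({"open"})
FIXED_FILE_OPS = BASELINE_FILE_OPS | {"truncate", "rename_src", "rename_dest"}


def parse_audit_line(line):
    """Return a dict of fields for one AppArmor audit line, or None otherwise."""
    m = _AUDIT_RE.search(line)
    if m is None:
        return None
    fields = {"timestamp": m.group("ts"), "serial": int(m.group("serial"))}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def denied_file_events(log_text, file_ops):
    """Return (profile, operation, name, denied_mask) for each rejection whose
    operation is in file_ops. Anything else is skipped without a trace, which
    is exactly how an unaware tool loses the events this bug is about."""
    events = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or "denied_mask" not in f:
            continue
        if f.get("operation") in file_ops:
            events.append((f["profile"], f["operation"], f["name"], f["denied_mask"]))
    return events


if __name__ == "__main__":
    for label, ops in (("unfixed", BASELINE_FILE_OPS), ("fixed", FIXED_FILE_OPS)):
        print(label, denied_file_events(SAMPLE_LOG, ops))
```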