[apparmor] [PATCH 1/3] Fix change_onexec for profiles without attachment specification

Steve Beattie steve at nxnw.org
Wed Apr 11 22:28:33 UTC 2012


On Wed, Apr 11, 2012 at 01:53:40PM -0700, John Johansen wrote:
> This fix is needed for the userspace portion of both
> BugLink: http://bugs.launchpad.net/bugs/963756
> BugLink: http://bugs.launchpad.net/bugs/978038
> 
> change_onexec fails for profiles that don't have an attachment specification
>   eg. unconfined
> 
> This is because change_onexec goes through 2 permission checks.  The first
> at the api call point, which is a straight match of the profile name
> 
>   eg.
>     /bin/foo
>     unconfined
> 
> and a second test at exec time, tying the profile to change to to the
> exec.  This allows restricting the transition to specific execs.  This
> is mapped as a two entry check
> 
>   /executable/name\x00profile_name
> 
> where the executable name must be marked with the change_onexec permission
> and the subsequent profile name as well.
> 
> The previous "fix" only covered adding onexec to executable names and
> also works for the initial change_onexec request when the profile is
> an executable.
> 
> However it does not fix the case for when the profile being transitioned
> to is not an executable.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

I think this is okay. Acked-By: Steve Beattie <sbeattie at ubuntu.com>

> ---
>  parser/parser_regex.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> index c774372..0ba8114 100644
> --- a/parser/parser_regex.c
> +++ b/parser/parser_regex.c
> @@ -525,7 +525,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
>  		vec[index++] = tbuf;
>  
>  		/* regular change_profile rule */
> -		if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, index - 1, &vec[1], dfaflags))
> +		if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
>  			return FALSE;
>  		/* onexec rules - both rules are needed for onexec */
>  		if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, 1, vec, dfaflags))
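Review bot: the comment `/* regular change_profile rule */` above the first aare_add_rule_vec call is now stale, since the rule added over `&vec[1]` carries `AA_CHANGE_PROFILE | AA_ONEXEC` and is what lets the profile-name half of the two-entry exec-time check (the `profile_name` part after the `\x00` separator in the description above) succeed for targets that are not executables, such as `unconfined`. Suggest rewording it to something like `/* change_profile rule; also carries AA_ONEXEC so the profile name passes the exec-time onexec check */` and widening the `both rules are needed for onexec` remark on the second call so a later reader does not drop the flag again. A parser regression test with a change_profile rule whose target is a non-attachment profile name would guard the case the two BugLinks describe.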
> -- 
> 1.7.9.1
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/