[apparmor] [PATCH 1/3] Fix change_onexec for profiles without attachment specification

John Johansen john.johansen at canonical.com
Wed Apr 11 22:46:53 UTC 2012


On 04/11/2012 03:28 PM, Steve Beattie wrote:
> On Wed, Apr 11, 2012 at 01:53:40PM -0700, John Johansen wrote:
>> This fix is needed for the userspace portion of both
>> BugLink: http://bugs.launchpad.net/bugs/963756
>> BugLink: http://bugs.launchpad.net/bugs/978038
>>
>> change_onexec fails for profiles that don't have an attachment specification,
>>   e.g. unconfined
>>
>> This is because change_onexec goes through 2 permission checks.  The first
>> at the api call point, which is a straight match of the profile name
>>
>>   e.g.
>>     /bin/foo
>>     unconfined
>>
>> and a second test at exec time, tying the profile to change to, to the
>> exec.  This allows restricting the transition to specific execs.  This
>> is mapped as a two entry check
>>
>>   /executable/name\x00profile_name
>>
>> where the executable name must be marked with the change_onexec permission
>> and the subsequent profile name as well.
>>
>> The previous "fix" only covered adding onexec to executable names and
>> also works for the initial change_onexec request when the profile is
>> an executable.
>>
>> However it does not fix the case for when the profile being transitioned
>> to is not an executable.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
> 
> I think this is okay. Acked-By: Steve Beattie <sbeattie at ubuntu.com>
> 
I forgot to mention/include the regression tests, though they require a couple
of kernel patches as well :/

>> ---
>>  parser/parser_regex.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
>> index c774372..0ba8114 100644
>> --- a/parser/parser_regex.c
>> +++ b/parser/parser_regex.c
>> @@ -525,7 +525,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
>>  		vec[index++] = tbuf;
>>  
>>  		/* regular change_profile rule */
>> -		if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, index - 1, &vec[1], dfaflags))
>> +		if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
>>  			return FALSE;
>>  		/* onexec rules - both rules are needed for onexec */
>>  		if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, 1, vec, dfaflags))
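Review bot: the comment `/* regular change_profile rule */` directly above the changed call is now stale, since the rule it labels is added with `AA_CHANGE_PROFILE | AA_ONEXEC` rather than plain change_profile; consider rewording it to say that the profile-name entry (`&vec[1]`, `index - 1` parts) also needs the onexec bit so the exec-time two-entry `exec\x00profile` match succeeds even when the profile is not an executable path, as the commit message explains. Since the commit message states the previous fix only covered executable names, a regression test that performs change_onexec to a profile without an attachment specification (e.g. unconfined) would make the intent of this one-line change verifiable.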
>> -- 
>> 1.7.9.1
>>
>>
>> -- 
>> AppArmor mailing list
>> AppArmor at lists.ubuntu.com
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
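The commit message describes change_onexec as two permission checks: a straight match on the profile name at the API call, then a two-entry match of `exec\x00profile` at exec time in which both the executable name and the profile name must carry the onexec bit. The following is an added, constructed model of that logic (not the AppArmor parser or kernel code; the bit values, rule dictionary and function names are assumptions) that reproduces why a target like `unconfined` failed before the patch and passes after it:

```python
# Constructed model of the two change_onexec permission checks described in
# the patch above. Not AppArmor code: the permission bit values, the rule
# store (a dict of name -> permission bits) and the helper names are
# assumptions made for this illustration only.

AA_CHANGE_PROFILE = 0x1  # assumed bit value
AA_ONEXEC = 0x2          # assumed bit value


def compile_change_profile_rules(exec_name, profile_name, fixed,
                                 onexec_executables=()):
    """Model of how process_dfa_entry turns one change_profile entry into
    rules.  vec[0] is the executable name, vec[1:] the profile name.

    fixed=False models the pre-patch parser: the profile-name rule only
    carries AA_CHANGE_PROFILE.  fixed=True models the patch: the same rule
    carries AA_CHANGE_PROFILE | AA_ONEXEC.

    onexec_executables models the earlier "fix" the commit message mentions,
    which granted onexec to executable names that appear in exec rules.
    """
    rules = {}
    # "regular change_profile rule" over vec[1:] (the profile name)
    profile_perms = AA_CHANGE_PROFILE | (AA_ONEXEC if fixed else 0)
    rules[profile_name] = rules.get(profile_name, 0) | profile_perms
    # "onexec rule" over vec[0:1] (the executable name)
    rules[exec_name] = rules.get(exec_name, 0) | AA_ONEXEC
    # executables that already got onexec from the earlier fix
    for name in onexec_executables:
        rules[name] = rules.get(name, 0) | AA_ONEXEC
    return rules


def check_api_call(rules, profile_name):
    """First check, at the change_onexec API call: a straight match of the
    profile name against change_profile."""
    return bool(rules.get(profile_name, 0) & AA_CHANGE_PROFILE)


def check_exec_time(rules, exec_name, profile_name):
    """Second check, at exec time: the two-entry match exec\\x00profile.
    Both entries must carry the onexec bit."""
    entries = (exec_name + "\x00" + profile_name).split("\x00")
    return all(rules.get(entry, 0) & AA_ONEXEC for entry in entries)


def change_onexec_allowed(exec_name, profile_name, fixed,
                          onexec_executables=()):
    """Return True if both checks pass for the given rule generation."""
    rules = compile_change_profile_rules(exec_name, profile_name, fixed,
                                         onexec_executables)
    return (check_api_call(rules, profile_name)
            and check_exec_time(rules, exec_name, profile_name))


if __name__ == "__main__":
    # Profile with no attachment specification: fails before, passes after.
    print("unconfined, pre-patch :",
          change_onexec_allowed("/bin/foo", "unconfined", fixed=False))
    print("unconfined, patched   :",
          change_onexec_allowed("/bin/foo", "unconfined", fixed=True))
    # Profile that is itself an executable covered by the earlier fix:
    # passes even pre-patch, matching the commit message's description.
    print("/bin/bar, pre-patch   :",
          change_onexec_allowed("/bin/foo", "/bin/bar", fixed=False,
                                onexec_executables=("/bin/bar",)))
```

The model makes the asymmetry explicit: the executable-name entry always gets onexec from the second `aare_add_rule_vec` call, but the profile-name entry only gets it if something else grants it, which is exactly what the one-bit change in the patch supplies.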