[apparmor] debugging aa_change_profile

Steve Beattie steve at nxnw.org
Fri Apr 27 07:03:20 UTC 2012

Hi Jeroen,

On Thu, Apr 26, 2012 at 04:20:54PM -0700, Jeroen Ooms wrote:
> Thank you. I was planning on switching to 12.04 as soon as it is
> released, so hopefully that will fix my problem.
> One final issue: I managed to switch into a profile using
> aa_change_profile, and into a hat (subprofile) using aa_change_hat.
> However, whenever I try to return out of the subprofile, my process is
> killed.
> I suspect the following: does the magic token just need to be the same
> value, or does it actually have to point to exactly the same object?
> The latter is very hard to do in R, because it makes copies of objects
> before passing them to C.
> I put a copy of the updated package and some testing code here:
> https://github.com/jeroenooms/rApparmor/tree/master/test

As John said, aa_change_hat() merely requires the same value to
be passed in, not a pointer to the same memory location. Looking
at the git tree, you're once again hitting a type mis-match:
aa_change_hat_wrapper() and aa_revert_hat_wrapper() take a pointer
to an unsigned long (unsigned long*) as argument but then pass that
_pointer_ when calling aa_change_hat(). This type error is covered up by
casting the magic_token pointer to a long in the aa_change_hat() call;
without the cast, gcc tells you about the mismatch:

  gcc -std=gnu99 -I/usr/share/R/include      -fpic  -O3 -pipe  -g -c aa_change_hat_wrapper.c -o aa_change_hat_wrapper.o
  aa_change_hat_wrapper.c: In function ‘aa_change_hat_wrapper’:
  aa_change_hat_wrapper.c:10:3: warning: passing argument 2 of ‘aa_change_hat’ makes integer from pointer without a cast [enabled by default]
  /usr/include/sys/apparmor.h:36:12: note: expected ‘long unsigned int’ but argument is of type ‘long unsigned int *’

Here's a patch that fixes this up:

diff --git a/src/aa_change_hat_wrapper.c b/src/aa_change_hat_wrapper.c
index ef5c701..0040d3b 100644
--- a/src/aa_change_hat_wrapper.c
+++ b/src/aa_change_hat_wrapper.c
@@ -7,7 +7,7 @@
 void aa_change_hat_wrapper (int *ret, char **subprofile, unsigned long* magic_token) {
   printf("Setting Apparmor Hat...\n");  
-  *ret = aa_change_hat (*subprofile,  (long) magic_token);
+  *ret = aa_change_hat (*subprofile,  *magic_token);
   if(ret != 0){
     *ret = errno;
diff --git a/src/aa_revert_hat_wrapper.c b/src/aa_revert_hat_wrapper.c
index 5cf0e59..367982b 100644
--- a/src/aa_revert_hat_wrapper.c
+++ b/src/aa_revert_hat_wrapper.c
@@ -7,8 +7,8 @@
 void aa_revert_hat_wrapper (int *ret, unsigned long* magic_token) {
   printf("Trying to revert AppArmor Hat...\n");
-  char *nothing;    
-  *ret = aa_change_hat (nothing,  (long) magic_token);  
+  char *nothing;
+  *ret = aa_change_hat (nothing, *magic_token);
   if(ret != 0){
     *ret = errno;

With that patch applied I was able to change into and out of hats
successfully from R.

For your test profile, I added the following audit qualifiers so that I
knew when things were getting rejected:

diff --git a/test/myprofile b/test/myprofile
index 80a7d02..5aaff89 100644
--- a/test/myprofile
+++ b/test/myprofile
@@ -14,7 +14,7 @@ profile myprofile {
 	/ rw,
 	/** mrwlkix,
-	deny /etc/passwd rwx,
+	audit deny /etc/passwd rwx,
 	^myhat {
@@ -30,7 +30,7 @@ profile myprofile {
 		/ rw,
 		/** mrwlkix,
-		deny /etc/passwd rwx,
-		deny /etc/group rwx,		
+		audit deny /etc/passwd rwx,
+		audit deny /etc/group rwx,		
\ No newline at end of file

(Not having any clue what I'm doing with R, I never could figure out
how to make test.R run without stopping on the first permission denial;
but it worked to manually copy+waste the commands from it. Cluesticks

Steve Beattie
<sbeattie at ubuntu.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120427/79ab9a44/attachment.pgp>

More information about the AppArmor mailing list