[apparmor] [Bug 1021967] [NEW] genprof doesn't escape special characters
Christian Boltz
1021967 at bugs.launchpad.net
Fri Jul 6 23:16:09 UTC 2012
Public bug reported:

(copy&paste from my mail on the apparmor ML)

Just curious - how would that profile name look as filename for
/etc/apparmor.d/ ? Hmm, let's try...

    # aa-genprof '/**'
    /** does not exist, please double-check the path.

OK, I'm feeling adventurous ;-)

    # touch '/**'
    # aa-genprof '/**'

The result was the file /etc/apparmor.d/** with

    /** flags=() { ... }

In other words: genprof doesn't seem to replace any special character.
Maybe it better should :-/

It should probably also do some escaping in the profile name. My example
was a bit ;-) extreme, but imagine someone is crazy enough to have a
binary called '/bin/b*' and wants to create a profile for it (which is
basically a good idea with such a filename ;-)

The result will be a profile for '/bin/b*' which includes things like
/bin/bash... Do I need to say more? ;-)

(needless to say that I practised unloading the /** profile via the
/sys/kernel/security/apparmor/.remove interface afterwards because it
was the only working option ;-)

** Affects: apparmor
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1021967
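
An added example, not part of the bug report and not AppArmor's own code: a sketch of the escaping the report asks for, showing that the raw name '/bin/b*' attaches to /bin/bash while the backslash-escaped name only matches the literal path. All function names are hypothetical, the glob matcher is a simplified model ('*' and '?' stop at '/', '**' does not; character classes and alternation are not modelled), and the hex encoding used for the file name is an assumption of this example.

```python
import re

# Glob metacharacters in AppArmor profile names and path rules; a backslash
# makes the following character literal.
GLOB_META = set('*?[]{}\\')

def escape_profile_name(path):
    """Backslash-escape glob characters so the name matches only `path`."""
    return ''.join('\\' + c if c in GLOB_META else c for c in path)

def glob_to_regex(glob):
    """Simplified model of the globbing: '*' and '?' stop at '/', '**' does
    not. Character classes and {a,b} alternation are not modelled."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == '\\' and i + 1 < len(glob):   # escaped char: literal
            out.append(re.escape(glob[i + 1]))
            i += 2
        elif glob.startswith('**', i):
            out.append('.*')
            i += 2
        else:
            out.append('[^/]*' if c == '*' else '[^/]' if c == '?' else re.escape(c))
            i += 1
    return re.compile(''.join(out) + r'\Z', re.DOTALL)

def attaches(profile_name, exe_path):
    """True if a profile with this name would attach to exe_path."""
    return glob_to_regex(profile_name).match(exe_path) is not None

def profile_filename(path):
    """File name under /etc/apparmor.d/: drop the leading '/', turn '/' into
    '.', and hex-encode everything else outside [A-Za-z0-9.-] (the encoding
    is an assumption of this example)."""
    flat = path.lstrip('/').replace('/', '.')
    return re.sub(r'[^A-Za-z0-9.-]', lambda m: '_%02x' % ord(m.group()), flat)

if __name__ == '__main__':
    for path in ('/bin/b*', '/**'):          # constructed sample paths from the report
        safe = escape_profile_name(path)
        print(path, '->', safe, '| file:', profile_filename(path))
        print('  raw name attaches to /bin/bash:    ', attaches(path, '/bin/bash'))
        print('  escaped name attaches to /bin/bash:', attaches(safe, '/bin/bash'))
```
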