[apparmor] AA-logprof error

Christian Boltz apparmor at cboltz.de
Wed Oct 30 21:18:33 UTC 2019


Hello,

On Wednesday, 30 October 2019, 08:08:45 CET, Jacek wrote:
> Log from command aa-logprof -f /var/log/apparmor.log:
> https://pastebin.com/raw/1887Semy

Thanks, that helped :-)


Reproducer:

a) have the following profile:

profile chrome-sandbox {
  ptrace read peer=/opt/google/\*/chrome,
}

b) run

aa-logprof -f <(echo '[  116.472008] audit: type=1400 audit(1572414763.823:331): apparmor="DENIED" operation="ptrace" profile="chrome-sandbox" pid=9310 comm="chrome-sandbox" requested_mask="read" denied_mask="read" peer="chrome"') -d ../profiles/apparmor.d/

(the -d part is only needed for my test setup)


Note the \* part in the profile - this looks wrong because I don't 
believe there's a directory named * under /opt/google/ ;-)  My guess 
is that the rule was meant as /opt/google/<whatever>/chrome.

Workaround: adjust/fix the rule to
  ptrace read peer=/opt/google/*/chrome,
(= remove the backslash)

Now the interesting question is how you got that strange (and most
probably wrong) rule.
- If you created the profile yourself, did you use the aa-* tools or an
  editor?
- If the profile is shipped by a package, please open a bug report and
  ask to get the backslash removed.

Please also check the whole profile - if there are multiple rules with a
"wrong" backslash, only removing one won't help too much ;-)


Now that I have a reproducer, I'll look into fixing the crash.
Unfortunately the code that converts rules to regexes is interesting[tm], 
which means it might take some time until I can come up with a patch.
As far as I already know / found out, * gets replaced by
(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))   (which hopefully means "one or 
more chars, but no /"). Now I'll "only" need to find a sane way to handle 
\* in a(n even more) special way...


Regards,

Christian Boltz
-- 
> Be aware that a s390x / and most ppc64 are not a smart phones
> nor net books.
They just don't fit into the pocket. :)
[> Dr. Werner Fink and Kay Sievers in opensuse-factory]
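Added illustration (not part of the mail above, and not the AppArmor project's own converter): a small Python re-implementation of the `*` substitution the mail quotes, enough to show why `/opt/google/*/chrome` matches one path component while the escaped `\*` in the broken rule only matches a directory literally named `*`. Only backslash escapes and a single `*` are handled; the real tools also handle `**`, `?`, `{a,b}` and character classes, which are out of scope here. `STAR_RE` is copied from the mail; `apparmor_glob_to_regex` and `matches` are hypothetical helper names.

```python
import re

# Regex that the mail reports AppArmor's tools substitute for an unescaped "*"
# (copied verbatim from the mail, not re-derived here). After a "/", it wants
# one or more non-slash chars; elsewhere, zero or more non-slash chars.
STAR_RE = r'(((?<=/)[^/\x00]+)|((?<!/)[^/\x00]*))'


def apparmor_glob_to_regex(glob: str) -> str:
    """Translate a tiny subset of AppArmor path-glob syntax to a Python regex.

    Handles only backslash escapes (so '\\*' becomes a literal '*'),
    the single '*' wildcard, and literal characters. Illustrative only;
    the project's converter handles far more syntax than this.
    """
    out = []
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == '\\' and i + 1 < len(glob):
            # Escaped character: match it literally, whatever it is.
            # This is what turns "\*" into a match for a directory named "*".
            out.append(re.escape(glob[i + 1]))
            i += 2
        elif c == '*':
            out.append(STAR_RE)
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return '^' + ''.join(out) + '$'


def matches(glob: str, path: str) -> bool:
    """True if the AppArmor-style glob matches the whole path."""
    return re.fullmatch(apparmor_glob_to_regex(glob), path) is not None


if __name__ == "__main__":
    # Constructed sample paths to show the difference between "*" and "\*".
    for glob in ('/opt/google/*/chrome', r'/opt/google/\*/chrome'):
        for path in ('/opt/google/chrome/chrome',   # one component: only "*" matches
                     '/opt/google/a/b/chrome',      # two components: neither matches
                     '/opt/google//chrome',         # empty component: neither matches
                     '/opt/google/*/chrome'):       # literal "*" dir: only "\*" matches
            print(f'{glob:28} {path:28} {matches(glob, path)}')
```

Running the block prints a 2x4 table; the single-`*` rule accepts exactly one non-empty path component, while the backslash-escaped rule accepts only a directory whose name is the one-character string `*`, which is why the mail calls that rule "most probably wrong".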