apparmor_parser does not handle quoted files with braces in their name

Bug #1949381 reported by Ian Johnson
Affects: AppArmor
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

AppArmor does not successfully compile a profile with a rule like this:

```
profile foo (attach_disconnected) {

"/foobar/some-path-with-braces-}{" rw,

}
```

It complains thusly:

```
$ sudo apparmor_parser -r foo.bin
apparmor_parser: Regex grouping error: Invalid number of items between {}
apparmor_parser: Regex grouping error: Invalid close }, no matching open { detected
apparmor_parser: Unable to parse input line '/foobar/some-path-with-braces-}{'
ERROR processing regexs for profile foo, failed to load
```

It was my understanding that since the braces are inside a quoted path, the braces would effectively be ignored.

I'm not sure if this specific problem can be abused into an active vulnerability, so I'm filing this as a private bug until it can be analyzed to explain that it is not able / likely to be abused.

FYI, this came about as investigation into https://bugs.launchpad.net/bugs/1949368, which currently is also a private security bug.

John Johansen (jjohansen) wrote :

Quoting in apparmor does not disable globbing, nor variable expansion. It only allows for certain characters to be included in a name like whitespace.

To deal with regex characters you need to escape them if a literal match is needed.

```
   "/foobar/some-path-with-braces-\}\{" rw,
```

information type: Private Security → Public
Ian Johnson (anonymouse67) wrote :

@jjohansen, so to match a literal file with -}{, should it be both escaped and quoted, or is it sufficient to just escape? If we were aiming for maximum safety in only allowing a very specific file pattern literally, should we just escape, or should we also add quotes too?

John Johansen (jjohansen) wrote :

Escaping the literals is sufficient. You can certainly add quotes to not have to worry about ws.
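As an added example (not code from this bug report or from the AppArmor project), the following Python helper does what the two replies above describe: it backslash-escapes metacharacters so a path matches literally, wraps the result in quotes for whitespace, and offers a lint check that flags paths which were quoted but not escaped, such as the one in the bug description. The set of characters treated as metacharacters (`* ? [ ] { } ,` plus the backslash itself) is an assumption based on AppArmor's globbing, alternation and `@{VAR}` syntax; the function and variable names are mine and not part of any AppArmor tool.

```python
"""Escape literal paths for AppArmor file rules and lint quoted-but-unescaped ones.

Added example for bug #1949381; not AppArmor project code.
Assumption: the metacharacter set below is what must be escaped for a literal
match. Quoting a path protects whitespace only; it does not disable globbing
or variable expansion.
"""
from __future__ import annotations

# Characters the AppArmor parser treats specially inside a path (assumed set):
#   * ?      glob wildcards
#   [ ]      character classes such as [abc] or [a-c]
#   { } ,    alternation groups such as {ab,cd}; braces also form @{VAR} references
#   \        the escape character itself
AA_METACHARS = frozenset('*?[]{},\\')


def aa_escape_path(path: str) -> str:
    """Return PATH with every metacharacter preceded by a backslash.

    '/foobar/some-path-with-braces-}{' -> '/foobar/some-path-with-braces-\\}\\{'
    """
    return ''.join('\\' + c if c in AA_METACHARS else c for c in path)


def aa_path_rule(path: str, perms: str = 'rw') -> str:
    """Build a file rule that matches PATH literally.

    Escaping is what neutralises the metacharacters; the quotes only allow
    whitespace in the name, so a literal double quote is escaped as well.
    """
    escaped = aa_escape_path(path).replace('"', '\\"')
    return f'"{escaped}" {perms},'


def unescaped_metachars(rule_path: str) -> list[tuple[int, str]]:
    """Return (index, char) pairs for metacharacters in RULE_PATH that are not
    escaped, after stripping surrounding double quotes.

    Quotes are stripped deliberately: a profile author who wrote
    "/foo-}{" believing the quotes protect the braces should still get a hit.
    """
    body = rule_path
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]
    hits: list[tuple[int, str]] = []
    i = 0
    while i < len(body):
        c = body[i]
        if c == '\\':
            i += 2          # backslash escapes the next character; skip both
            continue
        if c in AA_METACHARS:
            hits.append((i, c))
        i += 1
    return hits


if __name__ == '__main__':
    # Constructed sample: the path from the bug description.
    bad_path = '/foobar/some-path-with-braces-}{'
    print('quoted only :', unescaped_metachars(f'"{bad_path}"'))
    print('escaped rule:', aa_path_rule(bad_path))
    print('after escape:', unescaped_metachars(f'"{aa_escape_path(bad_path)}"'))
```

Running the module prints the two unescaped braces found in the quoted-only form, the rule `"/foobar/some-path-with-braces-\}\{" rw,` that the maintainer suggested, and an empty lint result for the escaped form. The lint function is also useful on existing profiles: feed it the path part of each file rule and treat any hit that was not intended as a glob as a rule that matches more than one literal name.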
