Ubuntu
linux package

apparmor aa_change_onexec doesn't work

Bug #692821 reported by Seth Arnold
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Invalid
Undecided
Unassigned
Lucid
Won't Fix
Medium
John Johansen
Ubuntu lucid-updates
Maverick
Fix Released
Undecided
Unassigned
Natty
Invalid
Undecided
Unassigned

Bug Description

libapparmor provides an aa_change_onexec(3) function which writes into /proc/self/attr/exec file, which is managed by a loaded security module. aa_change_onexec(3) requires the AppArmor module be loaded. (Source for this routine is in package libapparmor, src/change_hat.c.)

The provided program and profile will demonstrate the problem.

Save the profile into /etc/apparmor.d/test_onexec

Load the profile with: sudo apparmor_parser --replace /etc/apparmor.d/test_onexec

Compile the program with: gcc -o aa-change aa-change.c -lapparmor

Run the program as follows:

$ ./aa-change profile test_onexec 'head -1 /etc/passwd ; cat /proc/self/attr/current'
Currently running in domain 'test_onexec (enforce)'
sh: head: Permission denied
test_onexec (enforce)
$ ./aa-change exec test_onexec 'head -1 /etc/passwd ; cat /proc/self/attr/current'
Will transition to 'test_onexec (enforce)' domain on exec()
root:x:0:0:root:/root:/bin/bash
unconfined

'profile' uses aa_change_profile(3) to immediate change into the test_onexec profile. 'head' cannot execute, and 'cat' is confined with the test_onexec profile.

'exec' uses aa_change_onexec(3) to change into the test_onexec profile at the next exec(2) call. 'head' runs (it should fail) and reads /etc/passwd (which should also fail). The 'cat' process is unconfined. Thus the aa_change_onexec(3) has failed. Output should be very similar to 'profile' case.

$ uname -a
Linux haig 2.6.32-26-generic #47-Ubuntu SMP Wed Nov 17 15:58:05 UTC 2010 x86_64 GNU/Linux
$ cat /proc/version_signature
Ubuntu 2.6.32-26.47-generic 2.6.32.24+drm33.11
$

dmesg will include lines like the following:
type=1505 audit(1292894196.363:299): operation="profile_load" pid=5543 name="test_onexec"
type=1503 audit(1292894419.381:301): operation="exec" pid=5592 parent=5590 profile="test_onexec" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/head"

While watching dmesg output you can confirm that the 'exec' mode of the test program doesn't reject execution of /usr/bin/head, while the 'profile' mode of the test program does reject execution of /usr/bin/head.

Feel free to close WONTFIX if fixing this is beyond the scope of LTS. (I want to save others time in the future when this issue is discovered by someone else.)

Revision history for this message
Seth Arnold (seth-arnold) wrote :
Revision history for this message
Seth Arnold (seth-arnold) wrote :
Revision history for this message
Seth Arnold (seth-arnold) wrote :
Revision history for this message
Seth Arnold (seth-arnold) wrote :
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Okay, I finally got a 10.10 virtual image installed and can confirm that this bug has been fixed in 10.10.

Jamie Strandboge (jdstrand)
Changed in linux (Ubuntu Maverick):
status: New → Fix Released
Changed in linux (Ubuntu Lucid):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → Medium
milestone: none → lucid-updates
status: New → Triaged
Changed in linux (Ubuntu Natty):
status: New → Invalid
Revision history for this message
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in linux (Ubuntu Lucid):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.