aa-logprof: doesn't parse new null profile syntax

Bug #446524 reported by Marc Deslauriers
Affects            Status        Importance  Assigned to    Milestone
apparmor (Ubuntu)  Fix Released  High        John Johansen
Karmic             Fix Released  High        John Johansen

Bug Description

Binary package hint: apparmor

New AppArmor kernel space changed the log format of "null" profiles, replacing the "null-profile/null-complain-profile" previously used. aa-logprof doesn't understand the new format and parses it as a hat.

example:
type=APPARMOR_ALLOWED msg=audit(1255021936.088:5824): operation="open" pid=26965 parent=26954 profile="/usr/bin/kopete//null-20" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/group"
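
The misparse described above comes from splitting the profile field on "//", which is the hat separator, so "null-20" looks like a hat of /usr/bin/kopete. The following is an added example, written for this page and not the patch to utils/SubDomain.pm that closed the bug (Python is used here for illustration; the utility was Perl at the time). It parses the audit fields and then classifies the profile field so that a "//null-N" child is attributed to its parent profile rather than treated as a hat. The first sample line mirrors the one in the report; the other two lines, and the pattern used to recognise null profile names, are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines. The first mirrors the example in the bug
# report; the other two are hypothetical, written to contrast a real hat
# with the old-style standalone null profile name.
SAMPLE_LINES = [
    'type=APPARMOR_ALLOWED msg=audit(1255021936.088:5824): operation="open" '
    'pid=26965 parent=26954 profile="/usr/bin/kopete//null-20" '
    'requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/group"',
    'type=APPARMOR_DENIED msg=audit(1255021999.000:6000): operation="open" '
    'pid=3001 parent=3000 profile="/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT" '
    'requested_mask="::r" denied_mask="::r" fsuid=33 ouid=0 name="/etc/shadow"',
    'type=APPARMOR_ALLOWED msg=audit(1255022000.000:6001): operation="open" '
    'pid=3002 parent=3001 profile="null-complain-profile" '
    'requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/etc/passwd"',
]

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed naming of kernel null learning profiles: the old
# "null-profile"/"null-complain-profile" names and the newer numbered "null-<n>".
NULL_NAME_RE = re.compile(r'^null(-complain-profile|-profile|-\d+)$')


@dataclass(frozen=True)
class ProfileRef:
    profile: str           # profile the event should be attributed to
    hat: Optional[str]     # hat name, or None when the event is not in a hat
    is_null: bool          # True when the confining profile is a kernel null profile


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split an AppArmor audit line into key/value fields, quotes stripped."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify_profile(raw: str) -> ProfileRef:
    """Distinguish "profile//hat" from "profile//null-N" null children.

    A null child is a learning-mode stub for an unconfined exec, so the
    event belongs to the parent profile itself and must not become a hat.
    """
    if NULL_NAME_RE.match(raw):
        # Old-format standalone null profile: no parent name is recorded.
        return ProfileRef(profile=raw, hat=None, is_null=True)
    parent, sep, child = raw.partition("//")
    if not sep:
        return ProfileRef(profile=raw, hat=None, is_null=False)
    if NULL_NAME_RE.match(child):
        return ProfileRef(profile=parent, hat=None, is_null=True)
    return ProfileRef(profile=parent, hat=child, is_null=False)


def summarize(lines: List[str]) -> List[dict]:
    """Reduce each audit line to the fields a log-driven profiler cares about."""
    out = []
    for line in lines:
        fields = parse_audit_line(line)
        ref = classify_profile(fields["profile"])
        out.append({
            "profile": ref.profile,
            "hat": ref.hat,
            "is_null": ref.is_null,
            "operation": fields.get("operation"),
            "name": fields.get("name"),
            "denied_mask": fields.get("denied_mask"),
        })
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

With this classification the kopete event is recorded against /usr/bin/kopete (flagged as a null-profile event), the apache2 event keeps its real hat, and the old-style line is still recognised as a null profile, so a tool prompting the user for rules does not invent a "null-20" hat.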

Kees Cook (kees)
Changed in apparmor (Ubuntu Karmic):
status: New → Confirmed
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → Low
milestone: none → ubuntu-9.10
Marc Deslauriers (mdeslaur) wrote :
Jamie Strandboge (jdstrand) wrote :

Marking as In Progress based on Marc's patch.

Changed in apparmor (Ubuntu Karmic):
status: Confirmed → In Progress
Changed in apparmor (Ubuntu Karmic):
importance: Low → High
tags: added: regression-potential
Marc Deslauriers (mdeslaur) wrote :

A feature is still missing from the preliminary patch. When aa-genprof reloads the profile after prompting the user for changes, the kernel does not replace the profile on active "null" processes. In order for active processes to get their profile replaced, the profile name must be the "null" name.

There doesn't seem to be a good way to fix this for the moment.

aa-genprof could write the profile to disk with the "null" names until the user tells it to "finish", at which point it could re-write the profile with the actual binary names. This would solve the problem of someone running aa-genprof without stopping the application between runs. On the other hand, if the application is one that executes and stops, subsequent runs would not pick up the modified profile as it wouldn't match the "null" name that would be in the file.

Marc Deslauriers (mdeslaur) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu27

---------------
apparmor (2.3.1+1403-0ubuntu27) karmic; urgency=low

  * utils/SubDomain.pm: handle new format "null" log entries (LP: #446524)

 -- Marc Deslauriers <email address hidden> Fri, 16 Oct 2009 14:40:04 -0400

Changed in apparmor (Ubuntu Karmic):
status: In Progress → Fix Released