SubDomain.pm does not know about truncate, rename_src, and rename_dest operations
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | High | Unassigned |
apparmor (Ubuntu) | Fix Released | High | Unassigned |
Lucid | Fix Released | High | Unassigned |
Bug Description
SRU
1. Impact: affects ability of users/administr
2. Fixed in natty
3. Patch to SubDomain.pm is small (other portions of the patch add testcases to the log parsing library to confirm that they handle the corresponding apparmor event messages) and adds four tests to an if-clause. See http://
4. TEST CASE
(1) Add the attached empty test profile for /does/not/exist (named does.not.exist) to /etc/apparmor.d
(2) Reload apparmor policy via "sudo /etc/init.
(3) Copy the test logfile to /tmp
(4) Run logprof on the test logfile; e.g. "sudo logprof -f /tmp/testlog"
In the unfixed version, logprof will not prompt the user for any rejections (it may ask about using the repository, answer disable or later). In the fixed version, logprof should ask about three different rejections:
/var/
/var/run/motd
/var/run/motd.new
(select allow each time)
5. Regression potential is low, as the patch adds additional cases to the apparmor perl library; it can only affect the tools used to adjust apparmor profiles.
Binary package hint: apparmor
While developing a test profile(s) for sshd on lucid using logprof/genprof, the following rejections in dmesg were never processed by the tools:
[ 878.662172] type=1503 audit(128262682
[ 878.663410] type=1502 audit(128262682
[ 878.663418] type=1502 audit(128262682
I first looked at the log parsing library under the assumption that it didn't understand these operations. After adding testcases for each message, I confirmed that it does indeed understand them and parses them properly. Looking at SubDomain.pm, however, it does not know about these additional operation types.
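Added example (not part of the bug report or of the AppArmor code): a small Python check that lists the operations appearing in AppArmor audit messages that a profiling tool's dispatch does not cover, so silently skipped rejections become visible. The sample log lines are constructed, and `HYPOTHETICAL_HANDLED` is an assumed stand-in for the tool's list of known operations, not the actual contents of SubDomain.pm.

```python
import re
from collections import defaultdict

# Constructed sample lines in the general shape of AppArmor kernel audit
# messages; timestamps, ids, pids and masks are made up for this example.
SAMPLE_LOG = '''\
[  100.000001] type=1503 audit(1000000000.001:10): operation="truncate" pid=100 parent=1 profile="/does/not/exist" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/run/motd"
[  100.000002] type=1502 audit(1000000000.002:11): operation="rename_src" pid=100 parent=1 profile="/does/not/exist" requested_mask="rw::" denied_mask="rw::" fsuid=0 ouid=0 name="/var/run/motd.new"
[  100.000003] type=1502 audit(1000000000.003:12): operation="rename_dest" pid=100 parent=1 profile="/does/not/exist" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/run/motd"
[  100.000004] type=1503 audit(1000000000.004:13): operation="open" pid=100 parent=1 profile="/does/not/exist" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/etc/hostname"
[  100.000005] usb 1-1: new high-speed USB device number 2
'''

# Assumption: stand-in for the operations a profiling tool dispatches on.
HYPOTHETICAL_HANDLED = {"open", "exec", "file_mmap"}

# AppArmor audit records use message types in the 15xx range.
EVENT_RE = re.compile(r'type=15\d\d audit\([^)]*\):\s*(.*)')
# key=value pairs; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(1))}
    return fields if "operation" in fields else None


def unhandled_operations(log_text, handled):
    """Map each operation missing from `handled` to the sorted paths it hit."""
    skipped = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["operation"] not in handled:
            skipped[ev["operation"]].add(ev.get("name", "?"))
    return {op: sorted(names) for op, names in skipped.items()}


if __name__ == "__main__":
    found = unhandled_operations(SAMPLE_LOG, HYPOTHETICAL_HANDLED)
    for op, names in sorted(found.items()):
        print(f"{op}: {', '.join(names)}")
```
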
Changed in apparmor:
status: New → Triaged
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in apparmor:
importance: Undecided → High
Changed in apparmor (Ubuntu Lucid):
importance: Undecided → High
milestone: none → lucid-updates
status: New → In Progress
tags: added: verification-done removed: verification-needed
Changed in apparmor:
assignee: nobody → Leif Atle Vold (lvold7355)
Changed in apparmor (Ubuntu):
assignee: nobody → Leif Atle Vold (lvold7355)
Changed in apparmor:
status: Triaged → Incomplete
Changed in apparmor (Ubuntu):
assignee: Leif Atle Vold (lvold7355) → nobody
Changed in apparmor:
assignee: Leif Atle Vold (lvold7355) → nobody
status: Incomplete → Fix Released
tags: added: testcase
It also appears that the operations mkdir, link, and unlink are not covered by SubDomain.pm.