Ubuntu
linux package

[karmic] aa_change_profile() no longer works

Bug #401931 reported by Jamie Strandboge
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Medium
John Johansen
Ubuntu karmic-alpha-5

Bug Description

Per John Johansen, the kernel interface changed for aa_change_profile(). The following code and profile fail with 'Invalid argument'.

Code:
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>
#include <limits.h>
#include <stdarg.h>
#include <sys/apparmor.h>

int main(int argc, char *argv[]) {
    char *profile_name = "/usr/sbin/tcpdump";
    if (aa_change_profile(profile_name) != 0) {
        perror("could not change profile");
        exit(1);
    }
}

Profile:
#include <tunables/global>

/home/jamie/tmp/a.out {
  #include <abstractions/base>
  /** rwmkl,

  change_profile -> /usr/sbin/tcpdump,
}

Marking as regression potential as anything using aa_change_profile() will break. Nothing packaged in Ubuntu is using this AFAIK, however it will break custom code and blocks https://wiki.ubuntu.com/SecurityTeam/Specifications/AppArmorLibvirtProfile.

ProblemType: Bug
Architecture: amd64
Date: Mon Jul 20 15:53:09 2009
DistroRelease: Ubuntu 9.10
HibernationDevice: RESUME=UUID=f17af5ae-d165-4d03-9443-5fea4eeb5d6c
Package: linux-image-2.6.31-3-generic 2.6.31-3.19
ProcCmdLine: root=UUID=027f6784-68b4-4dad-8387-c5319fedda74 ro quiet splash security=apparmor
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-3.19-generic
RelatedPackageVersions: linux-backports-modules-2.6.31-3-generic N/A
SourcePackage: linux
Uname: Linux 2.6.31-3-generic x86_64
dmi.bios.date: 08/04/2006
dmi.bios.vendor: Intel Corp.
dmi.bios.version: CO96510J.86A.4462.2006.0804.2059
dmi.board.asset.tag: Base Board Asset Tag
dmi.board.name: DQ965GF
dmi.board.vendor: Intel Corporation
dmi.board.version: AAD41676-400
dmi.chassis.type: 2
dmi.modalias: dmi:bvnIntelCorp.:bvrCO96510J.86A.4462.2006.0804.2059:bd08/04/2006:svn:pn:pvr:rvnIntelCorporation:rnDQ965GF:rvrAAD41676-400:cvn:ct2:cvr:

Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → Medium
milestone: none → karmic-alpha-4
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This is still a problem with up to date karmic, however the error message is different. Using the above test case I get:

$ sudo ./a.out
could not change profile: Permission denied

$ cat /proc/version_signature
Ubuntu 2.6.31-5.24-generic

apparmor: 2.3.1+1403-0ubuntu9

Changed in linux (Ubuntu):
milestone: karmic-alpha-4 → karmic-alpha-5
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I just noticed that if the parent profile is in complain mode and the child profile is in enforce mode, it doesn't error out with permission denied, but also does honor the enforcing profiles rules.

Eg:
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>
#include <limits.h>
#include <stdarg.h>
#include <sys/apparmor.h>

int main(int argc, char *argv[]) {
    char *profile_name = "foo";
    int fd;

    if (aa_change_profile(profile_name) != 0) {
        perror("could not change profile");
        exit(1);
    }

    if ((fd = open("/tmp/foo", O_CREAT|O_TRUNC, 0644)) == -1) {
        printf("confined\n");
        exit(0);
    }
    printf("unconfined\n");
    close(fd);

    exit(1);
}

$ cd /tmp
$ gcc -lapparmor ./foo.c

$ cat /etc/apparmor.d/tmp.a.out
#include <tunables/global>

/tmp/a.out flags=(complain) {
  #include <abstractions/base>
  /** rwmkl,

  change_profile -> foo,
}

profile foo {
  /** rwmkl,
  audit deny /tmp/foo rw,
}

$ ./a.out
unconfined
[1]
$ ls -l /tmp/foo
-rw-r--r-- 1 jamie jamie 0 2009-08-05 16:56 /tmp/foo

Using the following profile:
$ cat /etc/apparmor.d/tmp.a.out
#include <tunables/global>

/tmp/a.out {
  #include <abstractions/base>
  /** rwmkl,

  change_profile -> foo,
}

profile foo {
  /** rwmkl,
  audit deny /tmp/foo rw,
}

$ /tmp/a.out
could not change profile: Permission denied
[1]

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

John,

Tested the kernel package you gave me today on chinstrap, and aa_change_profile() is working perfectly. Thanks!

Changed in linux (Ubuntu):
status: Confirmed → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

John,

Tested the updated kernel packages today (linux-image-2.6.31-9-generic_2.6.31-9.29_*.deb on chinstrap) and aa_change_profile() is again, working perfectly. Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.31-10.30

---------------
linux (2.6.31-10.30) karmic; urgency=low

  [ Amit Kucheria ]

  * [Config] Enable CONFIG_USB_DEVICEFS
    - LP: #417748
  * [Config] Populate the config-update template a bit more

  [ Andy Whitcroft ]

  * rebase to v2.6.31-rc9
  * [Config] update configs following rebase to v2.6.31-rc9
  * [Config] update ports configs following rebase to v2.6.31-rc9

  [ Colin Ian King ]

  * SAUCE: wireless: hostap, fix oops due to early probing interrupt
    - LP: #254837

  [ Jerone Young ]

  * [Upstream] ACPI: Add Thinkpad T400 & Thinkpad T500 to OSI(Linux)
    white-list
    - LP: #281732
  * [Upstream] ACPI: Add Thinkpad X200, X200s, X200t to OSI(Linux)
    white-list
    - LP: #281732
  * [Upstream] ACPI: Add Thinkpad X300 & Thinkpad X301 to OSI(Linux)
    white-list
    - LP: #281732
  * [Upstream] ACPI: Add Thinkpad R400 & Thinkpad R500 to OSI(Linux)
    white-list
    - LP: #281732
  * [Upstream] ACPI: Add Thinkpad W500, W700, & W700ds to OSI(Linux)
    white-list
    - LP: #281732

  [ John Johansen ]

  * SAUCE: AppArmor: Fix profile attachment for regexp based profile names
    - LP: #419308
  * SAUCE: AppArmor: Return the correct error codes on profile
    addition/removal
    - LP: #408473
  * SAUCE: AppArmor: Fix OOPS in profile listing, and display full list
    - LP: #408454
  * SAUCE: AppArmor: Fix mapping of pux to new internal permission format
    - LP: #419222
  * SAUCE: AppArmor: Fix change_profile failure
    - LP: #401931
  * SAUCE: AppArmor: Tell git to ignore generated include files
    - LP: #419505

  [ Stefan Bader ]

  * [Upstream] acpi: video: Loosen strictness of video bus detection code
    - LP: #333386
  * SAUCE: Remove ov511 driver from ubuntu subdirectory

  [ Tim Gardner ]

  * [Config] Exclude char-modules from non-x86 udeb creation
  * SAUCE: Notify the ACPI call chain of AC events
  * [Config] CONFIG_SATA_VIA=m
    - LP: #403385
  * [Config] Build in all phylib support modules.
  * [Config] Don't fail when sub-flavour files are missing
    - LP: #423426
  * [Config] Set CONFIG_LSM_MMAP_MIN_ADDR=0
    - LP: #423513

  [ Upstream ]

  * Rebased against v2.6.31-rc9

 -- Andy Whitcroft <email address hidden> Mon, 07 Sep 2009 11:33:45 +0100

Changed in linux (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.