Python utils lack support for pivot_root rules
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Medium | Tyler Hicks |
apparmor (Ubuntu) | Fix Released | Medium | Tyler Hicks |
Bug Description
aa.py doesn't support pivot_root rules and emits a traceback when encountering them:
$ mkdir /tmp/profs
$ printf "profile pr {\n pivot_root /other,\n }" > /tmp/profs/pr
$ sudo aa-enforce -d /tmp/profs /tmp/profs/pr
Traceback (most recent call last):
File "/usr/sbin/
tool.
File "/usr/lib/
apparmor.
File "/usr/lib/
read_
File "/usr/lib/
profile_data = parse_profile_
File "/usr/lib/
raise AppArmorExcepti
apparmor.
Error in sys.excepthook:
Traceback (most recent call last):
File "/usr/lib/
pr.
File "/usr/lib/
ret = self.get_
File "/usr/lib/
if len(my_cgroup) < 2:
UnboundLocalError: local variable 'my_cgroup' referenced before assignment
Original exception was:
Traceback (most recent call last):
File "/usr/sbin/
tool.
File "/usr/lib/
apparmor.
File "/usr/lib/
read_
File "/usr/lib/
profile_data = parse_profile_
File "/usr/lib/
raise AppArmorExcepti
apparmor.
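An added example, not code from aa.py or the AppArmor project: a line-oriented profile reader that raises on any rule it does not recognise, shown accepting the profile from the report once a pivot_root parser is registered. The rule grammar follows apparmor.d(5); `ProfileSyntaxError`, `parse_pivot_root` and `parse_profile` are hypothetical names, and quoted paths, comments and other rule types are out of scope.

```python
import re

# Rule grammar as documented in apparmor.d(5):
#   [audit] [allow|deny] pivot_root [oldroot=PATH] [NEWROOT] [-> PROFILE],
# Non-greedy \S matches let globs such as /mnt/{a,b}/ keep their inner commas.
RE_PIVOT_ROOT = re.compile(
    r'^\s*(?P<audit>audit\s+)?(?:(?P<perm>allow|deny)\s+)?pivot_root\b'
    r'(?:\s+oldroot=(?P<oldroot>\S+?))?'
    r'(?:\s+(?P<newroot>/\S*?))?'
    r'(?:\s+->\s+(?P<target>\S+?))?'
    r'\s*,\s*$')
RE_PROFILE_START = re.compile(r'^\s*profile\s+(?P<name>\S+)\s*\{\s*$')
RE_PROFILE_END = re.compile(r'^\s*\}\s*$')

class ProfileSyntaxError(Exception):
    """Hypothetical name; raised for any line no parser recognises."""

def parse_pivot_root(line):
    """Return the rule's fields as a dict, or None if it is not pivot_root."""
    m = RE_PIVOT_ROOT.match(line)
    if m is None:
        return None
    return {'audit': m.group('audit') is not None,
            'deny': m.group('perm') == 'deny',
            'oldroot': m.group('oldroot'),
            'newroot': m.group('newroot'),
            'target': m.group('target')}

def parse_profile(text, rule_parsers):
    """Map profile name -> parsed rules; reject lines nothing understands."""
    profiles, current = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        start = RE_PROFILE_START.match(line)
        if start:
            current = profiles.setdefault(start.group('name'), [])
        elif RE_PROFILE_END.match(line):
            current = None
        elif line.strip():
            rule = None
            if current is not None:
                rule = next(filter(None, (p(line) for p in rule_parsers)), None)
            if rule is None:
                raise ProfileSyntaxError('line %d: %s' % (lineno, line.strip()))
            current.append(rule)
    return profiles

# The profile from the bug report, as written by its printf command.
SAMPLE = 'profile pr {\n pivot_root /other,\n }'

if __name__ == '__main__':
    print(parse_profile(SAMPLE, [parse_pivot_root]))
```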
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in apparmor:
assignee: nobody → Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in apparmor:
status: Triaged → In Progress
Changed in apparmor:
milestone: none → 2.9.0
This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5
---------------
apparmor (2.8.95~2430-0ubuntu5) trusty; urgency=medium
  * debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin,
    lightdm and apparmor-easyprof-ubuntu
apparmor (2.8.95~2430-0ubuntu4) trusty; urgency=medium
  [ John Johansen, Steve Beattie ]
  * Add userspace support for AppArmor signals and ptrace mediation
    (LP: #1298611)
    + debian/patches/mediate-signals.patch,
      debian/patches/change-signal-syntax.patch: Parse signal rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/change-ptrace-syntax.patch,
      debian/patches/mediate-ptrace.patch: Parse ptrace rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/test-signal-rules.patch,
      debian/patches/test-ptrace-rules.patch,
      debian/patches/update-tests-for-new-semantics.patch: Update existing
      tests and add new tests for signal and ptrace mediation
    + debian/patches/fix-garbage-in-preprocessor-output.patch: Fix bug causing
      apparmor_parser preprocessor output to contain garbage after include
      statements
    + debian/patches/fix-double-comma-in-preprocessor-output.patch: Fix bug
      causing apparmor_parser preprocessor output to contain double commas
      after some rules
    + debian/patches/symtab-tests-and-seenlist-bug.patch,
      debian/patches/add-profile-name-variable.patch: Add ${profile_name}
      variable for use in profiles when rules need to specify the current
      profile's name. This is useful for signal and ptrace rules that specify
    + debian/patches/fix-names-treated-as-condlistid.patch: Fix
      apparmor_parser bug that caused mount and dbus rules to fail for sets of
      values
  [ Jamie Strandboge ]
  * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch:
    Adjust the base abstraction for signals and ptrace mediation. Profiles
    that use the base abstraction can deny any of the granted permissions to
    achieve tighter confinement.
  * debian/patches/manpage-signal-ptrace.patch: Update the apparmor.d man
    page to document signal rules, ptrace rules, and variables for use in
    AppArmor profiles
  * debian/patches/dnsmasq-libvirtd-signal-ptrace.patch: Update the dnsmasq
    profile to allow libvirtd to send signals to and ptrace read the dnsmasq
    process
  * debian/patches/update-chromium-browser.patch: Adjust the chromium-browser
    profile for permissions needed in newer chromium-browser versions and add
    the rules needed for AppArmor ptrace mediation
  [ Tyler Hicks ]
  * Add new rule type support to aa.py to fix tracebacks when using the Python
    utilities in apparmor-utils on systems with AppArmor profiles containing
    previously unsupported rule types
    - debian/patches/python-utils-file-support.patch: Support path rules
      containing the "file" prefix (LP: #1295346)
    - debian/patches/python-utils-signal-support.patch: Parse and write signal
      rules (LP: #1300316)
    - debian/patches/python-utils-ptrace-support.patch: Parse and write ptrace
      rules (LP: #1300317)...