python tools do not understand 'non-magic' include rules

Bug #1733700 reported by Felix Eckhofer
Affects              Status        Importance  Assigned to        Milestone
AppArmor             Fix Released  Undecided   Jamie Strandboge
apparmor (Ubuntu)    Fix Released  Undecided   Unassigned
  Trusty             Won't Fix     Undecided   Jamie Strandboge
  Xenial             Won't Fix     Undecided   Jamie Strandboge
  Zesty              Won't Fix     Undecided   Jamie Strandboge
  Artful             Won't Fix     Undecided   Jamie Strandboge
  Bionic             Fix Released  Undecided   Unassigned

Bug Description

The apparmor parser supports 'include' and '#include' rules for specifying absolute paths, but the python tools only understand include rules for so-called 'magic' '<>' file locations.

= test case #0 (testsuite) =
$ sudo apt-get install apparmor apparmor-utils # from proposed
$ sudo apt-get build-dep apparmor
$ sudo apt-get install quilt realpath pyflakes pyflakes3 # pyflakes3 on xenial and higher
$ apt-get source apparmor # from proposed
$ cd apparmor-*
$ quilt push -a
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
$ cd libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python
$ make
$ cd ../../binutils
$ make
$ cd ../parser
$ make
$ cd ../utils
$ make
$ make check

= test case #1 (aa-enforce) =

This assumes test case #0 has been performed.

$ mkdir /tmp/test1 /tmp/test2

$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  #include "/tmp/test1"
  include "/tmp/test2"
}

$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok

$ sudo aa-enforce /etc/apparmor.d/lp1733700 # currently fails

= test case #2 (aa-genprof) =

This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.

$ cat /tmp/lp1733700
#!/bin/sh
set -e
sh -c "$@"

$ chmod 755 /tmp/lp1733700

# run without confinement:
$ /tmp/lp1733700 'cat /etc/fstab' | head -1
# /etc/fstab: static file system information.

# invoke genprof
$ sudo aa-genprof /tmp/lp1733700
...
[(S)can system log for AppArmor events] / (F)inish - PRESS 's' - currently fails
... don't exercise the application any so we just have the default profile ...
[(S)can system log for AppArmor events] / (F)inish - PRESS 'f'
...
Finished generating profile for /tmp/lp1733700.

$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 15:53:07 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,

}

= test case #3 (aa-logprof) =

This assumes test case #1 was already performed and /etc/apparmor.d/lp1733700 exists with the above includes.

This also assumes test case #2 was already performed and /etc/apparmor.d/tmp.lp1733700 exists.

Disable kernel rate limiting:
$ sudo sysctl -w kernel.printk_ratelimit=0

Create mark entry in syslog:
$ logger mark-lp1733700

Try running logprof with no new denials:

$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
$

Adjust /etc/apparmor.d/tmp.lp1733700 to add:

  #include "/tmp/test1"
  include "/tmp/test2"

Load it into the kernel:
$ sudo apparmor_parser -r /etc/apparmor.d/tmp.lp1733700

Create a new denial:
$ /tmp/lp1733700 'uptime'
sh: 1: uptime: Permission denied
$

Try running logprof:

$ sudo aa-logprof -m mark-lp1733700 # currently fails
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

Profile: /tmp/lp1733700
Execute: /usr/bin/uptime
Severity: unknown

(I)nherit / (C)hild / (N)amed / (X) ix On / (D)eny / Abo(r)t / (F)inish
...
The following local profiles were changed. Would you like to save them?
<PRESS 'i'>
 [1 - /tmp/lp1733700]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<PRESS 's'>

Writing updated profile for /tmp/lp1733700.
$

Verify the profile for 'uptime' addition and that the /tmp/test1 and /tmp/test2 includes were not removed (it is ok that they are both '#include'):

$ sudo cat /etc/apparmor.d/tmp.lp1733700
# Last Modified: Wed Dec 20 16:19:19 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

= test case #4 (aa-mergeprof) =

$ mkdir -p /tmp/aa-mergeprof/new
$ mkdir /tmp/aa-mergeprof/new/tunables /tmp/aa-mergeprof/new/abstractions
$ touch /tmp/aa-mergeprof/new/tunables/global /tmp/aa-mergeprof/new/abstractions/base /tmp/aa-mergeprof/new/abstractions/bash
$ cp -a /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old

$ cat /tmp/aa-mergeprof/old/tmp.lp1733700 # no test2 include or cat
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test1"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

$ cat /tmp/aa-mergeprof/new/tmp.lp1733700 # no test1 include or uptime
#include <tunables/global>

/tmp/lp1733700 {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include "/tmp/test2"

  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /bin/cat ixr,

}

$ sudo aa-mergeprof -d /tmp/aa-mergeprof/new /tmp/aa-mergeprof/old/tmp.lp1733700
...
 [1 - #include "/tmp/test1"]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
<PRESS 'a'>
...
 [1 - /usr/bin/uptime mrix,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
<PRESS 'a'>
...
The following local profiles were changed. Would you like to save them?

 [1 - /tmp/lp1733700]
(S)ave Changes / [(V)iew Changes] / Abo(r)t / (I)gnore - PRESS 's'
Writing updated profile for /tmp/lp1733700.
$

Verify /tmp/aa-mergeprof/new/tmp.lp1733700 has test1, test2, cat and uptime (old mergeprof would discard includes with absolute paths):
$ cat /tmp/aa-mergeprof/new/tmp.lp1733700
# Last Modified: Wed Dec 20 17:16:34 2017
#include <tunables/global>

/tmp/lp1733700 {
  #include "/tmp/test1"
  #include "/tmp/test2"
  #include <abstractions/base>
  #include <abstractions/bash>

  /bin/cat rix,
  /bin/dash ix,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /tmp/lp1733700 r,
  /usr/bin/uptime mrix,

}

Note that the original description said that changing the rule from 'include' to '#include' fixed the issue when in reality it only allowed the rule to parse as a comment instead of erroring.

= Original description =
The apparmor_parser now supports 'include' rules in addition to '#include', but the python tools only understand '#include'. This manifested itself in Ubuntu in bug #1734038 (see https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1734038/comments/15 of that bug for details).

Reproducer:

$ mkdir /tmp/test

$ cat /etc/apparmor.d/lp1733700
profile lp1733700 {
  include "/tmp/test"
}

$ apparmor_parser -QTK /etc/apparmor.d/lp1733700 && echo ok
ok

$ sudo aa-enforce /etc/apparmor.d/lp1733700
ERROR: Syntax Error: Missing '}' or ','. Reached end of file /etc/apparmor.d/lp1733700 while inside profile lp1733700

Changing the 'include' to '#include' results in:
$ sudo aa-enforce /etc/apparmor.d/lp1733700
Setting /etc/apparmor.d/lp1733700 to enforce mode.

At least aa-logprof is also affected.

= Original report =
On Ubuntu artful, I'm seeing the following behavior:

    $ aa-enforce usr.bin.chromium-browser

    ERROR: Syntax Error: Unknown line found in file /etc/apparmor.d/snap.core.3440.usr.lib.snapd.snap-confine line 15:
        include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,

I have never touched snap.core.3440.usr.lib.snapd.snap-confine.
This is snapd 2.28.5+17.10.

Changed in snapd (Ubuntu):
assignee: nobody → Zygmunt Krynicki (zyga)
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Ok, the snapd issue is being tracked in bug #1734038 so I'm going to use this one for the apparmor-utils python utilities upstream bug and Ubuntu SRU. More details to come.

affects: snapd (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
assignee: Zygmunt Krynicki (zyga) → Jamie Strandboge (jdstrand)
description: updated
summary: - aa-enforce fails due to syntax error in snapd.snap-confine profile
+ apparmor python tools do not understand 'include' rules
Changed in apparmor (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
Changed in apparmor:
status: New → Triaged
Changed in apparmor (Ubuntu Bionic):
status: Triaged → New
Jamie Strandboge (jdstrand) wrote : Re: apparmor python tools do not understand 'include' rules
Tyler Hicks (tyhicks) wrote :

I took a quick look at this bug to attempt to locate the problem. I originally thought it was due to the Python utils' parser not supporting include rules that are missing a leading '#' but that's not the case since the regex in utils/apparmor/regex.py supports such an include rule:

  RE_INCLUDE = re.compile('^\s*#?include\s*<(?P<magicpath>.*)>' + RE_EOL)

The problem here is due to the regex only supporting include paths that are surrounded by <>. The apparmor_parser allows for absolute include paths to be surrounded by "" or by nothing at all and that is what the Python utils do not currently support.

Also note that there are existing, but commented out, tests for this style of include rules in utils/test/test-regex_matches.py:

class Test_re_match_include(AATest):
    tests = [
...
        # ('include foo', 'foo' ), # XXX not supported in tools yet
        # ('include /foo/bar', '/foo/bar' ), # XXX not supported in tools yet
        # ('include "foo"', 'foo' ), # XXX not supported in tools yet
        # ('include "/foo/bar"', '/foo/bar' ), # XXX not supported in tools yet

...
    ]

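As an added example (not the AppArmor utils' own code, nor the upstream 2.12 fix), here is the regex quoted above beside one extended to cover the commented-out test cases, plus a small classifier that shows why swapping 'include' for '#include' only made the old tools treat the rule as a comment. RE_EOL is an assumption standing in for the tools' end-of-line pattern.

```python
import re

# Added example, not the AppArmor utils' own code. RE_EOL is an assumption
# standing in for the tools' end-of-line pattern: optional whitespace and an
# optional trailing comment.
RE_EOL = r'\s*(#.*)?$'

# The pre-2.12 pattern quoted above: only the 'magic' <...> form matches.
RE_INCLUDE_OLD = re.compile(r'^\s*#?include\s*<(?P<magicpath>.*)>' + RE_EOL)

# Extended pattern that also accepts the two absolute-path forms
# apparmor_parser allows: a quoted path ("/tmp/test1") or a bare path.
RE_INCLUDE_NEW = re.compile(
    r'^\s*#?include\s*'
    r'(?:<(?P<magicpath>[^>]+)>'   # include <abstractions/base>
    r'|"(?P<quotedpath>[^"]+)"'    # include "/tmp/test1"
    r'|(?P<path>[^<"\s#]+))'       # include /tmp/test1
    + RE_EOL)


def match_include_old(line):
    """Old behaviour: the include path for a <...> rule, else None."""
    m = RE_INCLUDE_OLD.match(line)
    return m.group('magicpath') if m else None


def match_include_new(line):
    """Return (path, is_magic) for any include form, or None if not an include."""
    m = RE_INCLUDE_NEW.match(line)
    if not m:
        return None
    if m.group('magicpath') is not None:
        return m.group('magicpath'), True
    path = m.group('quotedpath') or m.group('path')
    return path, False


def classify_old(line):
    """How the old tools effectively treated a line: a recognised include,
    a comment (anything else starting with '#'), or an error. This is why
    changing 'include "/tmp/test"' to '#include "/tmp/test"' only hid the
    problem: the rule was parsed as a comment, not as an include."""
    if match_include_old(line) is not None:
        return 'include'
    if line.lstrip().startswith('#'):
        return 'comment'
    return 'error'
```
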
Changed in apparmor:
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :
summary: - apparmor python tools do not understand 'include' rules
+ python tools do not understand 'non-magic' include rules
Changed in apparmor (Ubuntu Trusty):
status: New → Triaged
Changed in apparmor (Ubuntu Xenial):
status: New → Triaged
Changed in apparmor (Ubuntu Zesty):
status: New → Triaged
Changed in apparmor (Ubuntu Artful):
status: New → Triaged
Changed in apparmor (Ubuntu Bionic):
status: New → Triaged
description: updated
description: updated
description: updated
Jamie Strandboge (jdstrand) wrote :

This was fixed upstream in 2.12.

Changed in apparmor:
status: In Progress → Fix Released
Changed in apparmor (Ubuntu Bionic):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Changed in apparmor (Ubuntu Trusty):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu Xenial):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu Zesty):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu Artful):
assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
description: updated
description: updated
description: updated
Changed in apparmor (Ubuntu Artful):
status: Triaged → In Progress
Changed in apparmor (Ubuntu Xenial):
status: Triaged → In Progress
Changed in apparmor (Ubuntu Trusty):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Due to the builder being down for meltdown/spectre, the patches for this were delayed. However, the 3rd core snap without the issue (2.29.4.2, 2.30 and the upcoming 2.31.1) that caused this problem is about to be released meaning the affected core snap revision is about to be reaped which will resolve this bug for those users. As a result, marking all stable releases of Ubuntu as Won't Fix. Bionic will be fixed with the upcoming 2.12 merge from Debian.

Changed in apparmor (Ubuntu Zesty):
status: Triaged → Won't Fix
Changed in apparmor (Ubuntu Trusty):
status: In Progress → Won't Fix
Changed in apparmor (Ubuntu Xenial):
status: In Progress → Won't Fix
Changed in apparmor (Ubuntu Artful):
status: In Progress → Won't Fix
Changed in apparmor (Ubuntu Bionic):
status: In Progress → Triaged
assignee: Jamie Strandboge (jdstrand) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu1

---------------
apparmor (2.12-4ubuntu1) bionic; urgency=medium

  [ Tyler Hicks ]
  * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
    intrigeri for making those improvements! Remaining Ubuntu changes:
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - Update package maintainer to be Ubuntu Developers in the control file
    - Call handle_system_policy_package_updates in apparmor.init.
      This is needed for snappy and system-images. Note that this prevents
      using a remove /var.
    - Apply Ubuntu-specific patches
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - Install Ubuntu chromium-browser profile and abstraction
    - Feature pinning is not used in Ubuntu

  [ intrigeri ]
  * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
    the Ubuntu packaging is maintained.

apparmor (2.12-4) unstable; urgency=medium

  * Migrate patch handling to gbp-pq (Closes: #888244).
  * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
    - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
      new patch, properly identify empty ouid/fsuid fields in logs.
    - upstream-commit-130958a-allow-shell-helper-read-locale.patch:
      new patch, allow the shell helper regression test program read
      the locale.

 -- Tyler Hicks <email address hidden> Mon, 19 Mar 2018 16:24:57 +0000

Changed in apparmor (Ubuntu Bionic):
status: Triaged → Fix Released