apparmor_parser does not allow regex when using change_profile

Bug #390810 reported by Jamie Strandboge
Affects: apparmor (Ubuntu)
  Status: Fix Released; Importance: Wishlist; Assigned to: John Johansen
Affects: apparmor (Ubuntu Karmic)
  Status: Fix Released; Importance: Wishlist; Assigned to: John Johansen

Bug Description

Binary package hint: apparmor

Using the following in a profile is not recognized by apparmor_parser:

change_profile -> [0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

It also does not recognize any of these characters at all: '[]-*'. It would be nice if change_profile would support regular expressions just as normal rules do.

Jamie Strandboge (jdstrand) wrote :

Assigned to John based on discussion on IRC.

Changed in apparmor (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → Medium
milestone: none → karmic-alpha-6
status: New → Confirmed

Jamie Strandboge (jdstrand) wrote :

This bug was originally found on Jaunty. Retested and it also affects Karmic. This is a blocker for https://wiki.ubuntu.com/SecurityTeam/Specifications/AppArmorLibvirtProfile (bug #388422).

description: updated

Jamie Strandboge (jdstrand) wrote :

Marking to High due to blocking a blueprint.

Changed in apparmor (Ubuntu Karmic):
importance: Medium → High

Kees Cook (kees) wrote :

The lexer needs either a leading slash or a variable name to indicate the start of a token. As a work-around:

#include <tunables/global>
@{EMPTY}=""

/usr/sbin/libvirtd flags=(complain) {
  ...
  change_profile -> @{EMPTY}[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

Should the target profile be name-spaced? i.e. libvirtd-@{EMPTY}[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* ?

Jamie Strandboge (jdstrand) wrote :

Changing to Wishlist and removing milestone. This is no longer a blocker and can be worked around by doing:

#include <tunables/global>
@{LIBVIRT}="libvirt"

/usr/sbin/libvirtd {
  ...
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
  ...

Thanks Kees!

Changed in apparmor (Ubuntu Karmic):
importance: High → Wishlist
milestone: karmic-alpha-6 → none
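
The two workarounds above (Kees's empty @{EMPTY} prefix and the @{LIBVIRT} prefix) both rely on the same point: the lexer only recognizes a change_profile target once it starts with "/" or a variable reference, and the glob characters are fine after that. The following is an added example written for this page, not code from apparmor_parser or from the bug, that models that lexer rule and then checks which profile names the expanded pattern would permit. It assumes the globbing semantics documented in apparmor.d(5) ("*" matches any run of characters except "/", "**" also crosses "/", "?" one character, "[...]" a class, "{a,b}" alternation); the function names parse_profile, glob_to_regex and allowed_transitions and the UUID-style candidate names are constructed for the example.

```python
import re

# Lexer rule described in the report: the target of "change_profile ->" is
# only recognized as a token when it starts with "/" or a variable "@{NAME}".
TARGET_START = re.compile(r'^(/|@\{[A-Za-z0-9_]+\})')
VAR_DEF = re.compile(r'^@\{([A-Za-z0-9_]+)\}\s*=\s*"?([^"]*)"?\s*$')
CHANGE_PROFILE = re.compile(r'^\s*change_profile\s*->\s*(\S+?)\s*,\s*$')
VAR_REF = re.compile(r'@\{([A-Za-z0-9_]+)\}')


def lexable_target(target):
    """True when a change_profile target begins with '/' or '@{...}'."""
    return TARGET_START.match(target) is not None


def parse_profile(text):
    """Collect @{VAR}= definitions and change_profile targets from profile text.
    Other lines (includes, braces, other rules) are ignored.  A target the
    lexer would not accept raises ValueError, the failure the report shows."""
    variables, targets = {}, []
    for line in text.splitlines():
        m = VAR_DEF.match(line.strip())
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = CHANGE_PROFILE.match(line)
        if m:
            if not lexable_target(m.group(1)):
                raise ValueError("change_profile target not recognized: " + m.group(1))
            targets.append(m.group(1))
    return variables, targets


def rejected_by_lexer(text):
    """Does parse_profile reject this profile text?"""
    try:
        parse_profile(text)
    except ValueError:
        return True
    return False


def expand_vars(pattern, variables):
    """Substitute @{NAME} references; an undefined name is an error."""
    def sub(m):
        if m.group(1) not in variables:
            raise KeyError("undefined variable @{" + m.group(1) + "}")
        return variables[m.group(1)]
    return VAR_REF.sub(sub, pattern)


def glob_to_regex(pattern):
    """Translate AppArmor globbing (assumed apparmor.d(5) semantics) into an
    anchored Python regex.  Note '*' is not a regex quantifier: '[0-9a-f]*'
    means one hex digit followed by any non-'/' characters."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith('**', i):      # '**' crosses directory separators
            out.append('.*')
            i += 2
            continue
        if c == '*':                          # '*' stops at '/'
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '[':                        # copy a character class verbatim
            j = pattern.find(']', i + 1)
            if j < 0:
                raise ValueError("unterminated character class in " + pattern)
            out.append(pattern[i:j + 1])
            i = j + 1
            continue
        elif c == '{':                        # '{a,b}' alternation
            depth += 1
            out.append('(?:')
        elif c == '}' and depth:
            depth -= 1
            out.append(')')
        elif c == ',' and depth:
            out.append('|')
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced braces in " + pattern)
    return '^' + ''.join(out) + '$'


def glob_matches(pattern, name):
    return re.match(glob_to_regex(pattern), name) is not None


def allowed_transitions(profile_text, candidates):
    """Return the candidate profile names the change_profile rules permit."""
    variables, targets = parse_profile(profile_text)
    patterns = [expand_vars(t, variables) for t in targets]
    return [n for n in candidates if any(glob_matches(p, n) for p in patterns)]


# Constructed sample: the @{LIBVIRT} workaround from the report.
WORKAROUND_PROFILE = """
#include <tunables/global>
@{LIBVIRT}="libvirt"

/usr/sbin/libvirtd {
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
}
"""

# Constructed sample: the rule as first reported, beginning with '['.
BROKEN_PROFILE = """
/usr/sbin/libvirtd {
  change_profile -> [0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
}
"""

# Constructed candidate profile names (libvirt names guest profiles by UUID).
CANDIDATES = [
    "libvirt-123e4567-e89b-12d3-a456-426614174000",  # well-formed UUID: allowed
    "libvirt-1-2-3-4-5",  # also allowed: each segment only needs one leading hex digit
    "libvirt-g23e4567-e89b-12d3-a456-426614174000",  # non-hex first character: denied
    "libvirt-123e4567-e89b-12d3-a456",               # too few segments: denied
    "other-123e4567-e89b-12d3-a456-426614174000",    # wrong prefix: denied
]

if __name__ == "__main__":
    print("broken profile rejected:", rejected_by_lexer(BROKEN_PROFILE))
    for name in allowed_transitions(WORKAROUND_PROFILE, CANDIDATES):
        print("transition allowed to", name)
```

The second candidate is the practical caveat: because "*" is a glob rather than a regex repetition of the preceding class, the pattern from the report admits any name whose five segments each start with a hex digit, not only full UUIDs. A tighter target would spell out each segment (for example "[0-9a-f][0-9a-f][0-9a-f][0-9a-f]" for a 4-digit segment) or rely on the prefix being unique to the profiles libvirt generates.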

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu8

---------------
apparmor (2.3.1+1403-0ubuntu8) karmic; urgency=low

  * Update to upstream subversion r1431.
    - change_profile can use regex (LP: #390810, #401931)
  * debian/apparmor.init: always clear cache on reload.

 -- Kees Cook <email address hidden> Mon, 03 Aug 2009 07:46:33 -0700

Changed in apparmor (Ubuntu Karmic):
status: Confirmed → Fix Released