[apparmor] [Bug 1001024] [NEW] aa-logprof "new path" confirmation incorrect with filenames including metacharacters

Seth Arnold 1001024 at bugs.launchpad.net
Thu May 17 22:43:04 UTC 2012


Public bug reported:

The debsums program needed to access some data in /tmp/dQK_wRVzCn/g++/
in the course of its checksumming.

When writing the profile with aa-logprof, I used the New functionality
to replace the random-looking content with an * and got the following
funny messages:

|  Profile:  /usr/bin/debsums
|  Path:     /tmp/dQK_wRVzCn/g\+\+/
|  Old Mode: r
|  New Mode: rw
|  Severity: unknown
|
|
|   [1 - /tmp/dQK_wRVzCn/g\+\+/]
|    2 - /**
|
|  [(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
|  Enter new path: /tmp/*/g\+\+/
|
|  The specified path does not match this log entry:
|
|    Log Entry:    /tmp/dQK_wRVzCn/g\+\+/
|    Entered Path: /tmp/*/g\+\+/
|
|  Do you really want to use this path?
|
|
|  (Y)es / [(N)o]

There's a few oddities here; first, the Filename: line is showing an
_escaped_ version of the filename rather than the raw filename. Second,
the "specified path does not match this log entry" check appears to be
checking against the escaped version of the name, and not the filename
that was actually referenced. (I used the readline facility to replace
only the random-looking content with an asterisk, so I'm confident I
didn't screw it up.)

I'm not sure which specific audit entries generated these questions, but
some of the lines from the log file:

type=AVC msg=audit(1337117164.559:422): apparmor="ALLOWED" operation="mkdir" parent=15532 profile="/usr/bin/debsums//null-30" name="/tmp/dQK_wRVzCn/g++/" pid=15535 comm="dpkg-deb" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1337117164.559:461): apparmor="ALLOWED" operation="getattr" parent=15532 profile="/usr/bin/debsums//null-30//null-31" name="/tmp/dQK_wRVzCn/g++/" pid=15535 comm="tar" requested_mask="r" denied_mask="r" fsuid=0 ouid=0


You can recreate this through a slightly complicated set of steps:

cd /tmp
cp /bin/cat /tmp/cat
mkdir -p foo/g++
echo foo > foo/g++/foo
aa-genprof /tmp/cat
/tmp/cat foo/g++/foo

Replace the first 'foo' with a '*' using the New option, and you'll be
able to see this yourself.

ii  apparmor             2.7.102-0ubuntu3     User-space parser utility for AppArmor
ii  apparmor-utils       2.7.102-0ubuntu3     Utilities for controlling AppArmor

** Affects: apparmor
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/1001024

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1001024/+subscriptions
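
The mismatch described in the report can be reproduced outside aa-logprof. This is an added example, not aa-logprof's code and not part of the original message; `glob_to_regex` implements only a simplified subset of AppArmor globbing (`*`, `**`, `?`, backslash escapes), and all helper names are hypothetical.

```python
import re

# Constructed from the first audit line quoted in the report (some fields trimmed).
AUDIT_LINE = ('type=AVC msg=audit(1337117164.559:422): apparmor="ALLOWED" '
              'operation="mkdir" profile="/usr/bin/debsums//null-30" '
              'name="/tmp/dQK_wRVzCn/g++/" pid=15535 comm="dpkg-deb"')
SHOWN_PATH = r'/tmp/dQK_wRVzCn/g\+\+/'   # escaped form shown in the prompt
ENTERED_PATH = r'/tmp/*/g\+\+/'          # what was typed at "Enter new path:"

def logged_name(line):
    """Return the raw name= value recorded in an audit line."""
    m = re.search(r'\bname="([^"]*)"', line)
    if m is None:
        raise ValueError("audit line has no name= field")
    return m.group(1)

def glob_to_regex(glob):
    """Translate a simplified AppArmor-style glob into a Python regex string."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == '\\' and i + 1 < len(glob):   # \x means a literal x
            out.append(re.escape(glob[i + 1]))
            i += 2
        elif glob.startswith('**', i):        # ** may cross '/'
            out.append('.*')
            i += 2
        elif c == '*':                        # * stays within one component
            out.append('[^/]*')
            i += 1
        elif c == '?':
            out.append('[^/]')
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return ''.join(out)

def matches(glob, path):
    """True when the glob matches the whole path."""
    return re.fullmatch(glob_to_regex(glob), path) is not None

def compare(entered, line, shown):
    """Check the entered glob against the raw log name and the escaped display form."""
    return matches(entered, logged_name(line)), matches(entered, shown)

if __name__ == '__main__':
    raw_ok, escaped_ok = compare(ENTERED_PATH, AUDIT_LINE, SHOWN_PATH)
    print('matches raw log name:    ', raw_ok)
    print('matches escaped display: ', escaped_ok)
```

The entered glob matches the name recorded in the audit log but not its escaped rendering, which is the comparison that would produce the "does not match this log entry" prompt.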


