[apparmor] Question regarding confining sudo in a child profile
Simon Deziel
simon.deziel at gmail.com
Mon Oct 21 13:14:25 UTC 2013
Hi Hanno,
On 13-10-21 07:13 AM, Hanno Stock wrote:
> Hi everybody,
>
> I have a question regarding confining use of sudo with a child profile.
> I see some strange behavior (at least to my understanding). I would be
> glad for any pointers in the right direction.
>
> The situation:
>
> 1. Ubuntu 12.04 system with AppArmor 2.7 (installed via distribution
> package)
> 2. I have an openvpn daemon which runs some learn-address script via sudo.
> 3. I have a profile for openvpn with a child profile for sudo and a
> named child profile for the learn-address script.
>
> In the openvpn-profile I have:
>
> /usr/bin/sudo rCx,
>
> In the sudo child profile I have:
>
> /etc/openvpn/scripts/learn-address.sh rCx -> learn_address,
>
> However I still get kernel logs like this:
>
> Oct 21 12:23:54 intranet-vpn kernel: [408806.259761] type=1400
> audit(1382351034.874:22653): apparmor="ALLOWED" operation="exec"
> parent=3442 profile="/usr/sbin/openvpn///usr/bin/sudo"
> name="/usr/sbin/ipset" pid=3443 comm="learn-address.s"
> requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> target="/usr/sbin/openvpn///usr/bin/sudo//null-1c8"
>
> The ipset utility is, however, run by the learn-address.sh script, not
> directly by sudo. I do not understand why the sudo child profile is used
> here. To my understanding the profile should be "learn_address", which
> allows the execution of ipset.
I think that changing to a subprofile from another subprofile only works
when using a fully qualified profile name.
Here is an extract of a profile that does a similar thing:
/usr/local/bin/backuppc-wrapper {
  ...
  /usr/bin/sudo Cx -> sudo_rsync,

  profile sudo_rsync {
    ...
    # XXX: Cx doesn't work. For details, see
    # https://lists.ubuntu.com/archives/apparmor/2012-November/003114.html
    #/usr/bin/rsync Cx -> rsync,
    # Works: the sibling child profile is named by its fully qualified name
    /usr/bin/rsync px -> /usr/local/bin/backuppc-wrapper//rsync,
  }

  profile rsync {
    #include <abstractions/base>
  }
  ...
}
HTH,
Simon
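As an added example that is not from either poster's profiles, here is Simon's workaround applied to Hanno's openvpn layout: the file path, the sudo and shell rules, and the interpreter path are assumptions, and only the rules needed for the exec transitions are shown (the daemon's own network and capability rules are omitted).

```apparmor
# Assumed file: /etc/apparmor.d/usr.sbin.openvpn (constructed example).
#include <tunables/global>

/usr/sbin/openvpn {
  #include <abstractions/base>

  # Run sudo under a child profile named after its path, as in the question;
  # the child is then known as "/usr/sbin/openvpn///usr/bin/sudo".
  /usr/bin/sudo rCx,

  profile /usr/bin/sudo {
    #include <abstractions/base>
    # Minimal assumed rules for sudo itself.
    capability setuid,
    capability setgid,
    /etc/sudoers r,
    /etc/sudoers.d/ r,
    /etc/sudoers.d/* r,

    # Does not work: from inside this child profile the Cx target
    # "learn_address" is not resolved to the sibling child defined below,
    # and the exec ends up in a null-* profile like the one in the audit
    # line quoted above.
    #/etc/openvpn/scripts/learn-address.sh rCx -> learn_address,

    # Works: name the sibling child profile by its fully qualified name.
    /etc/openvpn/scripts/learn-address.sh rpx -> /usr/sbin/openvpn//learn_address,
  }

  profile learn_address {
    #include <abstractions/base>
    /etc/openvpn/scripts/learn-address.sh r,
    # Assumed interpreter (/bin/sh is dash on Ubuntu 12.04); ix keeps it
    # and ipset confined to this profile rather than spawning new ones.
    /bin/dash rix,
    /usr/sbin/ipset rix,
  }
}
```

Load it with `apparmor_parser -r` while the profile is in complain mode (`aa-complain`), then confirm the audit log reports the exec of ipset under `/usr/sbin/openvpn//learn_address` rather than under a `null-*` target.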