[apparmor] Some apparmor profile statements are not honored for an application

John Ernberg john.ernberg at actia.se
Mon Aug 31 14:54:06 UTC 2020


Hi,

I seem to have a bit of an odd problem in that some of the profile 
statements do not appear to be honored, and the library loads the statements 
allow are thus denied. This is the only program in the system so far 
that is running confined. The program in question only handles files and 
library loads.

I double-checked the syntax of the failing rules; they are aligned with 
functional rules. I redid them by copy-pasting the file name from the 
audit message and then copy-pasting the flags from a functional rule, 
just to be sure. No change.

I have checked the state machine produced with apparmor_parser -D 
dfa-states and it looks correct. However, when I dump the state machine 
transitions in the kernel by logging in aa_dfa_match, they are a little 
off compared to the state machine generated by the apparmor_parser -D 
dfa-states command; it really looks like the machine makes incorrect 
lookups.

I have noticed transitions to IDs other than those expected when 
comparing to the dfa-states, and it seems to start skipping characters 
in the paths or going beyond the end of the path string for some paths.
These paths are the paths for which statements are not honored.

Trying to add debug output to the match_char macro on the kernel side seems 
to break the state machine completely, so I wasn't able to debug further 
along this route.

I'm running version 2.13.3 of the userspace tools, and kernel 5.4.24 
(vendor kernel, can't upgrade, can't try mainline due to missing support 
for the SoC I'm using), with the latest 5.4 stable patches for apparmor 
applied on top.

The rules are compiled on my machine (x86_64) and embedded in my target's 
(aarch64) read-only rootfs. The target has a read-only filesystem.

The rule is loaded on the target with the following command:
     /sbin/apparmor_parser -K -B /etc/apparmor.d/myprogram
where myprogram is the profile for my program.

So far I have not been able to create a shareable reproducer, which, 
unfortunately, makes this all the harder.

I would appreciate any suggestions on how to proceed or what kind of 
info I should be looking at in order to find out what is going wrong.

Thank you in advance.

Best regards // John Ernberg

(not subscribed to the mailing list)
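The post compares the transitions logged in aa_dfa_match against the apparmor_parser -D dfa-states dump and finds them diverging at particular path bytes. The following is an added example (not code from the post or from the AppArmor project) that models, in simplified form, the packed base/next/check/default table walk that the kernel's match_char macro performs, and shows how to locate the first byte at which an observed transition trace departs from the expected one. The rule set, the table packing, the injected bad next-state ID and all function names are constructed for illustration; the real binary format also carries equivalence classes, accept tables and per-state flags, which are omitted here, and the injected fault is not a claim about the root cause of the problem described above.

```python
"""Simplified model of the packed-DFA walk in the AppArmor kernel matcher (added example)."""

DEAD, START = 0, 1   # state 0 = trap/reject state, state 1 = start state

def build_trie(rules):
    """Build an uncompressed DFA (a trie) from {path: perms}.
    Returns (transitions, accept): transitions[state][byte] -> state, accept[state] -> perms."""
    transitions = {DEAD: {}, START: {}}
    accept = {DEAD: "", START: ""}
    for path, perms in rules.items():
        state = START
        for byte in path.encode():
            nxt = transitions[state].get(byte)
            if nxt is None:
                nxt = len(transitions)
                transitions[nxt] = {}
                accept[nxt] = ""
                transitions[state][byte] = nxt
            state = nxt
        accept[state] = perms
    return transitions, accept

def pack(transitions):
    """Comb-vector packing into base/next/check/default arrays, the layout the kernel walks.
    (The real format also carries equivalence classes, flags and accept tables; omitted here.)"""
    n = len(transitions)
    base, default = [0] * n, [DEAD] * n
    next_, check = [], []          # check[pos] == owning state, or -1 for an unused slot
    for state in range(n):
        edges = transitions[state]
        if not edges:
            continue
        b = 0
        while True:
            while len(next_) < b + 256:
                next_.append(DEAD)
                check.append(-1)
            if all(check[b + c] == -1 for c in edges):
                break
            b += 1
        base[state] = b
        for c, target in edges.items():
            next_[b + c] = target
            check[b + c] = state
    return {"base": base, "next": next_, "check": check, "default": default}

def match(tables, accept, path):
    """Walk the tables one byte at a time, as aa_dfa_match's match_char does (simplified).
    Returns (perms, trace); trace lists (char, state-after) so it can be compared to a kernel log."""
    base, next_, check, default = (tables[k] for k in ("base", "next", "check", "default"))
    state, trace = START, []
    for c in path.encode():
        pos = base[state] + c
        if pos < len(check) and check[pos] == state:
            state = next_[pos]          # real transition owned by this state
        else:
            state = default[state]      # no such edge: take the default (here: reject)
        trace.append((chr(c), state))
        if state == DEAD:
            break
    return accept.get(state, ""), trace

def first_divergence(expected, observed):
    """Index of the first (char, state) pair where two traces disagree, or None if identical."""
    for i, (e, o) in enumerate(zip(expected, observed)):
        if e != o:
            return i
    return None if len(expected) == len(observed) else min(len(expected), len(observed))

def corrupt_transition(tables, state, byte, wrong_target):
    """Copy of the tables with one next-state ID rewired. This is a constructed fault used
    only to exercise the trace comparison; it says nothing about the real root cause."""
    bad = {k: list(v) for k, v in tables.items()}
    bad["next"][bad["base"][state] + byte] = wrong_target
    return bad

# Constructed sample rules standing in for profile entries (not from the post).
RULES = {"/usr/lib/libfoo.so.1": "mr", "/etc/myprogram.conf": "r"}
TRANSITIONS, ACCEPT = build_trie(RULES)
TABLES = pack(TRANSITIONS)

if __name__ == "__main__":
    path = "/usr/lib/libfoo.so.1"
    perms, expected = match(TABLES, ACCEPT, path)
    state_after_usr = expected[4][1]               # state reached after "/usr/"
    bad = corrupt_transition(TABLES, state_after_usr, ord("l"), DEAD)
    obs_perms, observed = match(bad, ACCEPT, path)
    print("host tables:  ", perms or "DENIED", expected)
    print("target tables:", obs_perms or "DENIED", observed)
    print("first divergence at byte index", first_divergence(expected, observed))
```

Run as-is, the script walks a library path through the correctly packed tables and through a copy with one transition rewired, then reports the index of the first byte where the two traces disagree. Pairing a host-side trace of this shape with the per-byte state IDs logged from the kernel walk narrows a mismatch to a single state and input byte, which is the point at which the dfa-states dump and the loaded tables should be compared directly.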

