[pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

[Christian Boltz]

Hello,

Am Sonntag, 21. Oktober 2018, 09:29:09 CEST schrieb intrigeri:
> With 2.13.1:
> 
>   # aa-complain thunderbird
>   Setting /usr/bin/thunderbird to complain mode.
> 
>   ERROR: /etc/apparmor.d/usr.bin.thunderbird doesn't contain a valid
> profile for /usr/bin/thunderbird (syntax error?)
> 
> … and the profile is not set to complain mode.

I had a look at the profile in apparmor-profiles/ubuntu/18.10.
Vincas found a new, creative way to confuse aa-complain ;-)

    @{thunderbird_executable} = /usr/lib/thunderbird/thunderbird{,-bin}
    # ...
    profile thunderbird @{thunderbird_executable} {

The tools currently don't expand variables when matching the profile 
name, therefore it's not surprising that the profile isn't found. 

Additionally, checking the profile name "thunderbird" will also fail 
because aa-complain first does a "which thunderbird" and then checks 
with the full path (tools.py get_next_to_profile()).

As usual if I do some tests, I found more issues:
- the attachment won't be checked if a profile has a name (so using a 
  variable currently doesn't matter ;-)
- aa-complain first does a "which thunderbird" and then checks with the 
  full path, so the profile name also won't match - "thunderbird" != 
  "/usr/bin/thunderbird"
- profile names with alternations (without attachment specification) 
  will also not match because aa.py get_profile_filename() doesn't use 
  AARE

Unfortunately fixing that will need some bigger changes - I'll need to 
replace the existing_profiles dict with something better before I can 
even start to work on adding AARE support etc. Well, actually that 
"something better" will probably handle AARE internally, but I'll still 
need to adjust all places that use existing_profiles to use the 
"something better" ;-)

Unfortunately "bigger changes" also means that backporting might be 
risky :-( - but that still sounds better than keeping all the bugs 
mentioned above.


Maybe (additionally) matching the aa-complain parameter against the 
profile name would be an easy option/workaround, but I'm undecided if 
this is a good idea because it could also cause false positives - 
opinions?

Or to ask the other way round - assuming you have
    profile foo /bin/bar { ... }
should   aa-complain foo   find that profile?

> However, "aa-complain /etc/apparmor.d/usr.bin.thunderbird" works just
> fine: it sets both the thunderbird profile and its child gpg profile
> to complain mode :)  

Right. Currently this way works much better than giving the executable 
as parameter.

> I find this surprising given aa-complain(8) does
> not mention this is possible at all.

Indeed, nice catch ;-)

Can you please open a merge request to update the manpage?
(probably also affects aa-enforce, aa-audit and aa-disable)

While on it, please also adjust the --help of these tools ;-)


Regards,

Christian Boltz
-- 
I fear that we'll get a shouting match - "my fonts look ugly";
"no, they don't!"; "yes, they do!" :)  [Federico Mena Quintero
        in https://bugzilla.novell.com/show_bug.cgi?id=220814]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20181021/4e3a9eba/attachment-0001.sig>