[pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails
Christian Boltz
debian-bugs at cboltz.de
Sun Oct 21 15:49:29 BST 2018
Hello,
On Sunday, 21 October 2018, 09:29:09 CEST, intrigeri wrote:
> With 2.13.1:
>
> # aa-complain thunderbird
> Setting /usr/bin/thunderbird to complain mode.
>
> ERROR: /etc/apparmor.d/usr.bin.thunderbird doesn't contain a valid
> profile for /usr/bin/thunderbird (syntax error?)
>
> … and the profile is not set to complain mode.
I had a look at the profile in apparmor-profiles/ubuntu/18.10.
Vincas found a new, creative way to confuse aa-complain ;-)
@{thunderbird_executable} = /usr/lib/thunderbird/thunderbird{,-bin}
# ...
profile thunderbird @{thunderbird_executable} {
The tools currently don't expand variables when matching the profile
name, therefore it's not surprising that the profile isn't found.
Additionally, checking the profile name "thunderbird" will also fail
because aa-complain first does a "which thunderbird" and then checks
with the full path (tools.py get_next_to_profile()).
As usual when I do some tests, I found more issues:
- the attachment won't be checked if a profile has a name (so using a
variable currently doesn't matter ;-)
- aa-complain first does a "which thunderbird" and then checks with the
full path, so the profile name also won't match - "thunderbird" !=
"/usr/bin/thunderbird"
- profile names with alternations (without attachment specification)
will also not match because aa.py get_profile_filename() doesn't use
AARE
Unfortunately fixing that will need some bigger changes - I'll need to
replace the existing_profiles dict with something better before I can
even start to work on adding AARE support etc. Well, actually that
"something better" will probably handle AARE internally, but I'll still
need to adjust all places that use existing_profiles to use the
"something better" ;-)
Unfortunately "bigger changes" also means that backporting might be
risky :-( - but that still sounds better than keeping all the bugs
mentioned above.
Maybe (additionally) matching the aa-complain parameter against the
profile name would be an easy option/workaround, but I'm undecided if
this is a good idea because it could also cause false positives -
opinions?
Or to ask the other way round - assuming you have
profile foo /bin/bar { ... }
should aa-complain foo find that profile?
> However, "aa-complain /etc/apparmor.d/usr.bin.thunderbird" works just
> fine: it sets both the thunderbird profile and its child gpg profile
> to complain mode :)
Right. Currently this way works much better than giving the executable
as parameter.
> I find this surprising given aa-complain(8) does
> not mention this is possible at all.
Indeed, nice catch ;-)
Can you please open a merge request to update the manpage?
(probably also affects aa-enforce, aa-audit and aa-disable)
While on it, please also adjust the --help of these tools ;-)
Regards,
Christian Boltz
--
I fear that we'll get a shouting match - "my fonts look ugly";
"no, they don't!"; "yes, they do!" :) [Federico Mena Quintero
in https://bugzilla.novell.com/show_bug.cgi?id=220814]
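As an added illustration of the matching problem described in the message above (example code written for this page, not part of the AppArmor utils or of this thread): a small parser that reads @{var} definitions and profile headers from a constructed profile text, expands variables and {a,b} alternations, and checks an executable path against them. The regexes, the function names and the sample profile are assumptions of this example.

```python
import re
from itertools import product
# Constructed sample, modelled on the profile header quoted in the mail above.
SAMPLE_PROFILE = """
@{thunderbird_executable} = /usr/lib/thunderbird/thunderbird{,-bin}
profile thunderbird @{thunderbird_executable} {
}
"""
VAR_RE = re.compile(r'^@\{(\w+)\}\s*=\s*(.+)$', re.M)
# "profile NAME ATTACHMENT {" or "ATTACHMENT {"; flags=(...) and name-only headers are not parsed.
HEADER_RE = re.compile(r'^(?:profile\s+(\S+)\s+)?(\S+)\s*\{\s*$', re.M)

def parse_variables(text):
    """Map each @{name} = ... definition to its list of values."""
    return {name: vals.split() for name, vals in VAR_RE.findall(text)}

def expand_variables(s, variables):
    """Yield s once per combination of values of the @{vars} it references."""
    names = re.findall(r'@\{(\w+)\}', s)
    for combo in product(*(variables[n] for n in names)):
        out = s
        for n, v in zip(names, combo):
            out = out.replace('@{%s}' % n, v, 1)
        yield out

def aare_to_regex(aare):
    """Translate the {a,b}, *, ** and ? of an AppArmor path expression into a regex."""
    out, depth, i = '', 0, 0
    while i < len(aare):
        c = aare[i]
        if aare.startswith('**', i): out += '.*'; i += 2; continue
        if c == '*': out += '[^/]*'
        elif c == '?': out += '[^/]'
        elif c == '{': out += '(?:'; depth += 1
        elif c == '}' and depth: out += ')'; depth -= 1
        elif c == ',' and depth: out += '|'
        else: out += re.escape(c)
        i += 1
    return '^' + out + '$'

def find_profile(text, exe):
    """Name of the profile whose expanded attachment matches exe, or None.
    Comparing the raw header text '@{thunderbird_executable}' with exe would never match."""
    variables = parse_variables(text)
    for name, attachment in HEADER_RE.findall(text):
        for candidate in expand_variables(attachment, variables):
            if re.match(aare_to_regex(candidate), exe):
                return name or attachment
    return None
```

Running find_profile(SAMPLE_PROFILE, '/usr/lib/thunderbird/thunderbird-bin') returns 'thunderbird', while '/usr/bin/thunderbird' (the result of "which thunderbird") returns None, which is the mismatch the message describes.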