
Bug#661151: [apparmor] Bug#661151: linux-2.6: lacks AppArmor kernel/userspace interface



intrigeri wrote (31 May 2012 13:14:13 GMT) :
>> Looking back over the bug log, I see that wasn't requested, so I'm
>> only applying 'AppArmor: compatibility patch for v5 interface' now.

Unfortunately, the resulting kernel (linux-image-3.2.0-2-amd64
3.2.19-1), combined with the AppArmor userspace tools currently in sid
(2.7.103-2), displays worse behaviour than the previous one.

Loading a profile shipped with apparmor-profiles fails:

  $ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.avahi-daemon
  apparmor_parser: Unable to replace "/usr/sbin/avahi-daemon".  Profile doesn't conform to protocol
  zsh: exit 234   sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.avahi-daemon

... as a result, usr.sbin.avahi-daemon does not show up in the
cache directory.

Another one fails differently:

  $ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.chromium-browser 
  zsh: exit 185   sudo apparmor_parser -r /etc/apparmor.d/usr.bin.chromium-browser

... but is cached nevertheless:

  $ ls -l /etc/apparmor.d/cache/usr.bin.chromium-browser
  -rw------- 1 root root 251K juin   2 18:59 /etc/apparmor.d/cache/usr.bin.chromium-browser

Kernel log excerpt for this last attempt:

  type=1400 audit(1338678658.161:166): apparmor="STATUS" info="failed to unpack profile" error=-71 pid=21836 comm="apparmor_parser" name="/usr/lib/chromium-browser/chromium-browser" offset=171
  type=1400 audit(1338678658.161:167): apparmor="STATUS" operation="profile_replace" pid=21836 comm="apparmor_parser"
  audit(1338678658.165:168): apparmor="STATUS" info="failed to unpack profile" error=-71 pid=21836 comm="apparmor_parser" name="/usr/lib/chromium-browser/chromium-browser//browser_java" offset=166
  type=1400 audit(1338678658.165:169): apparmor="STATUS" operation="profile_replace" pid=21836 comm="apparmor_parser"

In any case, neither the profiles that end up cached nor the ones that
seemingly fail to load earlier are applied to processes. So, this is
a regression against the previous state of AppArmor support in Debian.

I'm unsure whether the kernel is at fault / is the place where something
must be improved.

John, Kees, could you please check why the patch that was applied to
this Debian kernel could possibly expose such a bug?

I've seen similar old issues on Launchpad (e.g. LP#968956), but most
don't apply to the version of the userspace tools we ship in sid.
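As an added example (not part of the bug report, the Debian kernel, or AppArmor's own tooling): a small Python parser for the type=1400 STATUS records quoted above that picks out the "failed to unpack profile" events and maps the negative errno to its Linux name, so a profile load that fails but still lands in the cache can be spotted from the kernel log. The sample log is the report's excerpt re-joined onto one record per line; the errno table is a hand-written subset of Linux values.

```python
import re

# Constructed sample: the four audit records from the bug report, one record
# per line (the mail client had wrapped them; record 168 lacks its type=1400
# prefix in the report, and is kept that way here).
SAMPLE_LOG = """\
type=1400 audit(1338678658.161:166): apparmor="STATUS" info="failed to unpack profile" error=-71 pid=21836 comm="apparmor_parser" name="/usr/lib/chromium-browser/chromium-browser" offset=171
type=1400 audit(1338678658.161:167): apparmor="STATUS" operation="profile_replace" pid=21836 comm="apparmor_parser"
audit(1338678658.165:168): apparmor="STATUS" info="failed to unpack profile" error=-71 pid=21836 comm="apparmor_parser" name="/usr/lib/chromium-browser/chromium-browser//browser_java" offset=166
type=1400 audit(1338678658.165:169): apparmor="STATUS" operation="profile_replace" pid=21836 comm="apparmor_parser"
"""

# Linux errno numbers the kernel reports (negated) in error=...; -71 is EPROTO,
# which apparmor_parser surfaces as "Profile doesn't conform to protocol".
LINUX_ERRNO = {71: "EPROTO", 22: "EINVAL", 12: "ENOMEM", 2: "ENOENT"}

# audit(<epoch.ms>:<serial>): header, and key=value pairs whose value is
# either a "quoted string" (may contain spaces) or a bare token.
_AUDIT = re.compile(r"\baudit\((\d+\.\d+):(\d+)\):")
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Return the fields of one audit record as a dict, or None if the line
    carries no audit(...) header. Quotes are stripped from quoted values."""
    m = _AUDIT.search(line)
    if m is None:
        return None
    fields = {"_time": m.group(1), "_serial": int(m.group(2))}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def failed_profile_loads(log_text):
    """Return (serial, profile name, errno name, offset) for every AppArmor
    STATUS record that reports an unpack failure."""
    failures = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec.get("apparmor") != "STATUS":
            continue
        if rec.get("info") != "failed to unpack profile":
            continue
        err = abs(int(rec.get("error", "0")))
        failures.append((rec["_serial"], rec.get("name", "?"),
                         LINUX_ERRNO.get(err, f"errno {err}"),
                         int(rec.get("offset", -1))))
    return failures
```

Run it over `dmesg` or the audit log after an `apparmor_parser -r`; an empty result means the kernel accepted every profile it was handed, independent of what the cache directory contains.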


