Px and Ux do not work with globs

Bug #139105 reported by Martin Pitt
Affects: apparmor (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Binary package hint: apparmor

In order to solve bug 133818 I need a rule

  # filters are always run as non-root, and there are a lot of
  # third-party drivers which we cannot predict
  /usr/lib/cups/filter/* Ux,

since programs in this directory are always executed as a non-root system user by cups. However, this is rejected: "ERROR processing regexs for profile /usr/sbin/cupsd, failed to load". "Px" does not work either. However, "ix" works, so in general, globs do work for subprocesses.

This forces me to give much more privileges to cupsd itself than necessary. cupsd runs as root, so it really matters there, but the filters do not really need confinement (and can't have, since there are a lot of third-party drivers out there which need unpredictable resources).

Dominic Reynolds (dominicr) wrote:

What version of apparmor are you using? I'm assuming that this rejection is from the parser (is displayed when you run /etc/init.d/apparmor reload?).

Martin Pitt (pitti) wrote:

Dominic,

right, this is from /etc/init.d/apparmor reload.

I am using version 2.1+961-0ubuntu1, which I built myself from the current Gutsy source package. The previous version is not compatible with the current Gutsy kernel (which has the 2.1 module), and the current source does not build at the moment (since it build-depends on latex2html which is in multiverse).

John Johansen (jjohansen) wrote:

It sounds like there are two or more rules in the profile that overlap and have conflicting x modes. AppArmor requires that there is only a single x mode for any given match.

e.g.
/usr/lib/cups/filter/* Ux,
/usr/lib/** ix,

will conflict because the rule with ix overlaps the rule using Ux. The DFA in AppArmor 2.1 will detect any overlaps that have conflicting x modes and fail the profile load.

Can you attach, or email, the profile you are trying to load?

Martin Pitt (pitti) wrote:

Hm, that is indeed the case. I already have

  /usr/lib/cups/** ixr,

and some specialized rules like

  /usr/lib/cups/backend/cups-pdf Px,

so that

  /usr/lib/cups/filter/* Ux,

is a subset of the first rule. It seems that apparmor does not have a concept of "prefer more special rules", which would allow that, and other useful constructions like generally permit reading of /etc/** but do not permit reading of /etc/shadow.

Thanks for pointing me at it. I'll reformulate the first /usr/lib/** rule.
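The following profile fragment is an added example, not the profile attached to this bug nor the Ubuntu cups profile. It shows the three rules quoted in the thread in the combination the 2.1 parser rejects, and one reformulation that satisfies the single-x-mode requirement John describes: the broad rule is reduced to read access, and every execute rule is given a path set that no other execute rule can match. The profile name, the `/usr/lib/cups/daemon/*` rule and the idea that only these directories need execute access are assumptions for illustration.

```apparmor
# Added example, not from the bug report. Execute modes used below:
#   ix  run the target under this same profile
#   Px  switch to the target's own profile (environment scrubbed)
#   Ux  run the target unconfined (environment scrubbed)
# Two rules that can match the same path must agree on the x mode;
# otherwise the parser refuses to load the whole profile.
/usr/sbin/cupsd {

  # Rejected combination (the rules quoted in this thread). The filter
  # rule is a strict subset of the catch-all, and the two ask for
  # different x modes (ix vs Ux), so the DFA build fails with
  # "failed to load". The cups-pdf rule collides with the catch-all
  # in the same way (ix vs Px).
  #
  #   /usr/lib/cups/** ixr,
  #   /usr/lib/cups/backend/cups-pdf Px,
  #   /usr/lib/cups/filter/* Ux,

  # Accepted reformulation. Keep the broad rule for reading only:
  # "r" carries no x mode, so it cannot conflict with any execute rule.
  /usr/lib/cups/** r,

  # Each execute rule gets its own path set. The parser has no
  # "most specific rule wins", so the carve-out is done by hand:
  # a rule such as "/usr/lib/cups/backend/* ix," would overlap the
  # cups-pdf rule and reintroduce the conflict.
  /usr/lib/cups/filter/* Ux,
  /usr/lib/cups/backend/cups-pdf Px,
  /usr/lib/cups/daemon/* ixr,   # assumed: helpers that stay under this profile
}
```

The cost of this layout is the one Martin points out: without a "prefer the more specific rule" semantics, any new directory that needs execution must be listed explicitly, and a later catch-all with an x mode must not reach into a directory that already has a more specific execute rule.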

Changed in apparmor:
status: New → Invalid