AppArmor file permission 'append' denies file creation

Asked by Damian Gerow on 2014-07-07

All this work is being done on an up-to-date 14.04 server running apparmor{-profiles,-utils} 2.8.95~2430-0ubuntu5.

While trying to sort out the appropriate AppArmor bits to control logging, I'm seeing the file permission 'append' deny create access to a file, where I would have expected this to not be denied. It also denies 'file_perm', but it's unclear if this would be expected to work. I can fix the situation by updating the profile to use the 'write' permission instead of 'append', but this is less than ideal.

http://manpages.ubuntu.com/manpages/trusty/en/man5/apparmor.d.5.html indicates that the 'append' file permission "Allows the program to have a limited appending only write access to the file."

In addition, http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference explicitly states that 'append' grants "permission to create, and extend a file. The append permission is limited that it only gives permission for applications to open a file with O_APPEND, it can not be used to enforce a generic file write is append only."

From https://en.opensuse.org/Archive:AppArmor_2_3_changes#Minor_Semantic_Changes, it appears as though granting 'create' permissions to 'append' is new in AppArmor 2.3.

However, in writing up a simple test program in Go, I'm seeing AppArmor deny create permissions where 'append' is allowed.

The Go code:
-----
func main() {
        logFile, err = os.OpenFile("/opt/test/log/test.log", os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
        n, err := logFile.WriteString("direct write\n")
        if err != nil {
                fmt.Println(n, err)
        }
        log.SetOutput(logFile)
        log.Println("Log file initialized.")
        logFile.Close()
}
-----

The AppArmor profile:
-----
#include <tunables/global>

/opt/test/bin/test {
  #include <abstractions/base>

  /opt/test/log/test.log a,
}
-----

When set to enforce, the program spits out an error:
-----
% /opt/test/bin/test
0 invalid argument
%
-----

And AppArmor logs the DENIED message:
-----
kernel: [ 5687.957758] type=1400 audit(1404743687.548:92): apparmor="DENIED" operation="open" profile="/opt/test/bin/test" name="/opt/test/log/test.log" pid=7766 comm="test" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
-----

When set to complain, the program works as expected (as expected):
-----
% /opt/test/bin/test
%
-----

And AppArmor logs three calls with which it has an issue:
-----
kernel: [ 5949.505626] type=1400 audit(1404743948.872:98): apparmor="ALLOWED" operation="open" profile="/opt/test/bin/test" name="/opt/test/log/test.log" pid=8158 comm="test" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
kernel: [ 5949.505643] type=1400 audit(1404743948.872:99): apparmor="ALLOWED" operation="file_perm" profile="/opt/test/bin/test" name="/opt/test/log/test.log" pid=8158 comm="test" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
kernel: [ 5949.505758] type=1400 audit(1404743948.872:100): apparmor="ALLOWED" operation="file_perm" profile="/opt/test/bin/test" name="/opt/test/log/test.log" pid=8158 comm="test" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
-----

I'm not sure what's going on with the 'file_perm' stuff either -- I thought that would have required 'chmod', but that doesn't appear to be the case.

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu apparmor Edit question
Assignee:
No assignee Edit question
Last query:
2014-07-07
Last reply:
2014-07-08

I suggest you report a bug

Can you help with this problem?

Provide an answer of your own, or ask Damian Gerow for more information if necessary.

To post a message you must log in.