Bug 911146 - sec-policy/apparmor-profiles-3.1.4: zgrep profile causes permission denied in zgrep with app-alternatives/gzip
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2023-07-24 16:28 UTC by Jonas Rakebrandt
Modified: 2024-02-14 09:48 UTC
Description Jonas Rakebrandt 2023-07-24 16:28:49 UTC
Executing zgrep gives a "permission denied" error when running with apparmor enabled.
Logs show that apparmor denies execution of /usr/bin/pigz or /usr/bin/gzip-reference (depending on USE choice in app-alternatives/gzip) because the allowed /usr/bin/gzip is just a symlink to the alternatives.

Reproducible: Always

Steps to Reproduce:
1. Have an apparmor-enabled system
2. Try to use zgrep (e.g. zgrep HZ /proc/config.gz)
Actual Results:  
zgrep fails with "permission denied"

Expected Results:  
zgrep returns the results
Comment 1 Thomas Schneider 2023-09-06 14:31:04 UTC
Workaround:

# cat /etc/apparmor.d/local/zgrep
# Site-specific additions and overrides for 'zgrep'
/bin/gzip-reference Cx -> helper,
/bin/grep Cx -> helper,

Depending on /usr merge or app-alternatives/gzip choice, adjust the paths as needed and reload the profile afterwards.
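
The following shell functions, an added example that is not from the bug report or the apparmor-profiles package, generate the local override rules from the resolved paths of the helper binaries instead of hand-editing them. The function names and the sample tree are constructed for illustration; the main profile path in the closing comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report): build local/zgrep rules from the
# resolved paths of the helpers. AppArmor matches the path after symlinks are
# followed, so a rule for the /usr/bin/gzip symlink does not cover its target.

# Print the canonical path of $1 (all symlinks followed, including /bin -> /usr/bin).
resolve_exec() {
    readlink -f -- "$1"
}

# Print one "Cx -> helper," rule per distinct resolved target of the given paths.
# "helper" is the child profile name used in the workaround above.
zgrep_local_rules() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "skip: $p not found" >&2
            continue
        fi
        real=$(resolve_exec "$p")
        case $real in
            *[!A-Za-z0-9/._+-]*)
                # Glob or whitespace characters would change the rule's meaning.
                echo "skip: $real needs manual quoting" >&2
                continue ;;
        esac
        printf '%s Cx -> helper,\n' "$real"
    done | sort -u
}

# Constructed sample tree: bin/gzip is a symlink to bin/gzip-reference, as
# app-alternatives/gzip would set it up; bin/grep is a regular file.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin"
    : > "$root/bin/gzip-reference"
    : > "$root/bin/grep"
    ln -s gzip-reference "$root/bin/gzip"
    zgrep_local_rules "$root/bin/gzip" "$root/bin/grep" "$root/bin/missing"
    rm -rf "$root"
}

# On a real system (run as root; main profile path is an assumption):
#   zgrep_local_rules /usr/bin/gzip /usr/bin/grep > /etc/apparmor.d/local/zgrep
#   apparmor_parser -r /etc/apparmor.d/zgrep
demo
```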