Running tasks are not subject to reloaded policies
Bug #1236455 reported by Serge Hallyn
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Undecided | Unassigned |
linux (Ubuntu) | Fix Released | High | Unassigned |
Saucy | Fix Released | High | Unassigned |
Trusty | Fix Released | High | Unassigned |
Bug Description
As of saucy, if you start /usr/bin/foo under an existing policy defined
in /etc/apparmor.
with updated permissions, then the running tasks are not subject to the
new permissions.
A testcase is at http://
passes in precise, and fails in saucy.
This came up in the libvirt regression testsuite. When it tries to
virsh attach-device, then the existing libvirt task's policy must be
updated to allow it to access the new device image file. The test fails
with EACCES trying to open the image file after loading the new policy.
Changed in apparmor (Ubuntu):
importance: Undecided → High
tags: added: application-confinement
Changed in apparmor (Ubuntu Saucy):
status: New → Confirmed
importance: Undecided → High
milestone: none → saucy-updates
Changed in apparmor (Ubuntu Saucy):
status: Confirmed → Fix Committed
Changed in apparmor:
status: New → Fix Released
no longer affects: linux
affects: apparmor (Ubuntu Saucy) → linux (Ubuntu Saucy)
Changed in linux (Ubuntu Trusty):
status: Confirmed → Fix Released
Status changed to 'Confirmed' because the bug affects multiple users.