From 741de7f87b615226b4920a09fb2931d1d9222d36 Mon Sep 17 00:00:00 2001
From: Tyler Hicks
Date: Fri, 10 Mar 2017 23:16:43 +0000
Subject: [PATCH 1/2] parser: Preserve unknown profiles when restarting apparmor init/job/unit CVE-2017-6507 https://launchpad.net/bugs/1668892 The common AppArmor 'restart' code used by some init scripts, upstart jobs, and/or systemd units contained functionality that is no longer appropriate to retain. Any profiles not found /etc/apparmor.d/ were assumed to be obsolete and were unloaded. That behavior became problematic now that there's a growing number of projects that maintain their own internal set of AppArmor profiles outside of /etc/apparmor.d/. It resulted in the AppArmor 'restart' code leaving some important processes running unconfined. A couple examples are profiles managed by LXD and Docker.
Signed-off-by: Tyler Hicks
---
 parser/rc.apparmor.functions | 27 ---------------------------
 1 file changed, 27 deletions(-)

diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions
index ecff317..d8907ec 100644
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -451,34 +451,7 @@ __apparmor_restart() {
  configure_owlsm
  parse_profiles reload
 
- # Clean out running profiles not associated with the current profile
- # set, excluding the libvirt dynamically generated profiles.
- # Note that we reverse sort the list of profiles to remove to
- # ensure that child profiles (e.g. hats) are removed before the
- # parent. We *do* need to remove the child profile and not rely
- # on removing the parent profile when the profile has had its
- # child profile names changed.
- profiles_names_list | awk '
-BEGIN {
- while (getline < "'${SFS_MOUNTPOINT}'/profiles" ) {
- str = sub(/ \((enforce|complain)\)$/, "", $0);
- if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0)
- arr[$str] = $str
- }
-}
-
-{ if (length(arr[$0]) > 0) { delete arr[$0] } }
-END {
- for (key in arr)
- if (length(arr[key]) > 0) {
- printf("%s\n", arr[key])
- }
-}
-' | LC_COLLATE=C sort -r | while IFS= read profile ; do
- echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
- done
-
  # will not catch all errors, but still better than nothing
  rc=$?
  aa_log_end_msg $rc
  return $rc
-- 
2.7.4