apparmor policy forbids running various /bin/*

Bug #1400306 reported by Martin Pitt
Affects: apparmor-easyprof-ubuntu-snappy (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Jamie Strandboge

Bug Description

A project of mine calls uname in its wrappers:

/apps/testapp/0.1/setup.sh: line 21: /bin/uname: Permission denied

[ 993.457524] audit: type=1400 audit(1418042729.948:12): apparmor="DENIED" operation="exec" profile="testapp_testbin_0.1" name="/bin/uname" pid=1032 comm="testbin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[ 993.457556] audit: type=1400 audit(1418042729.948:13): apparmor="DENIED" operation="open" profile="testapp_testbin_0.1" name="/bin/uname" pid=1032 comm="testbin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
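
The two audit records above are what a defender has to work with when a confined app starts failing: each is a flat `key="value"` line naming the profile, the path, the operation and the permission bits that were denied. As an added example (not part of this bug report or of the apparmor-easyprof-ubuntu-snappy package), the following Python parses AppArmor audit lines into fields, groups the DENIED events by profile and path, and derives a candidate rule for each group in the same spirit as `aa-logprof`. The third sample line and the non-audit line are constructed, and the choice of `ix` as the exec mode is an assumption made here; the policy change that actually fixed this bug is the one in the changelog further down, not the output of this script.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample log: the two denials quoted in the bug report, plus one
# ALLOWED record and one unrelated kernel line so the parser's filtering shows.
SAMPLE_LOG = """\
[  993.457524] audit: type=1400 audit(1418042729.948:12): apparmor="DENIED" operation="exec" profile="testapp_testbin_0.1" name="/bin/uname" pid=1032 comm="testbin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[  993.457556] audit: type=1400 audit(1418042729.948:13): apparmor="DENIED" operation="open" profile="testapp_testbin_0.1" name="/bin/uname" pid=1032 comm="testbin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  993.457600] audit: type=1400 audit(1418042729.948:14): apparmor="ALLOWED" operation="open" profile="testapp_testbin_0.1" name="/etc/inputrc" pid=1032 comm="testbin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  993.460000] usb 1-1: new high-speed USB device number 2 using ehci-pci
"""

# Matches key="quoted value" or key=bareword; the audit(...) timestamp has no
# '=' and is skipped, as is the dmesg prefix.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Summary entry: operations seen, union of denied permission letters, hit count.
Entry = Dict[str, object]


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of an AppArmor audit line, or None if the
    line is not an AppArmor record at all."""
    if "apparmor=" not in line:
        return None
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def summarize_denials(log_text: str) -> Dict[Tuple[str, str], Entry]:
    """Group DENIED events by (profile, path) and union their denied masks.
    ALLOWED (complain-mode) records and non-AppArmor lines are ignored."""
    summary: Dict[Tuple[str, str], Entry] = {}
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        key = (ev["profile"], ev["name"])
        entry = summary.setdefault(
            key, {"operations": set(), "denied_mask": set(), "count": 0}
        )
        entry["operations"].add(ev["operation"])          # type: ignore[union-attr]
        entry["denied_mask"].update(ev["denied_mask"])     # type: ignore[union-attr]
        entry["count"] += 1                                # type: ignore[operator]
    return summary


def suggest_rule(path: str, masks: Set[str]) -> str:
    """Build one AppArmor file rule granting exactly the denied permissions.
    For exec ('x') this example assumes 'ix' (child inherits the current
    profile); px/cx/ux are the alternatives and the right one is a policy
    decision, not something the log can tell you."""
    perms = "".join(c for c in "rwaklm" if c in masks)
    if "x" in masks:
        perms = "ix" + perms
    return f"{path} {perms},"


def render_candidate_rules(summary: Dict[Tuple[str, str], Entry]) -> list:
    """One candidate rule per (profile, path), in a stable order for review."""
    return [
        suggest_rule(path, entry["denied_mask"])  # type: ignore[arg-type]
        for (_profile, path), entry in sorted(summary.items())
    ]


if __name__ == "__main__":
    result = summarize_denials(SAMPLE_LOG)
    for (profile, path), entry in sorted(result.items()):
        print(f"{profile}: {path} denied {entry['count']}x "
              f"ops={sorted(entry['operations'])} mask={''.join(sorted(entry['denied_mask']))}")
    print("candidate rules:")
    for rule in render_candidate_rules(result):
        print("  " + rule)
```

The point of grouping before suggesting is that a single missing binary shows up as two denials (the `exec` and the `open` of the same file, as in the report), and a rule written from only the first line would still leave the app broken. Anything this emits is a starting point for a human review of the profile, since the log cannot say whether the access should be allowed at all.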

Martin Pitt (pitti)
summary: - apparmor policy forbids running uname
+ apparmor policy forbids running /bin/uname
Changed in snappy-ubuntu:
assignee: nobody → Jamie Strandboge (jdstrand)
summary: - apparmor policy forbids running /bin/uname
+ apparmor policy forbids running various /bin/*
Martin Pitt (pitti) wrote :

We also currently disallow running /usr/bin/python*.

Alexander Sack (asac) wrote :

two ways to look at it:

1. we should allow running all non-risky commands from base system
2. these things might go away eventually (after snappy rewrite and system strip to just the bare minimum), but in general we say you can use what is on the base system, so that wouldn't affect that we should fix this

Alexander Sack (asac) wrote :

breaks core security experience by being too restrictive; marking as devel and safe xp

Changed in snappy-ubuntu:
importance: Undecided → High
status: New → Confirmed
tags: added: snappy-xp-devel snappy-xp-security
Martin Pitt (pitti)
information type: Embargoed → Public
Alexander Sack (asac)
information type: Public → Private
Martin Pitt (pitti)
description: updated
information type: Private → Public
description: updated
Jamie Strandboge (jdstrand) wrote :

This is in vivid NEW awaiting approval.

Changed in snappy-ubuntu:
status: Confirmed → Fix Committed
affects: snappy-ubuntu → apparmor-easyprof-ubuntu-snappy (Ubuntu)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu-snappy - 1.3.4

---------------
apparmor-easyprof-ubuntu-snappy (1.3.4) vivid; urgency=medium

  * ubuntu-snappy/docker-1.3_client: update for ever changing paths
  * ubuntu-snappy/networking: add read for @{PROC}/sys/net/core/somaxconn
  * ubuntu-snappy/default (LP: #1400306):
    - add uptime and uname
    - add dash
    - add read access to /etc/inputrc, but not @{HOME}/.inputrc
    - also allow python2 and perl5*
    - use @{HOMEDIRS}/*/ instead of @{HOMEDIRS}/
    - allow @{PROC}/sys/kernel/hostname
    - allow @{PROC}/sys/kernel/osrelease
 -- Jamie Strandboge <email address hidden> Thu, 04 Dec 2014 15:00:29 -0600

Changed in apparmor-easyprof-ubuntu-snappy (Ubuntu):
status: Fix Committed → Fix Released