2012-04-10 13:38:38 |
John Johansen |
bug |
|
|
added bug |
2012-04-10 13:40:05 |
John Johansen |
apparmor (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
2012-04-10 13:40:48 |
John Johansen |
bug watch added |
|
mailto:john.johansen@canonical.com |
|
2012-04-10 13:40:48 |
John Johansen |
bug task added |
|
linux |
|
2012-04-10 15:15:11 |
Joseph Salisbury |
linux: importance |
Undecided |
Medium |
|
2012-04-12 16:27:01 |
Launchpad Janitor |
apparmor (Ubuntu): status |
New |
Fix Released |
|
2012-04-12 16:49:18 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/apparmor |
|
2012-05-22 15:59:16 |
John Johansen |
linux: status |
New |
Invalid |
|
2012-05-22 15:59:33 |
John Johansen |
bug task added |
|
linux (Ubuntu) |
|
2012-05-22 15:59:44 |
John Johansen |
linux (Ubuntu): status |
New |
In Progress |
|
2012-05-22 15:59:51 |
John Johansen |
nominated for series |
|
Ubuntu Precise |
|
2012-05-22 15:59:51 |
John Johansen |
bug task added |
|
apparmor (Ubuntu Precise) |
|
2012-05-22 15:59:51 |
John Johansen |
bug task added |
|
linux (Ubuntu Precise) |
|
2012-05-22 15:59:51 |
John Johansen |
nominated for series |
|
Ubuntu Quantal |
|
2012-05-22 15:59:51 |
John Johansen |
bug task added |
|
apparmor (Ubuntu Quantal) |
|
2012-05-22 15:59:51 |
John Johansen |
bug task added |
|
linux (Ubuntu Quantal) |
|
2012-05-22 16:00:01 |
John Johansen |
linux (Ubuntu Precise): status |
New |
In Progress |
|
2012-05-22 16:00:15 |
John Johansen |
apparmor (Ubuntu Precise): status |
New |
Fix Released |
|
2012-05-22 16:00:22 |
John Johansen |
apparmor (Ubuntu Precise): assignee |
|
John Johansen (jjohansen) |
|
2012-05-22 16:00:25 |
John Johansen |
linux (Ubuntu Precise): assignee |
|
John Johansen (jjohansen) |
|
2012-05-22 16:00:29 |
John Johansen |
linux (Ubuntu Quantal): assignee |
|
John Johansen (jjohansen) |
|
2012-05-22 16:07:44 |
John Johansen |
description |
When a task is confined by an apparmor profile and specifies a change to "unconfined" by name, the transition fails even though it is allowed by policy. The failure can be replicated using any of the following mechanisms:
self directed transitions using change_profile, change_onexec with the correct change_profile rule
change_profile -> unconfined,
px, cx named profile transitions
/example px -> unconfined,
This is particularly problematic for transitions to a new namespace.
/example px -> :new_ns:unconfined, |
== Precise SRU Justification ==
Applications trying to leave confinement, when they are allowed to, fail, causing cascading failures. This is affecting LXC where the system is confining the container and tries to drop confinement.
== Fix ==
Commit bf83208e0b7f5938f5a7f6d9dfa9960bf04692fa from the security/next queue for the 3.5 kernel fixes the issue.
== Impact ==
Without this fix some uses of LXC experience failures that the user must work around by disabling the apparmor profile for LXC.
== Test Case ==
Run the tests from the updated apparmor regression test suite in qrt.
or manually
create a confined shell, containing the rule:
change_profile -> **,
from the confined shell call:
aa-exec -p unconfined
Without the patch this will fail, reporting that the profile could not be found.
When a task is confined by an apparmor profile and specifies a change to "unconfined" by name, the transition fails even though it is allowed by policy. The failure can be replicated using any of the following mechanisms:
self directed transitions using change_profile, change_onexec with the correct change_profile rule
change_profile -> unconfined,
px, cx named profile transitions
/example px -> unconfined,
This is particularly problematic for transitions to a new namespace.
/example px -> :new_ns:unconfined, |
|
2012-05-22 17:21:36 |
Tim Gardner |
linux (Ubuntu Precise): status |
In Progress |
Fix Committed |
|
2012-05-22 17:23:40 |
Tim Gardner |
linux (Ubuntu Quantal): status |
In Progress |
Fix Committed |
|
2012-05-26 01:40:14 |
Launchpad Janitor |
linux (Ubuntu Quantal): status |
Fix Committed |
Fix Released |
|
2012-05-28 09:27:50 |
Luis Henriques |
tags |
|
verification-needed-precise |
|
2012-06-01 15:42:23 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/linux-ti-omap4 |
|
2012-06-01 20:17:19 |
John Johansen |
tags |
verification-needed-precise |
verification-done-precise |
|
2012-06-13 15:07:12 |
Launchpad Janitor |
linux (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
2012-06-13 15:07:12 |
Launchpad Janitor |
cve linked |
|
2012-2133 |
|
2012-06-13 15:07:12 |
Launchpad Janitor |
cve linked |
|
2012-2313 |
|
2012-06-25 20:24:37 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/linux-armadaxp |
|
2012-11-14 21:30:44 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/linux-lowlatency |
|