[FFe] apparmor abstract, anonymous and netlink socket mediation

Bug #1362199 reported by Jamie Strandboge on 2014-08-27
Affects                            Importance  Assigned to
apparmor (Ubuntu)                  Critical    Jamie Strandboge
apparmor-easyprof-ubuntu (Ubuntu)  Critical    Jamie Strandboge
isc-dhcp (Ubuntu)                  Undecided   Jamie Strandboge
libvirt (Ubuntu)                   Undecided   Jamie Strandboge
lightdm (Ubuntu)                   Undecided   Jamie Strandboge
linux (Ubuntu)                     High        John Johansen
linux-flo (Ubuntu)                 High        Unassigned
linux-goldfish (Ubuntu)            High        Unassigned
linux-mako (Ubuntu)                High        Unassigned
linux-manta (Ubuntu)               High        Unassigned
rsyslog (Ubuntu)                   Undecided   Jamie Strandboge
tlsdate (Ubuntu)                   Undecided   Jamie Strandboge

Bug Description

Background: kernel and apparmor userspace updates to support abstract, anonymous and fine-grained netlink socket mediation. These packages are listed in one bug because they are related, but the FFes may be granted and the uploads may happen at different times.

= apparmor userspace =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket mediation in the apparmor userspace. When used with a compatible kernel, 'unix' and 'network netlink' rules are supported. When used without a compatible kernel (eg, the trusty kernel, which lacks this support), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this userspace with an old kernel without any issues).

Testing:
* 14.10 system with current kernels lacking abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
 * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: DONE (exploratory manual testing, lxc, libvirt, etc)
* 14.10 system kernel capable of supporting abstract, anonymous and fine-grained netlink socket mediation (non-Touch):
 * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes test-apparmor.py, exploratory manual testing, lxc, libvirt, etc)
 * Verify everything in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: DONE (except juju since it doesn't have policy itself)

Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.

Extra information:
While the apparmor userspace and kernel changes to support abstract, anonymous and fine-grained netlink socket mediation can happen at different times, the apparmor userspace upload must correspond with uploads for the packages that ship AppArmor policy requiring updates (eg, libvirt, lightdm, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa.

= linux =
Summary:
This feature freeze exception is requested for abstract, anonymous and fine-grained netlink socket mediation via apparmor in the kernel. When used with a compatible apparmor userspace, 'unix' and 'network netlink' rules are supported. When used without a compatible apparmor userspace (eg, on a trusty system with an utopic backport kernel), abstract, anonymous and fine-grained netlink socket mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).

Testing:
* 14.04 system with backported kernel: TODO
 * test-apparmor.py: TODO (runs extensive tests (upstream and distro))
 * exploratory manual testing: TODO (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
 * aa-status: TODO
 * lxc: TODO (containers can be created, started, shutdown)
 * libvirt: TODO (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
* 14.10 system (non-Touch) with updated kernel:
 * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
* 14.10 system (Touch) with updated kernel:
 * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: INPROGRESS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)

Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.
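The kind of policy the description refers to, as an added illustration rather than text from the bug report or a profile shipped by any of the packages listed: the rule syntax is that of apparmor.d(5) for the 'unix' and 'network netlink' rule types this userspace and kernel pair enable; the profile name, executable paths, abstract socket name and peer label are constructed for the example.

```apparmor
# Added illustration of the rule types the FFe enables; not text from the
# bug report and not a profile shipped by any Ubuntu package. The profile
# name, executable paths, socket name and peer label are constructed.
#include <tunables/global>

/usr/bin/example-confined-client {
  #include <abstractions/base>

  # Anonymous unix sockets (unnamed, e.g. from socketpair()) are matched
  # with addr=none. This grants the confined program its own private
  # channels without allowing it to reach any named or abstract listener.
  unix (create, getattr, getopt, setopt, shutdown, send, receive)
       type=stream addr=none,

  # Abstract unix sockets are written with a leading '@' in addr=.
  # Connect to one specific abstract listener, and only when the process on
  # the other end runs under the expected profile (peer label check).
  unix (connect, send, receive) type=stream
       peer=(addr="@example-daemon-socket", label=/usr/sbin/example-daemon),

  # The matching server-side rule, for the daemon's own profile, would be:
  #   unix (bind, listen, accept) type=stream addr="@example-daemon-socket",

  # Fine-grained netlink: permit only the netlink domain and socket types the
  # program needs, instead of a blanket 'network,' rule.
  network netlink raw,
  network netlink dgram,
}
```

Loaded on a kernel without the new mediation, this profile still compiles: the parser downgrades the extended unix rules to the generic network rule and prints the "downgrading extended network unix socket rule to generic network rule" warning quoted later in this bug, so the program keeps working and only the finer restrictions go unenforced. That is the compatibility behaviour the two summaries above describe, and it is why the policy-shipping packages can be updated ahead of the kernel.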

Changed in apparmor (Ubuntu):
importance: Undecided → Critical
tags: added: kernel-bot-stop-nagging
Changed in rsyslog (Ubuntu):
status: New → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in lightdm (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in isc-dhcp (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in lxc (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in lightdm (Ubuntu):
status: New → In Progress
Changed in libvirt (Ubuntu):
status: New → In Progress
Changed in isc-dhcp (Ubuntu):
status: New → In Progress
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → In Progress
Changed in apparmor (Ubuntu):
status: New → In Progress
Changed in lxc (Ubuntu):
status: New → Triaged

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1362199

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in cups (Ubuntu):
status: New → In Progress
Changed in cups-filters (Ubuntu):
status: New → In Progress
Changed in linux (Ubuntu):
status: Incomplete → In Progress
Changed in cups (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in cups-filters (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
tags: added: kernel-da-key
no longer affects: cups (Ubuntu)
no longer affects: cups-filters (Ubuntu)
Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
Changed in tlsdate (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
description: updated
no longer affects: lxc (Ubuntu)
tags: added: rtm14 touch-2014-09-11
Changed in apparmor-easyprof-ubuntu (Ubuntu):
importance: Undecided → Critical
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

isc-dhcp (4.2.4-7ubuntu14) utopic; urgency=medium

  * debian/apparmor-profile.dhclient: add file_inherit inet{,6} dgram rules
    for child profiles

Changed in isc-dhcp (Ubuntu):
status: In Progress → Fix Released
description: updated
description: updated
description: updated
Adam Conrad (adconrad) wrote :

This could use some diffs attached to see how bad the damage is, but as long as the three combinations are tested, I'm fine with this in theory:

1) old kernel and new userspace
2) new kernel and old userspace
3) new kernel and new userspace

Also, it's not clear if the "other packages that need updating in lockstep" thing is a hard dependency or just a "so they can make use of the feature". If it's a hard dependency, you'll need that specified in package relationships (new apparmor should probably have a "Breaks: foo (<< ver), bar (<< ver)" rather than making all of those packages depend on versioned apparmor).

Jamie Strandboge (jdstrand) wrote :

1) old kernel and new userspace
- this is well tested and ready to land now

2) new kernel and old userspace
3) new kernel and new userspace
- these are tested, but need more testing on the kernel side. We are finalizing the kernel and will have these in place for kernel pull requests

Ah, I did not update AppArmor's debian/control for the Breaks like I did for the signal and ptrace mediation, but meant to. Thanks for the reminder, I'll do that now.

Here are the apparmor changes:
https://code.launchpad.net/~apparmor-dev/apparmor/apparmor-ubuntu-citrain.abstract

John Johansen (jjohansen) wrote :

2) new kernel and old userspace

This is currently better tested than 3, but of course needs to be done again with any changes made to the kernel.

Also note that the regression tests have been improved and expanded for all three cases.

Jamie Strandboge (jdstrand) wrote :

FYI, when booting new userspace with old kernel, the parser will output something like this:
Warning from profile /usr/lib/telepathy/telepathy-ofono (/etc/apparmor.d/usr.lib.telepathy): downgrading extended network unix socket rule to generic network rule

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.6-0ubuntu6

---------------
libvirt (1.2.6-0ubuntu6) utopic; urgency=medium

  * debian/apparmor/usr.sbin.libvirtd: update for abstract socket mediation
    (LP: #1362199)
  * debian/apparmor/libvirt-qemu: allow 'r' on @{PROC}/sys/kernel/cap_last_cap
  * debian/control: Suggests apparmor >= 2.8.96~2541-0ubuntu4~
 -- Jamie Strandboge <email address hidden> Fri, 05 Sep 2014 17:32:16 -0500

Changed in libvirt (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.11.8-0ubuntu2

---------------
lightdm (1.11.8-0ubuntu2) utopic; urgency=medium

  * debian/patches/06_apparmor-unix.patch: updates for unix socket mediation
    (LP: #1362199)
 -- Jamie Strandboge <email address hidden> Fri, 05 Sep 2014 17:34:03 -0500

Changed in lightdm (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rsyslog - 7.4.4-1ubuntu9

---------------
rsyslog (7.4.4-1ubuntu9) utopic; urgency=medium

  * debian/usr.sbin.rsyslog: update for abstract socket mediation
    (LP: #1362199)
  * debian/control: Suggests apparmor >= 2.8.96~2541-0ubuntu4~
 -- Jamie Strandboge <email address hidden> Thu, 04 Sep 2014 09:45:43 -0500

Changed in rsyslog (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.96~2652-0ubuntu3

---------------
apparmor (2.8.96~2652-0ubuntu3) utopic; urgency=medium

  * 08-phpsysinfo-policy-updates.patch: update for new phpsysinfo on Ubuntu
    14.10
  * 09-apache2-policy-instructions.patch: update for recent Debian/Ubuntu
    packaging
  * debian/control: update Breaks for apparmor-easyprof-ubuntu, libvirt-bin,
    and lightdm. Add Breaks on rsyslog.

apparmor (2.8.96~2652-0ubuntu2) utopic; urgency=medium

  * 07-parser-fix_local_perms.patch: do not output local permissions for rules
    that have peer_conditionals. Patch from John Johansen

apparmor (2.8.96~2652-0ubuntu1) utopic; urgency=medium

  * Updated to r2652 snapshot of 2.8.96 (LP: #1362199, LP: #1341152)

  [ Steve Beattie ]
  * removed upstreamed patches:
    - dnsmasq-libvirtd-signal-ptrace.patch
    - update-base-abstraction-for-signals-and-ptrace.patch
    - update-nameservice-abstraction-for-extrausers.patch
  - debian/apparmor-profiles.install: dropped program-chunks/postfix-common,
    moved to abstractions/ and covered by apparmor.install
  - refreshed libapparmor-layout-deb.patch patch
  * Add in Tyler Hicks' regression test improvements:
    - 01-tests-unix_socket_lists.patch,
    - 02-tests-accept_unix_rules_in_mkprofile.patch,
    - 03-tests-unix_sockets_v7_pathnames.patch,
    - 04-tests-migrate_from_poll_to_sockio_timeout.patch,
    - 05-tests-add_abstract_socket_tests.patch,
  * 07-parser-fix_local_perms.patch: do not output local permissions
    for rules that have peer_conditionals

  [ Jamie Strandboge ]
  * add-chromium-browser.patch: update for unix socket mediation
  * drop-peer_addr-with-local-addr-in-base.patch: don't use peer=(addr=none)
    with getattr, getopt, setopt and shutdown

  [ Tyler Hicks ]
  * debian/lib/apparmor/functions, debian/apparmor.init,
    debian/apparmor.upstart: Ensure system policy cache cannot become stale
    after image based upgrades that update the system profiles (LP: #1350673)
  * parser-include-usr-share-apparmor.patch, debian/apparmor.install: Adjust
    the default parser.conf file, to add /usr/share/apparmor as an additional
    search path when resolving include directives in profiles, and install the
    file in /etc/apparmor. Ubuntu places hardware specific access rules in
    /usr/share/apparmor/hardware. This change allows these files to be
    included without using an absolute path (e.g.,
    '#include <hardware/graphics.d>').
 -- Jamie Strandboge <email address hidden> Mon, 08 Sep 2014 16:13:10 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.22

---------------
apparmor-easyprof-ubuntu (1.2.22) utopic; urgency=medium

  * Updates for abstract and anonymous socket mediation (LP: #1362199):
    - ubuntu/*/ubuntu-*:
      + use dbus-strict and dbus-session-strict abstractions and remove
        duplicated policy
      + allow ubuntu-sdk and ubuntu-webapp connect, receive and send on the
        maliit abstract socket
      + allow write access to owner /{,var/}run/user/*/@{APP_PKGNAME}/{,**}
    - ubuntu/*/unconfined: allow unix
    - ubuntu/webview:
      + allow oxide to talk to sandbox via unix sockets
      + allow sandbox to talk to @{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}
        peer
      + allow various unix perms from base abstract for the sandbox to use
        unix sockets
    - debian/control: Depends on apparmor >= 2.8.96~2541-0ubuntu4
  * ubuntu/webview: use @{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION} for
    signal now that we have @{APP_APPNAME} available (LP: #1363112)
  * ubuntu/debug: 'audit deny @{HOME}/.local/share/ r' which is used by the
    SDK to see if confined
  * debian/control: Depends on apparmor >= 2.8.96~2541-0ubuntu4~
 -- Jamie Strandboge <email address hidden> Fri, 05 Sep 2014 15:17:07 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tlsdate - 0.0.7-1.1ubuntu1

---------------
tlsdate (0.0.7-1.1ubuntu1) utopic; urgency=medium

  * debian/control: Suggests apparmor >= 2.8.96~2541-0ubuntu4~
  * debian/patches/apparmor-ubuntu.patch: update for unix and netlink socket
    mediation (LP: #1362199)
 -- Jamie Strandboge <email address hidden> Tue, 02 Sep 2014 20:11:13 -0500

Changed in tlsdate (Ubuntu):
status: In Progress → Fix Released
Changed in linux (Ubuntu):
importance: Undecided → Critical
importance: Critical → High
Changed in linux-mako (Ubuntu):
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu):
importance: High → Critical
importance: Critical → High
Changed in linux-mako (Ubuntu):
importance: High → Critical
Changed in linux-goldfish (Ubuntu):
importance: Undecided → High
status: New → In Progress
Changed in linux-manta (Ubuntu):
importance: Undecided → High
status: New → In Progress
Changed in linux-flo (Ubuntu):
importance: Undecided → High
status: New → In Progress
Changed in linux-mako (Ubuntu):
importance: Critical → High
tags: removed: rtm14
Andy Whitcroft (apw) on 2014-09-22
Changed in linux-manta (Ubuntu):
status: In Progress → Fix Committed
Changed in linux-mako (Ubuntu):
status: In Progress → Fix Committed
Changed in linux-flo (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.16.0-17.23

---------------
linux (3.16.0-17.23) utopic; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1371614
  * [Config] CONFIG_USB_OHCI_HCD_PCI=y
    - LP: #1244176

  [ Andy Whitcroft ]

  * rebase to v3.16.3
  * updateconfigs following rebase to v3.16.3

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot
    - LP: #1362199

  [ Upstream Kernel Changes ]

  * rebase to v3.16.3
 -- Andy Whitcroft <email address hidden> Thu, 18 Sep 2014 13:09:25 +0100

Changed in linux (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-goldfish - 3.4.0-4.23

---------------
linux-goldfish (3.4.0-4.23) utopic; urgency=low

  [ Andy Whitcroft ]

  * SAUCE: ensure that if the first firmware is top level the firmware
    directory is made.
    Fixes FTBS
 -- Tim Gardner <email address hidden> Mon, 22 Sep 2014 11:59:19 -0600

Changed in linux-goldfish (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-mako - 3.4.0-5.34

---------------
linux-mako (3.4.0-5.34) utopic; urgency=low

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot
    - LP: #1362199

  [ Tyler Hicks ]

  * Revert "SAUCE: (no-up) apparmor: fix disconnected bind mnts
    reconnection"
  * Revert "SAUCE: (no-up) apparmor fix: remove unused cxt var for
    unix_sendmsg"
  * Revert "SAUCE: (no-up) apparmor: use custom write_is_locked macro"
  * Revert "SAUCE: (no-up) apparmor: fix bug that constantly spam the
    console"
  * Revert "SAUCE: (no-up) apparmor: fix apparmor refcount bug in
    apparmor_kill"
  * Revert "SAUCE: (no-up) apparmor: fix refcount bug in apparmor
    pivotroot"
  * Revert "SAUCE: (no-up) apparmor: fix apparmor spams log with warning
    message"
  * Revert "SAUCE: (no-ip) apparmor: update configs for apparmor 3 alpha 6"
  * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 6 snapshot"
  * SAUCE: (no-up) apparmor: update configs for apparmor 3 - RC1
 -- Tim Gardner <email address hidden> Fri, 19 Sep 2014 10:17:31 -0600

Changed in linux-mako (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-manta - 3.4.0-6.29

---------------
linux-manta (3.4.0-6.29) utopic; urgency=low

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot
    - LP: #1362199

  [ Tim Gardner ]

  * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 6 snapshot"

  [ Tyler Hicks ]

  * Revert "SAUCE: (no-up) apparmor: fix disconnected bind mnts
    reconnection"
  * Revert "SAUCE: (no-up) apparmor fix: remove unused cxt var for
    unix_sendmsg"
  * Revert "SAUCE: (no-up) apparmor: use custom write_is_locked macro"
  * Revert "SAUCE: (no-up) apparmor: fix bug that constantly spam the
    console"
  * Revert "SAUCE: (no-up) apparmor: fix apparmor refcount bug in
    apparmor_kill"
  * Revert "SAUCE: (no-up) apparmor: fix refcount bug in apparmor
    pivotroot"
  * Revert "SAUCE: (no-up) apparmor: fix apparmor spams log with warning
    message"
 -- Tim Gardner <email address hidden> Fri, 19 Sep 2014 10:35:55 -0600

Changed in linux-manta (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-flo - 3.4.0-3.15

---------------
linux-flo (3.4.0-3.15) utopic; urgency=low

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot
    - LP: #1362199

  [ Tim Gardner ]

  * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 6 snapshot"

  [ Tyler Hicks ]

  * Revert "SAUCE: (no-up) apparmor: fix disconnected bind mnts
    reconnection"
  * Revert "SAUCE: (no-up) apparmor fix: remove unused cxt var for
    unix_sendmsg"
  * Revert "SAUCE: (no-up) apparmor: use custom write_is_locked macro"
  * Revert "SAUCE: (no-up) apparmor: fix bug that constantly spam the
    console"
  * Revert "SAUCE: (no-up) apparmor: fix apparmor refcount bug in
    apparmor_kill"
  * Revert "SAUCE: (no-up) apparmor: fix refcount bug in apparmor
    pivotroot"
  * Revert "SAUCE: (no-up) apparmor: fix apparmor spams log with warning
    message"
 -- Tim Gardner <email address hidden> Fri, 19 Sep 2014 09:27:59 -0600

Changed in linux-flo (Ubuntu):
status: Fix Committed → Fix Released