base abstraction missing glibc /proc/$pid/ things

Bug #1658239 reported by Kees Cook on 2017-01-20
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Status tracked in Master
apparmor (Ubuntu)

Bug Description

There are yet more glibc-needed files missing from the base abstraction:

--- base 2017-01-20 15:37:50.000000000 -0800
+++ /etc/apparmor.d/abstractions/base 2016-12-06 14:13:58.000000000 -0800
@@ -92,7 +92,7 @@
   /sys/devices/system/cpu/online r,

   # glibc's *printf protections read the maps file
- @{PROC}/@{pid}/maps r,
+ @{PROC}/@{pid}/{maps,auxv,status} r,

   # libgcrypt reads some flags from /proc
   @{PROC}/sys/crypto/* r,

Seth Arnold (seth-arnold) wrote :

Committed revision 3626.
Committed revision 3382.
Committed revision 3047.


Robie Basak (racb) wrote :

There are some reports of this affecting Xenial users with mysql-5.7. See bug 1610765. I'm not sure how to reproduce though.

Lars Tangvald (lars-tangvald) wrote :

For mysql 5.7 I've also seen an error for this in syslog (including fairly old logs), but apparently without causing any noticeable issues with the running of the server. So I don't think it's critical, but it does cause confusing noise in other bug reports.

Lars Tangvald (lars-tangvald) wrote :

For MySQL the call to proc/pid/status is done as part of a check to ensure no other processes are using the same socket file, so it affects the server's ability to detect an invalid configuration.

Kyle Bygott (hbygott) wrote :

Drats-in attempting to see the actual commit changes (don't know my way around launchpad) so I can apply changes to my server while waiting for release, I accidentally changed master status to released and now it won't let me change it back to fix committed.

I'm surprised it let me change it. I guess I'll quit clicking buttons now, but can somebody with appropriate permissions change back? Thanks, and apologies. I may just log out if such mistakes are possible!

Christian Boltz (cboltz) wrote :

no worries, I changed it back ;-)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu1

apparmor (2.12-4ubuntu1) bionic; urgency=medium

  [ Tyler Hicks ]
  * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
    intrigeri for making those improvements! Remaining Ubuntu changes:
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - Update package maintainer to be Ubuntu Developers in the control file
    - Call handle_system_policy_package_updates in apparmor.init.
      This is needed for snappy and system-images. Note that this prevents
      using a remove /var.
    - Apply Ubuntu-specific patches
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - Install Ubuntu chromium-browser profile and abstraction
    - Feature pinning is not used in Ubuntu

  [ intrigeri ]
  * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
    the Ubuntu packaging is maintained.

apparmor (2.12-4) unstable; urgency=medium

  * Migrate patch handling to gbp-pq (Closes: #888244).
  * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
    - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
      new patch, properly identify empty ouid/fsuid fields in logs.
    - upstream-commit-130958a-allow-shell-helper-read-locale.patch:
      new patch, allow the shell helper regression test program read
      the locale.

 -- Tyler Hicks <email address hidden> Mon, 19 Mar 2018 16:24:57 +0000

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers