base abstraction missing glibc /proc/$pid/ things

Bug #1658239 reported by Kees Cook
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Status tracked in Master
Fix Released
Fix Released
Fix Released
Fix Released
apparmor (Ubuntu)
Fix Released

Bug Description

There are yet more glibc-needed files missing from the base abstraction:

--- base 2017-01-20 15:37:50.000000000 -0800
+++ /etc/apparmor.d/abstractions/base 2016-12-06 14:13:58.000000000 -0800
@@ -92,7 +92,7 @@
   /sys/devices/system/cpu/online r,

   # glibc's *printf protections read the maps file
- @{PROC}/@{pid}/maps r,
+ @{PROC}/@{pid}/{maps,auxv,status} r,

   # libgcrypt reads some flags from /proc
   @{PROC}/sys/crypto/* r,

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Committed revision 3626.
Committed revision 3382.
Committed revision 3047.


Revision history for this message
Robie Basak (racb) wrote :

There are some reports of this affecting Xenial users with mysql-5.7. See bug 1610765. I'm not sure how to reproduce though.

Revision history for this message
Lars Tangvald (lars-tangvald) wrote :

For mysql 5.7 I've also seen an error for this in syslog (including fairly old logs), but apparently without causing any noticeable issues with the running of the server. So I don't think it's critical, but it does cause confusing noise in other bug reports.

Revision history for this message
Lars Tangvald (lars-tangvald) wrote :

For MySQL the call to proc/pid/status is done as part of a check to ensure no other processes are using the same socket file, so it affects the server's ability to detect an invalid configuration.

Revision history for this message
Kyle Bygott (hbygott) wrote :

Drats-in attempting to see the actual commit changes (don't know my way around launchpad) so I can apply changes to my server while waiting for release, I accidentally changed master status to released and now it won't let me change it back to fix committed.

I'm surprised it let me change it. I guess I'll quit clicking buttons now, but can somebody with appropriate permissions change back? Thanks, and apologies. I may just log out if such mistakes are possible!

Revision history for this message
Christian Boltz (cboltz) wrote :

no worries, I changed it back ;-)

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu1

apparmor (2.12-4ubuntu1) bionic; urgency=medium

  [ Tyler Hicks ]
  * Merge from Debian to get gbp-pq related packaging improvements. Thanks to
    intrigeri for making those improvements! Remaining Ubuntu changes:
    - debian/gbp.conf: Use ubuntu/master as the debian-branch
    - Update package maintainer to be Ubuntu Developers in the control file
    - Call handle_system_policy_package_updates in apparmor.init.
      This is needed for snappy and system-images. Note that this prevents
      using a remove /var.
    - Apply Ubuntu-specific patches
      + parser-include-usr-share-apparmor.patch
      + profiles-grant-access-to-systemd-resolved.patch
      + add-chromium-browser.patch
    - Install Ubuntu chromium-browser profile and abstraction
    - Feature pinning is not used in Ubuntu

  [ intrigeri ]
  * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where
    the Ubuntu packaging is maintained.

apparmor (2.12-4) unstable; urgency=medium

  * Migrate patch handling to gbp-pq (Closes: #888244).
  * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta):
    - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch:
      new patch, properly identify empty ouid/fsuid fields in logs.
    - upstream-commit-130958a-allow-shell-helper-read-locale.patch:
      new patch, allow the shell helper regression test program read
      the locale.

 -- Tyler Hicks <email address hidden> Mon, 19 Mar 2018 16:24:57 +0000

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.