Policy needs improved feature versioning to ensure it is correctly being applied

Bug #1728130 reported by John Johansen
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | Confirmed | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |

Bug Description

[ Impact ]

Currently allows pinning a single feature abi or running in a developer mode where the full abi available of the current kernel is enforced.

However this can result in breaking applications in undesirable ways.

If an application is shipped with its own policy, that policy might be different than the pinned feature abi, which can either result in denials because features the policy was not developed for are being enforced.

If the feature version is not pinned then the most recent kernel abi is taken and applied to policy, which has not been updated. This can result in denials for userspace, effectively breaking userspace. This is less than ideal for most users as it leads to a bad experience that they have not opted into and can lead to them disabling security protections.

[ Test Plan ]

The test can be done with several features. Here we are using mqueue as an example.
Verify that the kernel that has mqueue mediation support:
root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ] && echo "supports mqueue"
supports mqueue

cd /tmp
pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
cd apparmor-2.13.3/tests/regression/apparmor/
USE_SYSTEM=1 make

Using the parser from the mqueue-sru PPA, load the profile.
echo "
abi <kernel>,
include <tunables/global>
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
  include <abstractions/base>
  /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r

Run the test, which should fail.
./posix_mq_rcv -c ./posix_mq_snd
FAIL - could not open mq: Permission denied

Now use an abi that does not have mqueue. This simulates a scenario where a policy was developed before mqueue support was added, so posix message queues should be allowed by default.

echo "
abi <abi/2.13>,
include <tunables/global>
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
  include <abstractions/base>
  /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r

Run the test again, it should pass.
./posix_mq_rcv -c ./posix_mq_snd
PASS

[ Where problems could occur ]

ABI pinning forces policies that don't have abi specified in their profile to use the ABI pinned in parser.conf. When the ABI is pinned and the user is trying to use mediation that is not in the pinned ABI, they might be confused why it is always being allowed. This can be circumvented by specifying the correct abi in the profile.

[ Other Info ]

The patches for focal (apparmor-2.13) can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
apparmor-3.0 already has this feature.
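
As an added illustration of the pinning behaviour described under "Where problems could occur" (not part of the bug report or of the AppArmor project's code), this shell script classifies profile files by the feature ABI they declare: `kernel`, an explicit ABI, or none, in which case the ABI pinned in parser.conf applies. The function names and sample profiles are constructed for the example, and abi rules reached through `include` are not followed.

```shell
#!/bin/sh
# Added example (hypothetical helper names; sample profiles are constructed).

# classify_abi FILE: print which feature ABI a profile file declares.
#   kernel        -> "abi <kernel>,": full ABI of the running kernel is enforced
#   explicit:NAME -> "abi <NAME>," or abi "NAME",: policy written against NAME
#   pinned        -> no abi rule: the ABI pinned in parser.conf applies
# Limitation: abi rules pulled in through include files are not followed.
classify_abi() {
    abi=$(sed -E -n \
            -e 's/#.*$//' \
            -e 's/^[[:space:]]*abi[[:space:]]+[<"]([^>"]+)[>"][[:space:]]*,.*$/\1/p' \
            "$1" | head -n 1)
    case "$abi" in
        "")     echo "pinned" ;;
        kernel) echo "kernel" ;;
        *)      echo "explicit:$abi" ;;
    esac
}

# audit_abi_dir DIR: one "file<TAB>classification" line per regular file.
audit_abi_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(classify_abi "$f")"
    done
}

# write_samples DIR: three constructed profiles covering each case.
write_samples() {
    printf 'abi <kernel>,\ninclude <tunables/global>\n/usr/bin/demo-a {\n}\n' > "$1/demo-a"
    printf '  abi <abi/2.13>,  # written before mqueue\n/usr/bin/demo-b {\n}\n' > "$1/demo-b"
    printf '# abi <abi/2.13>,\n/usr/bin/demo-c {\n}\n' > "$1/demo-c"
}

demo=$(mktemp -d)
write_samples "$demo"
audit_abi_dir "$demo"
rm -rf "$demo"
```

Profiles reported as `pinned` are the ones where mediation missing from the pinned ABI is always allowed; those reported as `kernel` pick up newly mediated features whenever the kernel changes.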

Georgia Garcia (georgiag) wrote :

This feature is required by Bug 1993353.

Chris Halse Rogers (raof) wrote :

This is missing the SRU template information.

Particularly: what is the test plan to verify (a) that this does what we need, and (b) doesn't accidentally break existing apparmor profiles?

description: updated
Georgia Garcia (georgiag) wrote :

Chris, I updated the description with the SRU template information.

The test plan shows this does what we need:

1. feature is in kernel, abi set in policy is kernel, and policy does not have permission: execution fails with permission denied.
2. abi set in policy does not contain feature, and policy does not have permission: execution is allowed.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello John, or anyone else affected,

Accepted apparmor into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/2.13.3-7ubuntu5.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apparmor (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed verification-needed-focal
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apparmor/2.13.3-7ubuntu5.2)

All autopkgtests for the newly accepted apparmor (2.13.3-7ubuntu5.2) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

libreoffice/1:6.4.7-0ubuntu0.20.04.6 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#apparmor

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Georgia Garcia (georgiag) wrote :

Verification done. The autopkgtest failure for libreoffice was a temporary issue with the test infrastructure that passed when it was retriggered.

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Heather Lemon (hypothetical-lemon) wrote :

### VERIFICATION DONE FOCAL ###

sudo add-apt-repository ppa:apparmor-dev/mqueue-dev
sudo apt update

# exchange keypair ssh
scp linux-* ubuntu@x.x.x.x:~

sudo dpkg -i linux*
sudo apt --fix-broken install

# edit /etc/default/grub
GRUB_DEFAULT='Advanced options for Ubuntu>Ubuntu, with Linux 5.4.0-131-generic'
sudo update-grub

restart/reboot machine

sudo apt-get upgrade apparmor

# go find menu entry and update grub
/boot/boot.cfg
# menuentry 'Ubuntu, with Linux 5.4.0-131-generic'

# execute command
GRUB_DEFAULT='Advanced options for Ubuntu>Ubuntu, with Linux 5.4.0-131-generic'

# should output
supports mqueue

sudo apt install ubuntu-dev-tools -y

pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal

sudo apt-get install autoconf libtool -y

cd ./libraries/libapparmor/

./autogen.sh

export PYTHONPATH=/tmp/apparmor-2.13.3/libraries/libapparmor/swig/python
export PYTHON=/usr/bin/python3
export PYTHON_VERSION=3
export PYTHON_VERSIONS=python3
export USE_SYSTEM=1 make

./configure

sudo apt-get install flex dejagnu

make

sudo make check

sudo make install

cd binutils
make
make check
make install

cd ./libraries/libapparmor
sh ./autogen.sh
sh ./configure
make
make check
make install

cd parser
$ make # depends on libapparmor having been built first
$ make check

# run unit tests
cd /tests/regression/apparmor/
sudo make tests

sudo su

echo "
abi <kernel>,
include <tunables/global>
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
  include <abstractions/base>
  /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r

# run command
./posix_mq_rcv -c ./posix_mq_snd
FAIL - could not open mq: Permission denied
# we see this fail error

# make sure there are enough permissions to execute
sudo chmod 777 posix_mq_rcv

./posix_mq_rcv -c ./posix_mq_snd
PASS

### VERIFICATION DONE FOCAL ###

Heather Lemon (hypothetical-lemon) wrote :

*Note: I have not done any extra testing outside of the testing steps listed, which would probably be a good idea to do.

Georgia Garcia (georgiag) wrote :

Thank you for validating the test, Heather.

In addition to the ABI validation, I also ran the AppArmor tests using the QA Regression Test suite (https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py). It includes tests for LibAppArmor, the parser, and all regression tests. They all worked as expected.

Heather Lemon (hypothetical-lemon) wrote :

Great! Thank you Georgia.

Heather Lemon (hypothetical-lemon) wrote :

Is this issue blocked by something?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.13.3-7ubuntu5.2

---------------
apparmor (2.13.3-7ubuntu5.2) focal; urgency=medium

  * Add capability upstream patches to fix LP: #1964636
    - u/cap1-Generate-CAPABILITIES-in-a-script-due-to-make-4.3.patch: move
    code that generates a list of capabilities to a script in common/
    - u/cap2-parser-Move-to-a-pre-generated-cap_names.h.patch: use a
    pre-generated list of capabilities so that all capabilities are
    supported even when building against older kernels.
    - u/cap3-parser-cleanup-capability_table-generation-by-droppi.patch: drop
    sys_log static declaration because it's already in the generated list.
    - u/cap4-parser-unify-capability-name-handling.patch: drop internal
    hardcoded capability table.
    - u/cap5-parser-Makefile-use-LC_ALL-C-when-invoking-sed.patch: use
    LC_ALL=C when invoking sed.
    - u/cap6-parser-Add-warning-to-capability_table-about-the-nee.patch: add
    warning to capability_table about the need to update the Makefile.
    - u/cap7-Add-CAP_BPF-and-CAP_PERFMON-to-severity.db.patch: add
    support for cap_bpf and cap_perfmon
    - u/cap8-parser-Makefile-fix-generated-cap-comparison-against.patch: fix
    generated cap comparison against known list
  * Add upstream patches for abi support. LP: #1728130
    - u/abi1-parser-feature-abi-setup-parser-to-intersect-policy-.patch: add
    the ability to intersect parser and kernel features in the parser.
    - u/abi2-parser-add-basic-support-for-feature-abis.patch: add support
    to specify a feature abi.
    - u/abi3-pin-abi-2.13.patch: add and pin a policy abi for 2.13
    - u/abi4-parser-fix-abi-rule-and-pinned-feature-file-interact.patch: fix
    abi rule and pinned feature file interaction
    - apparmor.install: add 2.13 abi file to be installed in /etc/apparmor.d/abi/
  * Add mqueue patches. LP: #1993353
    - u/mqueue1-parser-add-parser-support-for-message-queue-mediatio.patch:
    add parser support for mqueue mediation
    - u/mqueue2-tests-add-posix-message-queue-regression-tests.patch: add
    posix mqueue regression tests
    - u/mqueue3-utils-add-message-queue-rules-parsing-in-python-tool.patch:
    add support in python tools to parse mqueue rules
    - u/mqueue4-parser-add-parser-simple-tests-for-mqueue-rules.patch: add
    parser simple tests for mqueue
    - u/mqueue5-parser-place-perm-on-name-as-well-as-name-label-comb.patch:
    add permissions on name and also on name + label
    - u/mqueue6-libapparmor-add-support-for-requested-and-denied-on-.patch:
    add parsing support for "denied" and "requested" from audit logs
    - u/mqueue7-libapparmor-add-support-for-class-in-logparsing.patch: add
    parsing support for "class" from audit logs
    - u/mqueue8-utils-add-logparser-support-for-mqueue.patch: add logparser
    support for mqueue rules
    - u/mqueue9-tests-add-sysv-message-queue-regression-tests.patch: add
    sysv mqueue regression tests
    - u/mqueue10-parser-enable-mqueue-rules-when-abi-is-not-set.patch:
    override pinned features for mqueue rules when abi is not set in policy.
    - debian/rules: create mqueue testcase empty files for libapparmor tests.
  * Closes LP...

Changed in apparmor (Ubuntu Focal):
status: Fix Committed → Fix Released
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for apparmor has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
