Update profiles for usrmerge

Bug #1784023 reported by Dimitri John Ledkov on 2018-07-27
This bug affects 1 person
Affects / Status / Importance / Assigned to / Milestone
apparmor (Ubuntu): Undecided, Unassigned
apparmor-profiles-extra (Ubuntu): Undecided, Unassigned
dhcpcanon (Ubuntu): Undecided, Unassigned
ejabberd (Ubuntu): Undecided, Unassigned
firefox (Ubuntu): Undecided, Unassigned
fwknop (Ubuntu): Undecided, Unassigned
i2p (Ubuntu): Undecided, Unassigned
isc-dhcp (Ubuntu): Undecided, Unassigned
kopanocore (Ubuntu): Undecided, Unassigned
libvirt (Ubuntu): Medium, Christian Ehrhardt
lightdm (Ubuntu): Undecided, Unassigned
lightdm-remote-session-freerdp2 (Ubuntu): Undecided, Unassigned
lightdm-remote-session-x2go (Ubuntu): Undecided, Unassigned
man-db (Ubuntu): Undecided, Unassigned
strongswan (Debian): Fix Released, Unknown
strongswan (Ubuntu): Undecided, Unassigned
surf (Ubuntu): Undecided, Unassigned
telepathy-mission-control-5 (Ubuntu): Undecided, Unassigned

Bug Description

This is about the / and /usr merge.

/bin & /sbin merge is out of scope. Anything that was in /sbin/ will remain in /{,usr/}sbin/.

= src:apparmor =
usr.bin.chromium-browser appears to be out of date w.r.t. apparmor-profiles upstream git tree

/usr/share/apparmor/extra-profiles/usr.sbin.useradd needs update upstream https://gitlab.com/apparmor/apparmor/merge_requests/152/diffs

= other packages =

Slightly more complete list: https://paste.ubuntu.com/p/4zDJ8mTc5Z/

$ sudo grep '[[:space:]]/bin' -r .
./usr.bin.man: /bin/bzip2 rmCx -> &man_filter,
./usr.bin.man: /bin/gzip rmCx -> &man_filter,
./usr.bin.man: /bin/bzip2 rm,
./usr.bin.man: /bin/gzip rm,
./usr.sbin.libvirtd: /bin/* PUx,
./abstractions/lightdm: /bin/ rmix,
./abstractions/lightdm: /bin/fusermount Px,
./abstractions/lightdm: /bin/** rmix,
./abstractions/libvirt-qemu: /bin/uname rmix,
./abstractions/libvirt-qemu: /bin/grep rmix,
./usr.bin.chromium-browser: /bin/ps Uxr,
./usr.bin.chromium-browser: /bin/dash ixr,
./usr.bin.chromium-browser: /bin/grep ixr,
./usr.bin.chromium-browser: /bin/readlink ixr,
./usr.bin.chromium-browser: /bin/sed ixr,
./usr.bin.chromium-browser: /bin/which ixr,
./usr.bin.chromium-browser: /bin/mkdir ixr,
./usr.bin.chromium-browser: /bin/mv ixr,
./usr.bin.chromium-browser: /bin/touch ixr,
./usr.bin.chromium-browser: /bin/dash ixr,
./usr.bin.firefox: /bin/which ixr,
./usr.bin.firefox: /bin/ps Uxr,
./usr.bin.firefox: /bin/uname Uxr,
./usr.bin.firefox: /bin/dash ixr,
./sbin.dhclient: /bin/bash mr,

$ sudo grep '[[:space:]]/sbin' -r .
./usr.lib.telepathy: deny /sbin/ldconfig x,
./usr.sbin.libvirtd: /sbin/* PUx,
./abstractions/lightdm: /sbin/ r,
./abstractions/lightdm: /sbin/** rmixk,
./usr.bin.firefox: /sbin/killall5 ixr,
./sbin.dhclient: /sbin/dhclient mr,
./sbin.dhclient: # daemon to run arbitrary code via /sbin/dhclient-script, it would need to be
./sbin.dhclient: /sbin/dhclient-script Uxr,

$ sudo grep '[[:space:]]/lib' -r .
./snap.core.4917.usr.lib.snapd.snap-confine: /lib/udev/snappy-app-dev ixr, # drop
./usr.lib.snapd.snap-confine.real: /lib/udev/snappy-app-dev ixr, # drop
./abstractions/lightdm: /lib/ r,
./abstractions/lightdm: /lib/** rmixk,
./abstractions/lightdm: /lib32/ r,
./abstractions/lightdm: /lib32/** rmixk,
./abstractions/lightdm: /lib64/ r,
./abstractions/lightdm: /lib64/** rmixk,
./usr.bin.chromium-browser: /lib/libgcc_s.so* mr,
./usr.bin.chromium-browser: /lib/@{multiarch}/libgcc_s.so* mr,
./usr.bin.chromium-browser: /lib{,32,64}/libm-*.so* mr,
./usr.bin.chromium-browser: /lib/@{multiarch}/libm-*.so* mr,
./usr.bin.chromium-browser: /lib{,32,64}/libpthread-*.so* mr,
./usr.bin.chromium-browser: /lib/@{multiarch}/libpthread-*.so* mr,
./usr.bin.chromium-browser: /lib{,32,64}/libc-*.so* mr,
./usr.bin.chromium-browser: /lib/@{multiarch}/libc-*.so* mr,
./usr.bin.chromium-browser: /lib{,32,64}/libld-*.so* mr,
./usr.bin.chromium-browser: /lib/@{multiarch}/libld-*.so* mr,
./usr.bin.chromium-browser: /lib{,32,64}/ld-*.so* mr,
./usr.bin.chromium-browser: /lib/@{multiarch}/ld-*.so* mr,
./usr.bin.chromium-browser: /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
./usr.bin.chromium-browser: /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
./usr.bin.chromium-browser: /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,

The above list might be incomplete.

description: updated
Christian Boltz (cboltz) wrote :

> ./abstractions/lightdm: /bin/ rmix,

rmix permissions for a directory? That looks wrong to me, r permissions should be enough.

If https://wiki.debian.org/UsrMerge is what we follow here, then the libvirt rules for /sbin/* PUx and /bin/* PUx are ok; they already have /usr/bin/* and /usr/sbin/* present.
(part of a very lenient profile, I know)
They are also not part of the Ubuntu Delta, so we can leave those rules as-is.

More interesting are the lines in abstractions/libvirt-qemu.
Those are part of a powerpc-specific delta we carry and refer to just /bin at the moment:
   /bin/uname rmix,
   /bin/grep rmix,
I guess if we'd convert those two on the next merge to
   /{usr/,}bin/uname rmix,
   /{usr/,}bin/grep rmix,
we will be safe for the usr merge and still very backward compatible.
I'll do that as part of the coming cosmic libvirt merge which is blocked by a few other things (so it will take a bit).
But I'll call this package's task triaged and assign it to me.

Changed in libvirt (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
importance: Undecided → Medium
status: New → Triaged
tags: added: libvirt-18.10
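The conversion proposed above (a bare `/bin/...` rule becoming `/{usr/,}bin/...`) is the same mechanical change needed across the grep hits in the description. The following is an added example, not code from this bug or from any of the packages listed; it rewrites rule lines for the / and /usr merge only (the /bin and /sbin merge stays out of scope, as the description says), leaves comments and already-alternated paths alone, and reports every changed rule so a maintainer can review the diff before uploading. The sample rules are constructed from the patterns in the grep output, not copied from the real profiles.

```python
import re

# Constructed sample in the shape of the grep hits above (not the real profile files).
SAMPLE_RULES = """\
  /bin/uname rmix,
  /bin/grep rmix,
  /sbin/dhclient-script Uxr,
  /lib/@{multiarch}/libgcc_s.so* mr,
  /lib{,32,64}/libc-*.so* mr,
  /usr/bin/* PUx,
  /{usr/,}bin/which ixr,
  # daemon to run arbitrary code via /sbin/dhclient-script
  deny /sbin/ldconfig x,
"""

# Directories that gain a /usr/ alternation under the / and /usr merge.
# The alternation is tried with a lookahead so /lib does not swallow /lib32 or /lib{,32,64}.
MERGED_DIRS = r"(bin|sbin|lib|lib32|lib64|lib\{,32,64\})"
# Optional rule qualifiers (deny/audit/owner) are captured and kept in front of the path.
PATTERN = re.compile(r"^(\s*(?:deny\s+|audit\s+|owner\s+)*)/" + MERGED_DIRS + r"(?=/)")


def usrmerge_line(line: str) -> str:
    """Rewrite one profile line so it also matches the /usr counterpart.

    Comments, blank lines and rules that already carry a /usr/ alternation are
    returned unchanged; permission modes (rmix, Uxr, ...) are never touched.
    """
    stripped = line.lstrip()
    if not stripped or stripped.startswith("#"):
        return line
    if "/{usr/,}" in line or "/{,usr/}" in line:
        return line
    return PATTERN.sub(r"\1/{usr/,}\2", line, count=1)


def changed_rules(text: str):
    """Return (old, new) pairs for every line the rewrite would alter, for review."""
    pairs = []
    for old in text.splitlines(keepends=True):
        new = usrmerge_line(old)
        if new != old:
            pairs.append((old, new))
    return pairs


def usrmerge_profile(text: str) -> str:
    """Apply the rewrite to a whole profile or abstraction file."""
    return "".join(usrmerge_line(l) for l in text.splitlines(keepends=True))
```

Running `changed_rules(SAMPLE_RULES)` on the sample reports six rewritten rules and leaves the `/usr/bin/*`, the already-alternated `/{usr/,}bin/which` and the comment line untouched.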
Dimitri John Ledkov (xnox) wrote :

To reduce unintentional breakage, I will try to upload a few of the above profiles with mostly mechanical fixes for usrmerge.

For example, re: rmix -> that's not something I can comment on, or would be comfortable changing myself.

Changed in man-db (Ubuntu):
status: New → In Progress
Changed in apparmor (Ubuntu):
status: New → In Progress
status: In Progress → New
Changed in isc-dhcp (Ubuntu):
status: New → Fix Committed
Changed in man-db (Ubuntu):
status: In Progress → Fix Committed
Changed in lightdm (Ubuntu):
status: New → In Progress
description: updated
Dimitri John Ledkov (xnox) wrote :
no longer affects: snapd (Ubuntu)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.3.5-3ubuntu8

---------------
isc-dhcp (4.3.5-3ubuntu8) cosmic; urgency=medium

  * Adjust apparmor profile for usrmerge. LP: #1784023

 -- Dimitri John Ledkov <email address hidden> Mon, 30 Jul 2018 14:30:57 +0100

Changed in isc-dhcp (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package man-db - 2.8.4-1ubuntu1

---------------
man-db (2.8.4-1ubuntu1) cosmic; urgency=medium

  * Adapt apparmor profile for usrmerge. LP: #1784023

 -- Dimitri John Ledkov <email address hidden> Mon, 30 Jul 2018 14:23:24 +0100

Changed in man-db (Ubuntu):
status: Fix Committed → Fix Released

For the strongswan change I filed a bug with Debian, I don't see an immediate need to add Delta for this.
@xnox: If there are serious deadlines involved you can obviously push the change, otherwise I'd wait for the next merge.

Changed in strongswan (Debian):
status: Unknown → New
Changed in apparmor (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu7

---------------
apparmor (2.12-4ubuntu7) cosmic; urgency=medium

  * Cherry-pick upstream patch for usr-merge for useradd profile.
  * Update chromium-browser profile with latest from profiles project.
  * Fixes LP: #1784023

 -- Dimitri John Ledkov <email address hidden> Wed, 01 Aug 2018 15:20:51 +0100

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released

FYI - the libvirt change is in git, just needs a few other things and tests to be complete for an upload.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 4.6.0-2ubuntu1

---------------
libvirt (4.6.0-2ubuntu1) cosmic; urgency=medium

  * Merged with Debian unstable (LP: #1786957).
    Among many other new features and fixes this includes fixes
    for (LP: #1754871), Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm
      which provided a separate kvm-spice.
    - Xen related
      - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
        section that adapts the path of the emulator to the Debian/Ubuntu
        packaging is kept.
      - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto
        set VRAM to minimum requirements
      - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
      - Add libxl log directory
      - libvirt-uri.sh: Automatically switch default libvirt URI for users on
        Xen dom0 via user profile (was missing on changelogs before)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
      included_files to avoid build failures due to duplicate definitions.
    - Update README.Debian with Ubuntu changes
    - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
      vmlinuz available and accessible (Debian bug 848314)
    - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation
    - Add dnsmasq configuration to work with system wide dnsmasq (drop >18.04,
      no more UCA onto Xenial then which has global dnsmasq by default).
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - Further upstreamed apparmor Delta, especially any new one
      Our former delta is split into logical pieces and is either Ubuntu only
      or is part of a continuous upstreaming effort.
      Listing related remaining changes in debian/patches/ubuntu-aa/:
      + 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor:
        Allow pygrub to run on Debian/Ubuntu
      + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
        ...

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released
Changed in lightdm (Ubuntu):
status: In Progress → Fix Committed
Changed in lightdm-remote-session-freerdp2 (Ubuntu):
status: New → In Progress
Changed in lightdm-remote-session-x2go (Ubuntu):
status: New → In Progress
Changed in strongswan (Ubuntu):
status: New → In Progress
Changed in telepathy-mission-control-5 (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm-remote-session-x2go - 0.0.2.0-2ubuntu1

---------------
lightdm-remote-session-x2go (0.0.2.0-2ubuntu1) cosmic; urgency=medium

  * Add support for usr-merge in the apparmor profile. (LP: #1784023)

 -- Dimitri John Ledkov <email address hidden> Tue, 21 Aug 2018 00:35:03 +0100

Changed in lightdm-remote-session-x2go (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm-remote-session-freerdp2 - 2.0.0-1ubuntu1

---------------
lightdm-remote-session-freerdp2 (2.0.0-1ubuntu1) cosmic; urgency=medium

  * Add support for usr-merge in the apparmor profile. (LP: #1784023)

 -- Dimitri John Ledkov <email address hidden> Tue, 21 Aug 2018 00:37:17 +0100

Changed in lightdm-remote-session-freerdp2 (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package telepathy-mission-control-5 - 1:5.16.4-2ubuntu2

---------------
telepathy-mission-control-5 (1:5.16.4-2ubuntu2) cosmic; urgency=medium

  * Add support for usr-merge in the apparmor profile. (LP: #1784023)

 -- Dimitri John Ledkov <email address hidden> Tue, 21 Aug 2018 00:48:49 +0100

Changed in telepathy-mission-control-5 (Ubuntu):
status: In Progress → Fix Released
Changed in firefox (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.6.2-2ubuntu2

---------------
strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium

  * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023

 -- Dimitri John Ledkov <email address hidden> Tue, 21 Aug 2018 00:42:38 +0100

Changed in strongswan (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.26.0-0ubuntu2

---------------
lightdm (1.26.0-0ubuntu2) cosmic; urgency=medium

  * Cherrypick upstream PR to add support for usr-merge in apparmor
    profile. LP: #1784023

 -- Dimitri John Ledkov <email address hidden> Tue, 21 Aug 2018 00:05:28 +0100

Changed in lightdm (Ubuntu):
status: Fix Committed → Fix Released
intrigeri (intrigeri) wrote :

I took a look because this appeared on the Debian package tracker for apparmor-profiles-extra. At least 1.24 (just uploaded to sid) seems to be OK. I've not checked older versions so I don't know when exactly the problem that affected this package (which seems unspecified here) was fixed. If there's anything left to fix in this package, please let me know :)

Changed in strongswan (Debian):
status: New → Fix Released
Reiner Herrmann (deki) wrote :

Fixed in 2.0+git20181009-2.

Changed in surf (Ubuntu):
status: New → Fix Released