AppArmor profile transition changes required by Linux kernel fix for CVE-2019-11190

Bug #1830802 reported by Tyler Hicks on 2019-05-28
Affects: apparmor (Ubuntu)

Bug Description


* As discussed in bug #1628745, the following kernel commit changes
  AppArmor mediation behavior on exec transitions:

   commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
   Author: Linus Torvalds <email address hidden>
   Date: Mon Aug 22 16:41:46 2016 -0700

       binfmt_elf: switch to new creds when switching to new mm

* This change made its way into the Xenial kernel that's currently in
  xenial-proposed (4.4.0-149.175-generic) as it fixes CVE-2019-11190.

* jdstrand identified a couple missing fixes that are needed from the
  AppArmor tree:


[Test Case]

For the dnsmasq change in apparmor-profiles,

1) Install libvirt-bin and apparmor-profiles
2) Install linux 4.4.0-149.175 from xenial-proposed
3) Reboot
4) Ensure that there is *NOT* an ALLOWED message like this:

 $ dmesg | grep ALLOWED
 apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/dnsmasq//libvirt_leaseshelper" name="/usr/lib/libvirt/libvirt_leaseshelper" pid=1533 comm="libvirt_leasesh" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Note that you can retrigger the operations that trigger this AppArmor
message by running the following command:

 $ sudo virsh net-destroy default && sudo virsh net-start default

For the change in apparmor-utils,

1) Install apparmor-utils
2) Create a file named test.log containing the following denial:

[13622.935258] audit: type=1400 audit(1559071991.542:67): apparmor="DENIED" operation="exec" profile="xargs" name="/bin/echo" pid=2950 comm="xargs" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

3) Run the following command:

 $ sudo aa-logprof -f test.log

4) You'll be prompted to make a decision on what to do about the
   /bin/echo execute denial. Press (I)nherit.

5) Now press (V)iew Changes. Ensure that the 'm' permission is included
   in the added line:

   + /bin/echo mrix,

[Regression Potential]

The dnsmasq profile change adds permissions to the child profile.
There's really no chance of regression involved there.

The change adds the 'm' permission to the allowed permissions of a
binary on ix transitions. While there is a code change involved, it is a
small change and the resulting profile output involved no risk of
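
As an added illustration of the two test cases above (example code written for this page, not part of the apparmor package or the patches named in the changelog): the script parses AppArmor audit messages of the kind quoted in the test cases and derives the profile rule needed. For an exec denial resolved with an ix transition it emits the rule with the 'm' permission included, because after the kernel fix for CVE-2019-11190 the mmap of the new binary is checked under the inheriting profile rather than the parent's pre-exec credentials; with the flag set to model the older kernel it emits the pre-fix "rix" form. For a file_mmap denial of an executable under a child profile, as in the dnsmasq//libvirt_leaseshelper message, it emits a plain `m` rule for that profile. The exact shape of that dnsmasq rule is an assumption (the bug only states that the ALLOWED message must disappear); the `mrix` output for the aa-logprof case matches the expected line in the test case. The sample log lines are constructed from the messages shown above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines, modelled on the two messages quoted in the bug.
EXEC_DENIAL = (
    '[13622.935258] audit: type=1400 audit(1559071991.542:67): apparmor="DENIED" '
    'operation="exec" profile="xargs" name="/bin/echo" pid=2950 comm="xargs" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0'
)
MMAP_ALLOWED = (
    'apparmor="ALLOWED" operation="file_mmap" '
    'profile="/usr/sbin/dnsmasq//libvirt_leaseshelper" '
    'name="/usr/lib/libvirt/libvirt_leaseshelper" pid=1533 comm="libvirt_leasesh" '
    'requested_mask="m" denied_mask="m" fsuid=0 ouid=0'
)

# key="quoted value" or key=bare_value, as AppArmor's audit messages use.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one AppArmor audit message as a dict."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in _KV.findall(line)}


def rule_for_exec(event: Dict[str, str], transition: str, new_kernel: bool = True) -> str:
    """Profile rule for an exec denial, given the transition the admin chose.

    transition: "ix", "Px", "Cx", "ux", ... as accepted by AppArmor.
    new_kernel: True models a kernel carrying the CVE-2019-11190 fix, where the
    new binary is mapped only after the credential switch, so an inheriting (ix)
    child needs 'm' in the same profile. False models the pre-fix behaviour.
    """
    if event.get("operation") != "exec" or "x" not in event.get("denied_mask", ""):
        raise ValueError("not an exec denial")
    perms = ""
    if transition == "ix":
        perms = "r"            # the inheriting child still has to read its binary
        if new_kernel:
            perms = "m" + perms  # ... and now map it under the same profile
    # For Px/Cx/ux the mapping is checked under the target profile, which must
    # carry its own 'm' rule, so nothing extra is added here.
    return f'{event["name"]} {perms}{transition},'


def rule_for_mmap(event: Dict[str, str]) -> Tuple[str, str]:
    """(profile, rule) for a file_mmap denial of an executable under a profile.

    Assumed fix shape for the dnsmasq//libvirt_leaseshelper case: the child
    profile itself gets an 'm' rule for the binary it is running.
    """
    if event.get("operation") != "file_mmap" or "m" not in event.get("denied_mask", ""):
        raise ValueError("not an mmap denial")
    return event["profile"], f'{event["name"]} m,'


def suggest_rules(lines: List[str], exec_transition: str = "ix") -> List[Tuple[str, str]]:
    """Walk audit lines and return (profile, rule) pairs for the two cases."""
    out: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue  # ALLOWED appears in complain mode and means "would be denied"
        if ev.get("operation") == "exec":
            out.append((ev["profile"], rule_for_exec(ev, exec_transition)))
        elif ev.get("operation") == "file_mmap":
            out.append(rule_for_mmap(ev))
    return out


if __name__ == "__main__":
    for profile, rule in suggest_rules([EXEC_DENIAL, MMAP_ALLOWED]):
        print(f"profile {profile}: + {rule}")
```

Running it prints `+ /bin/echo mrix,` for the xargs profile, which is the line the aa-logprof test case expects, and an `m` rule for the libvirt_leaseshelper child profile.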


Tyler Hicks (tyhicks) on 2019-05-28
description: updated
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.11

apparmor (2.10.95-0ubuntu2.11) xenial-security; urgency=medium

  * Make dnsmasq profile and Python utility changes necessary to continue
    working correctly after the Linux kernel change to address CVE-2019-11190.
    Without these changes, some profile transitions may be unintentionally
    denied. (LP: #1830802)
    - 0001-dnsmasq-allow-libvirt_leaseshelper-m-permission-on-i.patch
    - 0001-handle_children-automatically-add-m-permissions-on-i.patch

 -- Tyler Hicks <email address hidden> Tue, 28 May 2019 21:33:21 +0000

Changed in apparmor (Ubuntu):
status: New → Fix Released