/usr/share/ca-certificates is missing from /etc/apparmor.d/abstractions/ssl_certs

Bug #605835 reported by Sergey Svishchev on 2010-07-15
18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
Jamie Strandboge
Lucid
Undecided
Unassigned

Bug Description

SRU Justification

1. impact of the bug is low for stable releases, but the fix is non-intrusive. It is included here as part of the 2.5.1 update for Lucid (LP: #660077)

2. This has been addressed during the maverick development cycle.

3. Patch adds read access to /usr/share/ca-certificates/ and /usr/share/ca-certificates/**

4. TEST CASE:

The test case is not straightforward as default configurations of applications in Ubuntu are not affected. While a contrived script and profile could be constructed, simply regenerating a profile that uses the ssl_certs abstraction should be enough to prove that there are no regressions (ie, the parser will fail with syntax errors). As such:
$ grep ssl_certs /etc/apparmor.d/usr.bin.firefox
    #include <abstractions/ssl_certs>
    #include <abstractions/ssl_certs>
$ grep 'ca-certificates' /etc/apparmor.d/abstractions/ssl_certs
  /usr/share/ca-certificates/ r,
  /usr/share/ca-certificates/** r,
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.firefox

5. The regression potential is very low for this patch as it only adds additional access for ca-certificates

Binary package hint: apparmor

This breaks, for example, openldap with syncrepl replication and private CA:

http://ubuntuforums.org/showthread.php?t=913791

Related branches

Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. I'll get this fixed up.

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1~pre1393-0ubuntu5

---------------
apparmor (2.5.1~pre1393-0ubuntu5) maverick; urgency=low

  * debian/patches/0007-lp605835.patch: allow ca-certificates in ssl_certs
    abstraction (LP: #605835)
  * debian/patches/0008-lp601583.patch: adjust X abstraction for newer gdm
    (LP: #601583)
  * debian/patches/0009-lp565753.patch: add ubuntu-feed-readers abstraction
    and have ubuntu-browsers.d/multimedia use it (LP: #565753)
  * debian/apparmor.config: don't try to read in the existing value from
    /etc/apparmor.d/tunables/home.d/ubuntu, but instead always use what is
    in debconf. (LP: #561694)
  * add aa-update-browser for giving a programmatic way to update browser
    profiles to use browser abstractions
    - add debian/aa-update-browser
    - add debian/aa-update-browser.8
    - debian/rules: install aa-update-browser*
  * debian/patches/0003-ubuntu-browsers-d.patch: updated to generalize java
    child profile names
  * debian/patches/0010-fix-release.patch: update common/Make.rules to use
    Canonical Ltd in generated documentation
 -- Jamie Strandboge <email address hidden> Wed, 11 Aug 2010 09:24:23 -0500

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) wrote :

A fix for this issue in lucid has been committed to https://code.launchpad.net/~ubuntu-core-dev/apparmor/lucid ; however, it has not yet been accepted into lucid-proposed as part of the Stable Release Updates (SRU) process.

Steve Beattie (sbeattie) on 2010-11-01
Changed in apparmor (Ubuntu Lucid):
status: New → In Progress
description: updated

Accepted apparmor into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in apparmor (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: added: verification-needed
Sergey Svishchev (svs) wrote :

Shouldn't a third party do the verification? Recent post [1] to ubuntu-server@ says so. (This bug is missing from their list, by the way.)

[1] http://article.gmane.org/gmane.linux.ubuntu.server/4730

Jamie Strandboge (jdstrand) wrote :

Upgraded to 2.5.1-0ubuntu0.10.04.1 in lucid-proposed and this issue is resolved.

Martin Pitt (pitti) on 2010-12-14
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :
Download full text (10.1 KiB)

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

---------------
apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
    with newer kernels (LP: #660077)
    NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
    to be adjusted when 2 separately confined applications that both use the
    user-tmp abstraction depend on being able to cooperatively share files
    with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
    - 0002-add-chromium-browser.patch
    - 0003-local-includes.patch
    - 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
    release):
    - don't ship aa-update-browser and its man page (requires
      0004-ubuntu-abstractions-updates.patch)
    - don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
    - don't use dh_apparmor (not in Ubuntu 10.04 LTS)
    - don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
    (requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
    0002-add-chromium-browser.patch
  * debian/control:
    - revert Build-Depends on debhelper (>= 5)
    - revert Standards-Version to 3.8.4
    - revert Vcs-Bzr
    - use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
    back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
    abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
    be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put ...

Changed in apparmor (Ubuntu Lucid):
status: Fix Committed → Fix Released
tags: added: testcase
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers