/usr/share/ca-certificates is missing from /etc/apparmor.d/abstractions/ssl_certs

Bug #605835 reported by Sergey Svishchev on 2010-07-15
Affects: apparmor (Ubuntu); Assigned to: Jamie Strandboge

Bug Description

SRU Justification

1. The impact of the bug is low for stable releases, but the fix is non-intrusive. It is included here as part of the 2.5.1 update for Lucid (LP: #660077).

2. This has been addressed during the maverick development cycle.

3. The patch adds read access to /usr/share/ca-certificates/ and /usr/share/ca-certificates/**.


4. The test case is not straightforward, as the default configurations of applications in Ubuntu are not affected. While a contrived script and profile could be constructed, simply regenerating a profile that uses the ssl_certs abstraction should be enough to prove that there are no regressions (i.e. if the abstraction were broken, the parser would fail with syntax errors). As such:
$ grep ssl_certs /etc/apparmor.d/usr.bin.firefox
    #include <abstractions/ssl_certs>
    #include <abstractions/ssl_certs>
$ grep 'ca-certificates' /etc/apparmor.d/abstractions/ssl_certs
  /usr/share/ca-certificates/ r,
  /usr/share/ca-certificates/** r,
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.firefox

5. The regression potential is very low for this patch, as it only adds additional read access for ca-certificates.
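As an added illustration (not code from this bug report or from the apparmor package), the following Python evaluator loads file rules written in the abstraction syntax and answers "does this profile allow that access?". It works on a constructed excerpt in the shape of abstractions/ssl_certs (the real file has more entries; only the rule shape matters), appends the two lines the patch adds, and reproduces the grep step of the test case. The glob semantics are simplified and stated as an assumption in the comments: they show why the directory entry and the ** entry are both needed.

```python
import re

# Constructed excerpt in the shape of the ssl_certs abstraction *before*
# this fix (assumption: the real Ubuntu file has more entries; only the
# rule shape matters here).
SSL_CERTS_BEFORE = """\
# abstractions/ssl_certs (constructed excerpt, not the real Ubuntu file)
  /etc/ssl/ r,
  /etc/ssl/certs/ r,
  /etc/ssl/certs/* r,
  /usr/share/ssl/certs/ r,
  /usr/share/ssl/certs/* r,
"""

# The two lines the fix adds (as quoted in the bug's test case), appended
# to the constructed excerpt to model the patched abstraction.
CA_CERT_RULES = ["/usr/share/ca-certificates/ r,",
                 "/usr/share/ca-certificates/** r,"]
SSL_CERTS_AFTER = SSL_CERTS_BEFORE + "".join(f"  {r}\n" for r in CA_CERT_RULES)

# One file rule: optional 'owner', an absolute path glob, a permission
# string and the terminating comma.  Comments and #include lines never match.
RULE_RE = re.compile(r'^\s*(?:owner\s+)?(/\S+)\s+([a-zA-Z]+)\s*,\s*$')


def glob_to_regex(glob):
    """Translate an AppArmor path glob into a compiled Python regex.

    Documented semantics: '*' matches any characters except '/', '**'
    matches any characters including '/', '?' matches one non-'/' char.
    Assumption used here: directly after a '/', '*' and '**' must consume
    at least one character, so '/dir/**' covers everything *below* /dir/
    but not the directory /dir/ itself.  That is why the abstraction lists
    '/usr/share/ca-certificates/' separately from
    '/usr/share/ca-certificates/**'.
    """
    out = []
    i = 0
    while i < len(glob):
        after_slash = i > 0 and glob[i - 1] == '/'
        if glob.startswith('**', i):
            out.append('[^/].*' if after_slash else '.*')
            i += 2
        elif glob[i] == '*':
            out.append('[^/]+' if after_slash else '[^/]*')
            i += 1
        elif glob[i] == '?':
            out.append('[^/]')
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile('^' + ''.join(out) + '$')


def parse_rules(text):
    """Return [(compiled_regex, set_of_perms)] for every file rule in text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((glob_to_regex(m.group(1)), set(m.group(2))))
    return rules


def allowed(rules, path, perm):
    """AppArmor accumulates permissions over every rule whose glob matches
    the path, so one matching rule that carries perm is enough."""
    return any(perm in perms and rx.match(path) for rx, perms in rules)


def missing_rules(text, required=CA_CERT_RULES):
    """Same check as the 'grep ca-certificates' step of the SRU test case:
    which of the required rule lines are absent (whitespace-insensitive)."""
    present = {" ".join(line.split()) for line in text.splitlines()}
    return [r for r in required if r not in present]


if __name__ == "__main__":
    for label, text in (("before", SSL_CERTS_BEFORE), ("after", SSL_CERTS_AFTER)):
        rules = parse_rules(text)
        print(f"{label}: missing rules = {missing_rules(text)}")
        for p in ("/usr/share/ca-certificates/",
                  "/usr/share/ca-certificates/mozilla/Example_CA.crt"):
            verdict = "allow" if allowed(rules, p, 'r') else "DENY"
            print(f"  read {p}: {verdict}")
```

Running it prints a DENY for the mozilla/ path in the "before" set and an allow in the "after" set. The evaluator is a model for reading rules, not a substitute for the real check: the authoritative regression test remains loading the profile with apparmor_parser -r -T -W, as the test case above does.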

Binary package hint: apparmor

This breaks, for example, openldap with syncrepl replication and a private CA:



Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. I'll get this fixed up.

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1~pre1393-0ubuntu5

apparmor (2.5.1~pre1393-0ubuntu5) maverick; urgency=low

  * debian/patches/0007-lp605835.patch: allow ca-certificates in ssl_certs
    abstraction (LP: #605835)
  * debian/patches/0008-lp601583.patch: adjust X abstraction for newer gdm
    (LP: #601583)
  * debian/patches/0009-lp565753.patch: add ubuntu-feed-readers abstraction
    and have ubuntu-browsers.d/multimedia use it (LP: #565753)
  * debian/apparmor.config: don't try to read in the existing value from
    /etc/apparmor.d/tunables/home.d/ubuntu, but instead always use what is
    in debconf. (LP: #561694)
  * add aa-update-browser for giving a programmatic way to update browser
    profiles to use browser abstractions
    - add debian/aa-update-browser
    - add debian/aa-update-browser.8
    - debian/rules: install aa-update-browser*
  * debian/patches/0003-ubuntu-browsers-d.patch: updated to generalize java
    child profile names
  * debian/patches/0010-fix-release.patch: update common/Make.rules to use
    Canonical Ltd in generated documentation
 -- Jamie Strandboge <email address hidden> Wed, 11 Aug 2010 09:24:23 -0500

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) wrote :

A fix for this issue in lucid has been committed to https://code.launchpad.net/~ubuntu-core-dev/apparmor/lucid ; however, it has not yet been accepted into lucid-proposed as part of the Stable Release Updates (SRU) process.

Steve Beattie (sbeattie) on 2010-11-01
Changed in apparmor (Ubuntu Lucid):
status: New → In Progress
description: updated

Accepted apparmor into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in apparmor (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: added: verification-needed
Sergey Svishchev (svs) wrote :

Shouldn't a third party do the verification? Recent post [1] to ubuntu-server@ says so. (This bug is missing from their list, by the way.)

[1] http://article.gmane.org/gmane.linux.ubuntu.server/4730

Jamie Strandboge (jdstrand) wrote :

Upgraded to 2.5.1-0ubuntu0.10.04.1 in lucid-proposed and this issue is resolved.

Martin Pitt (pitti) on 2010-12-14
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
    with newer kernels (LP: #660077)
    NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
    to be adjusted when 2 separately confined applications that both use the
    user-tmp abstraction depend on being able to cooperatively share files
    with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
    - 0002-add-chromium-browser.patch
    - 0003-local-includes.patch
    - 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
    - don't ship aa-update-browser and its man page (requires
    - don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
    - don't use dh_apparmor (not in Ubuntu 10.04 LTS)
    - don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
    (requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
  * debian/control:
    - revert Build-Depends on debhelper (>= 5)
    - revert Standards-Version to 3.8.4
    - revert Vcs-Bzr
    - use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
    back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
    abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
    be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put ...

Changed in apparmor (Ubuntu Lucid):
status: Fix Committed → Fix Released
tags: added: testcase