change to unconfined by name fails

Bug #978038 reported by John Johansen on 2012-04-10
This bug affects 1 person
Affects             Status  Importance  Assigned to         Milestone
Linux                       Medium      auto-john.johansen
apparmor (Ubuntu)           Undecided   John Johansen
  Precise                   Undecided   John Johansen
  Quantal                   Undecided   John Johansen
linux (Ubuntu)              Undecided   John Johansen
  Precise                   Undecided   John Johansen
  Quantal                   Undecided   John Johansen

Bug Description

== Precise SRU Justification ==

Applications trying to leave confinement, when they are allowed to, fail, causing cascading failures. This is affecting LXC, where the system is confining the container and tries to drop confinement.

== Fix ==

Commit bf83208e0b7f5938f5a7f6d9dfa9960bf04692fa from security/next queue for 3.5 kernel fixes the issue

== Impact ==

Without this fix some uses of LXC experience failures that the user must work around by disabling the apparmor profile for LXC.

== Test Case ==

  Run the tests from the updated apparmor regression test suite in qrt.

or manually:

  create a confined shell containing the rule
    change_profile -> **,
  from the confined shell call
    aa-exec -p unconfined
  without the patch this will fail, reporting that the profile could not be found

When a task is confined by an apparmor profile and specifies a change to "unconfined" by name, the transition fails even though it is allowed by policy. The failure can be replicated by using any of the following mechanisms:

  self-directed transitions using change_profile or change_onexec, with the correct change_profile rule
    change_profile -> unconfined,

  px, cx named profile transitions
     /example px -> unconfined,

  This is particularly problematic for transitions to a new namespace.
    /example px -> :new_ns:unconfined,
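A reproduction script for the manual test case above, added here as an example; it is not the reporter's code and not part of the apparmor package. The page supplies only the `change_profile -> **,` rule and the `aa-exec -p unconfined` call; everything else is assumed for this example: a root shell on a host with AppArmor enabled, apparmor_parser and aa-exec installed, /bin/sh as the confined program, the profile name lp978038_shell, and the file rules that let the confined shell exec aa-exec and use the /proc/<pid>/attr interface.

```shell
#!/bin/sh
# Reproduction script for LP: #978038 (added example, not from the bug report
# or the apparmor package). Assumes: Linux with AppArmor enabled,
# apparmor_parser and aa-exec installed, root for policy loading, /bin/sh as
# the confined program. The profile name lp978038_shell, the file rules and
# the paths below are choices made for this example, not taken from the page.

PROFILE_NAME=lp978038_shell
PROFILE_FILE=/etc/apparmor.d/$PROFILE_NAME

# Emit a minimal named profile (no attachment path) for the test shell.
# The only rule that matters for the bug is "change_profile -> **," from
# the report's manual test case; the file rules are there so the shell can
# exec aa-exec and write the /proc/<pid>/attr files aa-exec uses to request
# the transition (this parser version did not grant that implicitly).
emit_profile() {
    cat <<EOF
#include <tunables/global>
profile $1 {
  #include <abstractions/base>
  /** rix,
  /proc/*/attr/current rw,
  /proc/*/attr/exec w,
  change_profile -> **,
}
EOF
}

load_profile() {
    emit_profile "$PROFILE_NAME" > "$PROFILE_FILE"
    apparmor_parser -r "$PROFILE_FILE"
}

unload_profile() {
    apparmor_parser -R "$PROFILE_FILE"
    rm -f "$PROFILE_FILE"
}

# Enter the confined shell, print its label, then ask for a by-name
# transition to "unconfined" and print the label the kernel actually
# assigned to the new task. stderr is merged so aa-exec's error survives.
run_test() {
    aa-exec -p "$PROFILE_NAME" -- /bin/sh -c '
        echo "before: $(cat /proc/self/attr/current)"
        aa-exec -p unconfined -- /bin/sh -c "echo after: \$(cat /proc/self/attr/current)"
    ' 2>&1
}

# Classify the captured output. Only "after: unconfined" means the kernel
# honoured the by-name transition. No "after:" line (aa-exec refused the
# transition) or a label that is still the test profile is the failure this
# bug describes. aa-exec's exact error text differs between versions, so it
# is deliberately not matched.
classify() {
    case "$1" in
        *"after: unconfined"*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    if [ ! -d /sys/kernel/security/apparmor ]; then
        echo "AppArmor is not enabled on this kernel; nothing to reproduce" >&2
        return 2
    fi
    load_profile
    out=$(run_test)
    unload_profile
    printf '%s\n' "$out"
    if classify "$out"; then
        echo "PASS: confined task transitioned to unconfined by name"
    else
        echo "FAIL: transition to unconfined by name refused (LP: #978038 behaviour)"
        return 1
    fi
}

# Only touch the system when explicitly asked: "sh lp978038.sh run" as root.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as root with the `run` argument. On a kernel with the bug the inner aa-exec fails and no `after: unconfined` line appears; on a fixed kernel the second label printed is `unconfined`, which is also what the SRU verification in this bug checked. The script removes the test profile again before reporting.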

Changed in apparmor (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
Changed in linux:
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3

---------------
apparmor (2.7.102-0ubuntu3) precise; urgency=low

  [ Jamie Strandboge ]
  * debian/patches/0007-ubuntu-manpage-updates.patch: update apparmor(5)
    to describe Ubuntu's two-stage policy load and how to add utilize it
    when developing policy (LP: #974089)

  [ Serge Hallyn ]
  * debian/apparmor.init: do nothing in a container. This can be
    removed once stacked profiles are supported and used by lxc.
    (LP: #978297)

  [ Steve Beattie ]
  * debian/patches/0008-apparmor-lp963756.patch: Fix permission mapping
    for change_profile onexec (LP: #963756)
  * debian/patches/0009-apparmor-lp959560-part1.patch,
    debian/patches/0010-apparmor-lp959560-part2.patch: Update the parser
    to support the 'in' keyword for value lists, and make mount
    operations aware of 'in' keyword so they can affect the flags build
    list (LP: #959560)
  * debian/patches/0011-apparmor-lp872446.patch: fix logprof missing
    exec events in complain mode (LP: #872446)
  * debian/patches/0012-apparmor-lp978584.patch: allow inet6 access in
    dovecot imap-login profile (LP: #978584)
  * debian/patches/0013-apparmor-lp800826.patch: fix libapparmor
    log parsing library from dropping apparmor network events that
    contain ip addresses or ports in them (LP: #800826)
  * debian/patches/0014-apparmor-lp979095.patch: document new mount rule
    syntax and usage in apparmor.d(5) manpage (LP: #979095)
  * debian/patches/0015-apparmor-lp963756.patch: Fix change_onexec
    for profiles without attachment specification (LP: #963756,
    LP: #978038)
  * debian/patches/0016-apparmor-lp968956.patch: Fix protocol error when
    loading policy to kernels without compat patches (LP: #968956)
  * debian/patches/0017-apparmor-lp979135.patch: Fix change_profile to
    grant access to /proc/attr api (LP: #979135)
 -- Steve Beattie <email address hidden> Thu, 12 Apr 2012 06:17:42 -0500

Changed in apparmor (Ubuntu):
status: New → Fix Released
Changed in linux:
status: New → Invalid
Changed in linux (Ubuntu):
status: New → In Progress
Changed in linux (Ubuntu Precise):
status: New → In Progress
Changed in apparmor (Ubuntu Precise):
status: New → Fix Released
assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu Precise):
assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu Quantal):
assignee: nobody → John Johansen (jjohansen)
description: updated
Tim Gardner (timg-tpi) on 2012-05-22
Changed in linux (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Quantal):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 3.4.0-3.8

---------------
linux (3.4.0-3.8) quantal; urgency=low

  [ Andy Whitcroft ]

  * [Config] include include/generated/compile.h
    - LP: #942569
  * [Config] fix up postinst to ensure we know which error is which
    - LP: #1002388

  [ Herton Ronaldo Krzesinski ]

  * SAUCE: async_populate_rootfs: fix build warnings
    - LP: #1003417

  [ John Johansen ]

  * Revert "SAUCE: AppArmor: Add the ability to mediate mount"
  * SAUCE: apparmor: Add the ability to mediate mount
  * SAUCE: AppArmor: basic networking rules
  * SAUCE: apparmor: fix profile lookup for unconfined
    - LP: #978038, #987371
  * SAUCE: apparmor: fix long path failure due to disconnected path
    - LP: #955892

  [ Mario Limonciello ]

  * SAUCE: dell-laptop: rfkill blacklist Dell XPS 13z, 15
    - LP: #901410

  [ Stefan Bader ]

  * (config) Built-in xen-acpi-processor

  [ Tim Gardner ]

  * [Config] CONFIG_NET_DSA=m
    - LP: #1004148
  * [Config] Ensure CONFIG_XEN_ACPI_PROCESSOR=y for amd64
 -- Leann Ogasawara <email address hidden> Fri, 25 May 2012 11:38:33 -0700

Changed in linux (Ubuntu Quantal):
status: Fix Committed → Fix Released
Luis Henriques (henrix) wrote:

This bug is awaiting verification that the kernel for precise in -proposed solves the problem (3.2.0-25.40). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise
tags: added: verification-done-precise
removed: verification-needed-precise
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 3.2.0-25.40

---------------
linux (3.2.0-25.40) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1003534

  [ Andy Whitcroft ]

  * [Config] control.stub is an intermediate product not a dependancy
    - LP: #992414
  * [Config] include include/generated/compile.h
    - LP: #942569

  [ Dave Martin ]

  * SAUCE: rtc: pl031: Enable module alias autogeneration for AMBA drivers
    - LP: #1000831

  [ Herton Ronaldo Krzesinski ]

  * Revert "SAUCE: ite-cir: postpone ISR registration"
    - LP: #1002484
  * SAUCE: async_populate_rootfs: fix build warnings
    - LP: #1003417

  [ Ike Panhc ]

  * [Config] add highbank flavour
    - LP: #1000831

  [ John Johansen ]

  * SAUCE: apparmor: fix long path failure due to disconnected path
    - LP: #955892
  * SAUCE: apparmor: fix profile lookup for unconfined
    - LP: #978038, #987371

  [ Mark Langsdorf ]

  * SAUCE: arm highbank: add support for pl320-ipc driver
    - LP: #1000831

  [ Rob Herring ]

  * SAUCE: input: add a key driver for highbank
    - LP: #1000831
  * SAUCE: ARM: highbank: Add smc calls to enable/disable the L2
    - LP: #1000831
  * SAUCE: force DMA buffers to non-bufferable on highbank
    - LP: #1000831
  * SAUCE: net: calxedaxgmac: fix net timeout recovery
    - LP: #1000831

  [ Tim Gardner ]

  * [Config] perarch and indep tools builds need separate build directories
  * [Config] CONFIG_XEN_ACPI_PROCESSOR=y
    - LP: #898112

  [ Upstream Kernel Changes ]

  * Revert "autofs: work around unhappy compat problem on x86-64"
    - LP: #1002482
  * Input: wacom - cleanup feature report for bamboos
    - LP: #568064
  * Input: wacom - remove unused bamboo HID parsing
    - LP: #568064
  * Input: wacom - add some comments to wacom_parse_hid
    - LP: #568064
  * Input: wacom - relax Bamboo stylus ID check
    - LP: #568064
  * Input: wacom - read 3rd gen Bamboo Touch HID data
    - LP: #568064
  * Input: wacom - 3rd gen Bamboo P&Touch packet support
    - LP: #568064
  * Input: wacom - ignore unwanted bamboo packets
    - LP: #568064
  * HID: wacom: Move parsing to a separate function
    - LP: #568064
  * HID: wacom: Initial driver for Wacom Intuos4 Wireless (Bluetooth)
    - LP: #568064
  * Input: wacom - add support for Cintiq 24HD
    - LP: #568064
  * Input: wacom - add LED support for Cintiq 24HD
    - LP: #568064
  * Input: wacom - add missing LEDS_CLASS to Kconfig
    - LP: #568064
  * Input: wacom - fix 3rd-gen Bamboo MT when 4+ fingers are in use
    - LP: #568064
  * power_supply: allow a power supply to explicitly point to powered
    device
    - LP: #568064
  * power_supply: add "powers" links to self-powered HID devices
    - LP: #568064
  * HID: wiimote: fix invalid power_supply_powers call
    - LP: #568064
  * HID: wacom: Fix invalid power_supply_powers calls
    - LP: #568064
  * ARM: 7178/1: fault.c: Port OOM changes into do_page_fault
    - LP: #951043
  * ARM: 7368/1: fault.c: correct how the tsk->[maj|min]_flt gets
    incremented
    - LP: #951043
  * hugepages: fix use after free bug in "quota" handling
    - LP: #990368
    - CVE-2012-2133
  * provide disable_cpufreq() functio...

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
