apparmor: does not provide a way to detect policy updates
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Incomplete | Undecided | Unassigned |
Yakkety | Won't Fix | Undecided | Unassigned |
Zesty | Fix Released | Undecided | Unassigned |
Bug Description
User space trusted helpers have no way to detect when policy changes have been loaded into the kernel. This prevents the applications from being able to cache permission queries. Currently trusted helpers have not done caching (wish list feature), however the gsetting proxy requires userspace caching of permissions due to how gsettings proxy has to work.
This means that policy loads result in stale gsettings policy, which results in incorrect mediation.
Add a revision file to the apparmorfs interface that allows detection of the current revision number for apparmor policy. This file can be read like a pipe, or used via poll, which is sufficient for the gsettings proxy to detect changes and invalidate its cache.
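The following is an added example of how a trusted helper could use such a revision file to invalidate a permission cache; it is not code from the bug report or from AppArmor. It assumes a file whose content is a decimal revision number followed by a newline, whose non-blocking read returns EAGAIN while the revision is unchanged, and on which poll() reports POLLIN once the revision has changed. The path REVISION_PATH is an assumption, not taken from this page; the demo function stands in a pipe for the kernel file so the logic can be exercised without the feature present.

```c
/* Added example: permission cache keyed on the AppArmor policy revision.
 * Assumptions (not from the bug page): the revision file path below, the
 * "<number>\n" content format, EAGAIN on non-blocking read when unchanged,
 * and POLLIN from poll() once the revision has moved. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REVISION_PATH "/sys/kernel/security/apparmor/revision" /* assumed */

/* Parse "<number>\n" from the revision file; -1 on malformed input. */
long parse_revision(const char *buf, size_t len)
{
    char tmp[32];
    char *end;
    long rev;

    if (len == 0 || len >= sizeof tmp)
        return -1;
    memcpy(tmp, buf, len);
    tmp[len] = '\0';
    errno = 0;
    rev = strtol(tmp, &end, 10);
    if (errno || end == tmp || rev < 0 || (*end != '\n' && *end != '\0'))
        return -1;
    return rev;
}

/* Non-blocking read: 1 and *rev set if a revision was read, 0 if the
 * revision is unchanged (EAGAIN / no data), -1 on error or junk. */
int read_revision(int fd, long *rev)
{
    char buf[32];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    long r;

    if (n < 0)
        return (errno == EAGAIN || errno == EWOULDBLOCK) ? 0 : -1;
    if (n == 0)
        return 0;
    r = parse_revision(buf, (size_t)n);
    if (r < 0)
        return -1;
    *rev = r;
    return 1;
}

struct perm_cache {
    int revision_fd;   /* open handle on the revision file */
    long revision;     /* policy revision the cached answers belong to */
    size_t entries;    /* constructed stand-in for cached permission answers */
};

/* Wait up to timeout_ms for a policy change; on change, drop every cached
 * answer (stale answers would mediate incorrectly) and record the new
 * revision.  Returns 1 if the cache was invalidated, 0 if not, -1 on error. */
int refresh_cache(struct perm_cache *c, int timeout_ms)
{
    struct pollfd pfd = { .fd = c->revision_fd, .events = POLLIN };
    long rev;
    int rc = poll(&pfd, 1, timeout_ms);

    if (rc < 0)
        return -1;
    if (rc == 0)
        return 0;                       /* timed out: revision unchanged */
    rc = read_revision(c->revision_fd, &rev);
    if (rc <= 0)
        return rc;
    if (rev == c->revision)
        return 0;
    c->revision = rev;
    c->entries = 0;                     /* invalidate all cached answers */
    return 1;
}

/* Constructed stand-in for the kernel file: a pipe gives the same
 * pipe-like read/poll behaviour.  Returns the number of invalidations
 * observed (expected 2), or a negative value if the cache was not cleared. */
int demo_with_pipe(void)
{
    int fds[2], invalidations = 0;
    struct perm_cache c = { .revision = 0, .entries = 0 };

    if (pipe(fds) < 0 || fcntl(fds[0], F_SETFL, O_NONBLOCK) < 0)
        return -1;
    c.revision_fd = fds[0];

    (void)!write(fds[1], "1\n", 2);            /* initial policy load */
    if (refresh_cache(&c, 0) == 1) invalidations++;
    c.entries = 3;                              /* helper caches three answers */
    if (refresh_cache(&c, 0) == 1) invalidations++;   /* nothing changed */
    (void)!write(fds[1], "2\n", 2);            /* policy replaced */
    if (refresh_cache(&c, 0) == 1) invalidations++;

    close(fds[0]);
    close(fds[1]);
    return c.entries == 0 ? invalidations : -2;
}

int main(void)
{
    int fd = open(REVISION_PATH, O_RDONLY | O_NONBLOCK);
    if (fd < 0) {
        perror("open revision file (assumed path)");
        printf("pipe demo: %d invalidations\n", demo_with_pipe());
        return 0;
    }
    struct perm_cache c = { .revision_fd = fd, .revision = 0, .entries = 0 };
    printf("invalidated: %d, revision now %ld\n", refresh_cache(&c, 0), c.revision);
    close(fd);
    return 0;
}
```

Keeping the cache keyed on the revision rather than on a timestamp means a reload that happens between two queries is caught on the next refresh, and a read that returns EAGAIN is treated as "no change" rather than as an error.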
Changed in linux (Ubuntu Zesty): status: Incomplete → Fix Committed
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1678032
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.