mysql fails to load innodb plugin due to apparmor rejection.

Bug #617463 reported by Steve Beattie on 2010-08-13
This bug affects 1 person
Affects                    Importance   Assigned to
mysql-5.1 (Ubuntu)         Undecided    Unassigned
  Lucid                    Undecided    Unassigned
mysql-dfsg-5.1 (Ubuntu)    Undecided    Unassigned
  Lucid                    Low          Unassigned

Bug Description

== SRU Stuff ==

=== Impact ===
The HA innodb plugin can't be used, as the apparmor rules don't allow access to the plugin directory.

=== Regression potential ===
Minimal. When this rule was added in maverick, it went through a few iterations:
5.1.49-1ubuntu5, 5.1.49-1ubuntu6, and 5.1.49-1ubuntu7.
But it hasn't been changed since, so we can assume it isn't too problematic.

=== Test Case ===

Install mysql-server. Stop it.

Add the following to a [mysqld] block in my.cnf:

default-storage-engine=InnoDB
ignore_builtin_innodb
plugin-load=innodb=ha_innodb_plugin.so;innodb_trx=ha_innodb_plugin.so;innodb_locks=ha_innodb_plugin.so;innodb_lock_waits=ha_innodb_plugin.so;innodb_cmp=ha_innodb_plugin.so;innodb_cmp_reset=ha_innodb_plugin.so;innodb_cmpmem=ha_innodb_plugin.so;innodb_cmpmem_reset=ha_innodb_plugin.so

Then mysql won't start, reporting in /var/log/mysql/error.log that it can't load the innodb plugin.
If it starts, we've solved the problem.

== Original Report ==

Attempting to run the mysql testsuite fails with the apparmor policy as shipped in maverick with the following rejection:

[72565.740926] type=1400 audit(1281713173.741:61): apparmor="DENIED" operation="file_mmap" parent=18416 profile="/usr/sbin/mysqld" name="/usr/lib/mysql/plugin/ha_innodb_plugin.so.0.0.0" pid=18417 comm="mysqld" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

The following needs to be added to the apparmor profile for mysqld:

  /usr/lib/mysql/plugin/*.so* m,

This also may be an issue on lucid, though I haven't built a version of mysql there with the fix for bug 617461 to reproduce it.
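
How a denial like the one quoted in the report maps to a candidate profile rule, as an added example that is not part of the original report or of AppArmor's own tooling. The `generalise` heuristic and the second and third log lines are assumptions constructed for the illustration.

```python
import posixpath
import re
from collections import defaultdict

# Constructed input: the denial quoted in the report, a repeat of it from a
# second process (timestamp and pid invented), and an unrelated kernel line.
SAMPLE_LOG = """\
[72565.740926] type=1400 audit(1281713173.741:61): apparmor="DENIED" operation="file_mmap" parent=18416 profile="/usr/sbin/mysqld" name="/usr/lib/mysql/plugin/ha_innodb_plugin.so.0.0.0" pid=18417 comm="mysqld" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
[72570.100000] type=1400 audit(1281713178.100:62): apparmor="DENIED" operation="file_mmap" parent=18416 profile="/usr/sbin/mysqld" name="/usr/lib/mysql/plugin/ha_innodb_plugin.so.0.0.0" pid=18420 comm="mysqld" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
[72571.000000] usb 1-1: new high-speed USB device number 4 using ehci_hcd
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
SHARED_OBJECT = re.compile(r'\.so(\.\d+)*$')        # foo.so, foo.so.0.0.0
REQUIRED = ("profile", "name", "denied_mask")

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD.finditer(line)}
    if fields.get("apparmor") != "DENIED" or not all(k in fields for k in REQUIRED):
        return None
    return fields

def generalise(path):
    """Hypothetical heuristic: widen a versioned shared object to dir/*.so*,
    the shape of the rule proposed in the report; other paths stay exact."""
    if SHARED_OBJECT.search(path):
        return posixpath.dirname(path) + "/*.so*"
    return path

def suggest_rules(log_text):
    """Map each confined profile to the de-duplicated rules its denials imply."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec:
            masks[(rec["profile"], generalise(rec["name"]))].update(rec["denied_mask"])
    rules = defaultdict(list)
    for (profile, path), mask in sorted(masks.items()):
        # Assumption: logged mask letters are valid profile permissions (true for "m").
        rules[profile].append(f"{path} {''.join(sorted(mask))},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in lines:
            print(f"  {rule}")
```

The suggested rule grants only the `m` permission that was denied and keeps the glob inside the plugin directory, which is what a reviewer should check before adding it to the profile.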

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-5.1 - 5.1.49-1ubuntu5

---------------
mysql-5.1 (5.1.49-1ubuntu5) maverick; urgency=low

  * New patch: 99_fix_testsuite_for_installed_env.dpatch: fix
    mysql-testsuite to work with the installation location (LP: #617461)
  * debian/apparmor-profile: add mmap access to mysql plugin location
    (LP: #617463)
 -- Steve Beattie <email address hidden> Thu, 12 Aug 2010 15:44:46 -0700

Changed in mysql-5.1 (Ubuntu):
status: New → Fix Released
Changed in mysql-dfsg-5.1 (Ubuntu):
status: New → Invalid
Changed in mysql-5.1 (Ubuntu Lucid):
status: New → Invalid
Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
importance: Undecided → Low
description: updated
Stefano Rivera (stefanor) wrote :

Let's try that again. The previous upload was rejected to make way for a security update.

Hello Steve, or anyone else affected,

Accepted mysql-dfsg-5.1 into lucid-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/mysql-dfsg-5.1/5.1.66-0ubuntu0.10.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
status: New → Fix Committed
tags: added: verification-needed
Marc Deslauriers (mdeslaur) wrote :

I confirm this fixes the issue; I don't see the relevant denials when running the test suite anymore.

This fix will be included in the security release that will be published in a few minutes.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.1 - 5.1.66-0ubuntu0.10.04.3

---------------
mysql-dfsg-5.1 (5.1.66-0ubuntu0.10.04.3) lucid-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via long argument
    - debian/patches/99_CVE-2012-5611.patch: don't overflow buffer in
      sql/sql_acl.cc, add tests to mysql-test/t/information_schema.test,
      mysql-test/r/information_schema.result.
    - CVE-2012-5611
 -- Marc Deslauriers <email address hidden> Fri, 07 Dec 2012 12:14:34 -0500

Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
status: Fix Committed → Fix Released