| 2016-06-28 17:22:12 |
John Johansen |
bug |
|
|
added bug |
| 2016-06-29 14:05:13 |
Marc Deslauriers |
cve linked |
|
2016-1585 |
|
| 2016-10-13 21:45:10 |
Christian Boltz |
tags |
|
aa-parser |
|
| 2017-07-13 16:39:31 |
Christian Boltz |
bug watch added |
|
https://bugzilla.opensuse.org/show_bug.cgi?id=995594 |
|
| 2019-05-05 07:34:24 |
Salvatore Bonaccorso |
bug |
|
|
added subscriber Salvatore Bonaccorso |
| 2020-02-07 03:59:31 |
Simon Déziel |
bug watch added |
|
https://github.com/lxc/lxd/issues/6799 |
|
| 2020-02-07 15:20:05 |
Simon Déziel |
bug watch removed |
https://github.com/lxc/lxd/issues/6799 |
|
|
| 2020-09-29 17:15:12 |
Steve Beattie |
bug |
|
|
added subscriber Steve Beattie |
| 2023-06-22 08:55:17 |
John Johansen |
apparmor: status |
New |
Fix Released |
|
| 2024-02-02 16:57:05 |
Aleksandr Mikhalitsyn |
bug |
|
|
added subscriber Simon Déziel |
| 2024-02-07 12:51:14 |
Thomas Parrott |
bug |
|
|
added subscriber Thomas Parrott |
| 2024-03-06 18:25:32 |
Steve Beattie |
bug task added |
|
apparmor (Ubuntu) |
|
| 2024-03-06 18:25:43 |
Steve Beattie |
nominated for series |
|
Ubuntu Jammy |
|
| 2024-03-06 18:25:43 |
Steve Beattie |
bug task added |
|
apparmor (Ubuntu Jammy) |
|
| 2024-03-06 18:25:43 |
Steve Beattie |
nominated for series |
|
Ubuntu Focal |
|
| 2024-03-06 18:25:43 |
Steve Beattie |
bug task added |
|
apparmor (Ubuntu Focal) |
|
| 2024-03-06 18:25:52 |
Steve Beattie |
apparmor (Ubuntu): status |
New |
Fix Released |
|
| 2024-03-06 18:25:59 |
Steve Beattie |
apparmor (Ubuntu Focal): status |
New |
In Progress |
|
| 2024-03-06 18:26:03 |
Steve Beattie |
apparmor (Ubuntu Jammy): status |
New |
In Progress |
|
| 2024-03-29 16:43:35 |
Steve Beattie |
description |
The rule
mount options=(rw,make-slave) -> **,
ends up allowing
mount -t proc proc /mnt
which it shouldn't as it should be restricted to commands with a make-slave flag |
SRU Team; the packages for focal-proposed and jammy-proposed are intended as security updates prepared by the Ubuntu Security team (and have built in a ppa with only the security pockets enabled). However, because the fix makes mount rules in apparmor policy be treated more restrictively than they were prior to this update, we would like these packages to gain more widespread testing.
Risk of Regression:
The update for this issue causes the apparmor parser, the tool that translates written policy into the enforcement data structures used by the kernel, to generate more strict policy for mount rules, like the example below. They are not common in apparmor policy generally, but can appear in policies written for container managers to restrict containers, and thus can potentially break container startup.
The packages prepared for focal-proposed and jammy-proposed have tested with the versions of snapd, lxc, libvirt, and docker in the ubuntu archive, but conainter managers outside of the ubunty archive may run into issues, hence the need for testing and policy adjustments.
Original Report:
The rule
mount options=(rw,make-slave) -> **,
ends up allowing
mount -t proc proc /mnt
which it shouldn't as it should be restricted to commands with a make-slave flag |
|
| 2024-04-02 06:46:25 |
Andrew Cloke |
bug |
|
|
added subscriber Andrew Cloke |
| 2024-04-02 23:10:00 |
Steve Beattie |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2024-04-09 22:55:46 |
Brian Murray |
description |
SRU Team; the packages for focal-proposed and jammy-proposed are intended as security updates prepared by the Ubuntu Security team (and have built in a ppa with only the security pockets enabled). However, because the fix makes mount rules in apparmor policy be treated more restrictively than they were prior to this update, we would like these packages to gain more widespread testing.
Risk of Regression:
The update for this issue causes the apparmor parser, the tool that translates written policy into the enforcement data structures used by the kernel, to generate more strict policy for mount rules, like the example below. They are not common in apparmor policy generally, but can appear in policies written for container managers to restrict containers, and thus can potentially break container startup.
The packages prepared for focal-proposed and jammy-proposed have tested with the versions of snapd, lxc, libvirt, and docker in the ubuntu archive, but conainter managers outside of the ubunty archive may run into issues, hence the need for testing and policy adjustments.
Original Report:
The rule
mount options=(rw,make-slave) -> **,
ends up allowing
mount -t proc proc /mnt
which it shouldn't as it should be restricted to commands with a make-slave flag |
SRU Team; the packages for focal-proposed and jammy-proposed are intended as security updates prepared by the Ubuntu Security team (and have built in a ppa with only the security pockets enabled). However, because the fix makes mount rules in apparmor policy be treated more restrictively than they were prior to this update, we would like these packages to gain more widespread testing.
Risk of Regression:
The update for this issue causes the apparmor parser, the tool that translates written policy into the enforcement data structures used by the kernel, to generate more strict policy for mount rules, like the example below. They are not common in apparmor policy generally, but can appear in policies written for container managers to restrict containers, and thus can potentially break container startup.
The packages prepared for focal-proposed and jammy-proposed have tested with the versions of snapd, lxc, libvirt, and docker in the ubuntu archive, but container managers outside of the ubuntu archive may run into issues, hence the need for testing and policy adjustments.
Original Report:
The rule
mount options=(rw,make-slave) -> **,
ends up allowing
mount -t proc proc /mnt
which it shouldn't as it should be restricted to commands with a make-slave flag |
|
| 2024-04-09 22:57:27 |
Brian Murray |
apparmor (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
| 2024-04-09 22:57:29 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
| 2024-04-09 22:57:33 |
Brian Murray |
tags |
aa-parser |
aa-parser verification-needed verification-needed-jammy |
|
| 2024-04-09 23:00:45 |
Brian Murray |
apparmor (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2024-04-09 23:00:50 |
Brian Murray |
tags |
aa-parser verification-needed verification-needed-jammy |
aa-parser verification-needed verification-needed-focal verification-needed-jammy |
|
| 2024-04-22 16:51:45 |
Wesley Hershberger |
bug |
|
|
added subscriber Wesley Hershberger |
| 2024-05-03 21:08:44 |
Chris Smith |
removed subscriber Chris Smith |
|
|
|
| 2024-05-03 21:09:34 |
Chris Smith |
bug |
|
|
added subscriber Chris Smith |
