2011-04-02 21:40:12 |
Seth Arnold |
bug |
|
|
added bug |
2011-04-02 21:40:50 |
Seth Arnold |
bug |
|
|
added subscriber John Johansen |
2011-04-02 21:41:54 |
Seth Arnold |
bug watch added |
|
mailto:apparmor@lists.ubuntu.com |
|
2011-04-02 21:41:54 |
Seth Arnold |
bug task added |
|
linux |
|
2011-04-04 23:26:27 |
John Johansen |
linux (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
2011-04-04 23:48:52 |
John Johansen |
nominated for series |
|
Ubuntu Lucid |
|
2011-04-04 23:48:52 |
John Johansen |
nominated for series |
|
Ubuntu Maverick |
|
2011-04-04 23:48:52 |
John Johansen |
nominated for series |
|
Ubuntu Natty |
|
2011-04-06 17:34:32 |
Jeremy Foshee |
bug task added |
|
linux (Ubuntu Lucid) |
|
2011-04-06 17:34:41 |
Jeremy Foshee |
bug task added |
|
linux (Ubuntu Maverick) |
|
2011-04-06 17:34:50 |
Jeremy Foshee |
bug task added |
|
linux (Ubuntu Natty) |
|
2011-04-06 17:43:34 |
John Johansen |
linux (Ubuntu Maverick): assignee |
|
John Johansen (jjohansen) |
|
2011-04-06 17:43:37 |
John Johansen |
linux (Ubuntu Lucid): assignee |
|
John Johansen (jjohansen) |
|
2011-04-06 18:10:08 |
John Johansen |
attachment added |
|
lp748656.patch https://bugs.launchpad.net/ubuntu/+source/linux/+bug/748656/+attachment/1989675/+files/lp748656.patch |
|
2011-04-07 17:35:53 |
Brian Murray |
bug |
|
|
added subscriber Jeremy Foshee |
2011-04-07 19:59:14 |
Tim Gardner |
linux (Ubuntu Natty): status |
New |
Fix Committed |
|
2011-04-07 21:17:42 |
John Johansen |
description |
Problem was discovered in both upstream kernel and in Ubuntu Natty beta kernels. The problem is a regression from Ubuntu Maverick and earlier releases.
When creating a profile for openssh-server, sshd, using the standard AppArmor profile development tools, a _partial_ profile is created and loaded correctly. When trying to iterate the development of the profile, I found that I was unable to log in to the machine via sshd, even though the AppArmor profile had flags=(complain,) at the beginning.
Removing the profile using apparmor_parser --remove /etc/apparmor.d/usr.sbin.sshd allowed the logins to succeed. Reloading the profile and restarting sshd recreates the problem.
The logfiles don't show any REJECT messages; a handful of ALLOWED messages are printed early on, but then _no_ log entries are generated.
The client quits with "broken pipe" errors. |
SRU Justification:
Impact: Can result in confined application failure with no information logged on how to fix the problem.
Fix: Do not mask the capabilities returned by capget when in complain mode; this allows the application to progress as expected and request the capabilities it will need.
Patch from upstream AppArmor, backported for Lucid and Maverick.
Testcase: Run the attached C test program as root. When run unconfined it will output a hex number corresponding to the effective caps of root. Confine the application with a profile in complain mode using aa-genprof /path/to/test/program. On a non-patched kernel it will return 0 as its capability set; on a patched kernel it will return the same capability set as the unconfined run.
Problem was discovered in both upstream kernel and in Ubuntu Natty beta kernels. The problem is a regression from Ubuntu Maverick and earlier releases.
When creating a profile for openssh-server, sshd, using the standard AppArmor profile development tools, a _partial_ profile is created and loaded correctly. When trying to iterate the development of the profile, I found that I was unable to log in to the machine via sshd, even though the AppArmor profile had flags=(complain,) at the beginning.
Removing the profile using apparmor_parser --remove /etc/apparmor.d/usr.sbin.sshd allowed the logins to succeed. Reloading the profile and restarting sshd recreates the problem.
The logfiles don't show any REJECT messages; a handful of ALLOWED messages are printed early on, but then _no_ log entries are generated.
The client quits with "broken pipe" errors. |
|
2011-04-11 03:25:12 |
Launchpad Janitor |
linux (Ubuntu Natty): status |
Fix Committed |
Fix Released |
|
2011-04-25 17:07:56 |
Tim Gardner |
bug task added |
|
linux-ti-omap4 (Ubuntu) |
|
2011-04-25 17:08:06 |
Tim Gardner |
linux-ti-omap4 (Ubuntu Lucid): status |
New |
Invalid |
|
2011-04-25 17:08:10 |
Tim Gardner |
linux-ti-omap4 (Ubuntu Maverick): status |
New |
Invalid |
|
2011-04-25 17:08:16 |
Tim Gardner |
linux-ti-omap4 (Ubuntu Natty): status |
New |
Fix Committed |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
linux-ti-omap4 (Ubuntu Natty): status |
Fix Committed |
Fix Released |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-1017 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-1020 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-1493 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-1577 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-1581 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-1598 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-1770 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-1833 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-2484 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-2492 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-2493 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-2689 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-2699 |
|
2011-09-21 06:25:35 |
Launchpad Janitor |
cve linked |
|
2011-2918 |
|
2011-09-22 04:09:30 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2011-09-22 04:09:32 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2011-10-05 21:35:42 |
Jeremy Foshee |
removed subscriber Jeremy Foshee |
|
|
|
2012-01-30 15:25:00 |
Paolo Pisati |
linux-ti-omap4 (Ubuntu): status |
Fix Committed |
Fix Released |
|
2013-08-18 17:30:00 |
Julian Wiedmann |
linux (Ubuntu Maverick): status |
New |
Invalid |
|
2015-05-27 19:34:54 |
Mathew Hodson |
linux: status |
New |
Fix Released |
|
2015-06-17 12:07:12 |
Rolf Leggewie |
linux (Ubuntu Lucid): status |
New |
Won't Fix |
|