Public bug reported: [Impact]
* As discussed in bug #1628745, the following kernel commit changes AppArmor mediation behavior on exec transitions: commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 Author: Linus Torvalds <torva...@linux-foundation.org> Date: Mon Aug 22 16:41:46 2016 -0700 binfmt_elf: switch to new creds when switching to new mm * This change made its way into the Xenial kernel that's currently in xenial-proposed (4.4.0-149.175-generic) as it fixes CVE-2019-11190. * jdstrand identified a couple missing fixes that are needed from the AppArmor tree: d8278f51ecb3c736d697fa367faf99457210a7d8 7a49f37c2481f761f8304712aa380acddfdb6303 [Test Case] TODO [Regression Potential] The dnsmasq profile change adds permissions to the child profile. There's really no change of regression involved there. The aa.py change adds the 'm' permission to the allowed permissions of a binary on ix transitions. While there is a code change involved, it is a small change and the resulting profile output involved no risk of regression. ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1830802 Title: AppArmor profile transition changes required by Linux kernel fix for CVE-2019-11190 Status in apparmor package in Ubuntu: New Bug description: [Impact] * As discussed in bug #1628745, the following kernel commit changes AppArmor mediation behavior on exec transitions: commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 Author: Linus Torvalds <torva...@linux-foundation.org> Date: Mon Aug 22 16:41:46 2016 -0700 binfmt_elf: switch to new creds when switching to new mm * This change made its way into the Xenial kernel that's currently in xenial-proposed (4.4.0-149.175-generic) as it fixes CVE-2019-11190. * jdstrand identified a couple missing fixes that are needed from the AppArmor tree: d8278f51ecb3c736d697fa367faf99457210a7d8 7a49f37c2481f761f8304712aa380acddfdb6303 [Test Case] TODO [Regression Potential] The dnsmasq profile change adds permissions to the child profile. There's really no change of regression involved there. The aa.py change adds the 'm' permission to the allowed permissions of a binary on ix transitions. While there is a code change involved, it is a small change and the resulting profile output involved no risk of regression. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1830802/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp