** Description changed:
[Impact]
* As discussed in bug #1628745, the following kernel commit changes
- AppArmor mediation behavior on exec transitions:
+ AppArmor mediation behavior on exec transitions:
-commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
-Author: Linus Torvalds
-Date: Mon Aug 22 16:41:46 2016 -0700
+ commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
+ Author: Linus Torvalds
+ Date: Mon Aug 22 16:41:46 2016 -0700
-binfmt_elf: switch to new creds when switching to new mm
+ binfmt_elf: switch to new creds when switching to new mm
* This change made its way into the Xenial kernel that's currently in
- xenial-proposed (4.4.0-149.175-generic) as it fixes CVE-2019-11190.
+ xenial-proposed (4.4.0-149.175-generic) as it fixes CVE-2019-11190.
* jdstrand identified a couple missing fixes that are needed from the
- AppArmor tree:
+ AppArmor tree:
- d8278f51ecb3c736d697fa367faf99457210a7d8
- 7a49f37c2481f761f8304712aa380acddfdb6303
+ d8278f51ecb3c736d697fa367faf99457210a7d8
+ 7a49f37c2481f761f8304712aa380acddfdb6303
[Test Case]
- TODO
+ For the dnsmasq change in apparmor-profiles,
+
+ 1) Install libvirt-bin and apparmor-profiles
+ 2) Install linux 4.4.0-149.175 from xenial-proposed
+ 3) Reboot
+ 4) Ensure that there is *NOT* an ALLOWED message like this:
+
+ $ dmesg | grep ALLOWED
+ apparmor="ALLOWED" operation="file_mmap"
profile="/usr/sbin/dnsmasq//libvirt_leaseshelper"
name="/usr/lib/libvirt/libvirt_leaseshelper" pid=1533 comm="libvirt_leasesh"
requested_mask="m" denied_mask="m" fsuid=0 ouid=0
+
+ Note that you can retrigger the operations that trigger this AppArmor
+ message by running the following command:
+
+ $ sudo virsh net-destroy default && sudo virsh net-start default
+
+ For the aa.py change in apparmor-utils,
+
+ 1) Install apparmor-utils
+ 2) Create a file named test.log containing the following denial:
+
+ [13622.935258] audit: type=1400 audit(1559071991.542:67):
+ apparmor="DENIED" operation="exec" profile="xargs" name="/bin/echo"
+ pid=2950 comm="xargs" requested_mask="x" denied_mask="x" fsuid=1000
+ ouid=0
+
+ 3) Run the following command:
+
+ $ sudo aa-logprof -f test.log
+
+ 4) You'll be prompted to make a decision on what to do about the
+/bin/echo execute denial. Press (I)nherit.
+
+ 5) Now press (V)iew Changes. Ensure that the 'm' permission is included
+in the added line:
+
++ /bin/echo mrix,
[Regression Potential]
The dnsmasq profile change adds permissions to the child profile.
- There's really no change of regression involved there.
+ There's really no chance of regression involved there.
The aa.py change adds the 'm' permission to the allowed permissions of a
binary on ix transitions. While there is a code change involved, it is a
small change and the resulting profile output involved no risk of
regression.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1830802
Title:
AppArmor profile transition changes required by Linux kernel fix for
CVE-2019-11190
Status in apparmor package in Ubuntu:
New
Bug description:
[Impact]
* As discussed in bug #1628745, the following kernel commit changes
AppArmor mediation behavior on exec transitions:
commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
Author: Linus Torvalds
Date: Mon Aug 22 16:41:46 2016 -0700
binfmt_elf: switch to new creds when switching to new mm
* This change made its way into the Xenial kernel that's currently in
xenial-proposed (4.4.0-149.175-generic) as it fixes CVE-2019-11190.
* jdstrand identified a couple missing fixes that are needed from the
AppArmor tree:
d8278f51ecb3c736d697fa367faf99457210a7d8
7a49f37c2481f761f8304712aa380acddfdb6303
[Test Case]
For the dnsmasq change in apparmor-profiles,
1) Install libvirt-bin and apparmor-profiles
2) Install linux 4.4.0-149.175 from xenial-proposed
3) Reboot
4) Ensure that there is *NOT* an ALLOWED message like this:
$ dmesg | grep ALLOWED
apparmor="ALLOWED" operation="file_mmap"
profile="/usr/sbin/dnsmasq//libvirt_leaseshelper"
name="/usr/lib/libvirt/libvirt_leaseshelper" pid=1533 comm="libvirt_leasesh"
requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Note that you can retrigger the operations that trigger this AppArmor
message by running the following command:
$ sudo virsh net-destroy default && sudo virsh net-start default
For the aa.py change in apparmor-utils,
1) Install apparmor-utils
2) Create a file named test.log containing the following denial:
[13622.935258] audit: type=1400 audit(1559071991.542:67):
apparmor="DENIED" operation="exec" profile="xargs" name="/bin/echo"
pid=2950 comm="xargs" requested_mask="x" denied_mask="x" fsuid=1000
ouid=0
3) Run the following command:
$ sudo aa
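As an added example (not code from this bug, from aa.py or from the apparmor-utils package), the following Python parses AppArmor audit lines like the two quoted in the test case and derives the rule an aa-logprof run would need to add, applying the post-fix behaviour that an ix transition must also grant 'm' because, after commit 9f834ec18, the new image is mmap'd under the new creds. The sample log lines are constructed from the messages in this bug, and `parse_event`, `suggested_rule` and `rules_for_log` are my own helpers, not aa.py's API.

```python
import re

# Constructed sample log, modelled on the two messages quoted in this bug
# (one exec denial fed to aa-logprof, one complain-mode mmap event from dnsmasq).
SAMPLE_LOG = """\
[13622.935258] audit: type=1400 audit(1559071991.542:67): apparmor="DENIED" operation="exec" profile="xargs" name="/bin/echo" pid=2950 comm="xargs" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[13650.000000] audit: type=1400 audit(1559072020.000:68): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/dnsmasq//libvirt_leaseshelper" name="/usr/lib/libvirt/libvirt_leaseshelper" pid=1533 comm="libvirt_leasesh" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
not an apparmor line
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
PERM_ORDER = "mrwalk"  # order used when rendering file permissions (exec mode is appended last)


def parse_event(line):
    """Return the key="value" fields of one AppArmor audit line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("apparmor") not in ("DENIED", "ALLOWED") or "name" not in fields:
        return None
    return fields


def suggested_rule(event, exec_mode="ix"):
    """Rule text to add for this event, with the post-fix handling of ix transitions.

    After commit 9f834ec18 the new binary is mmap'd under the new creds, so an ix
    transition (same profile keeps running) must grant 'm' as well as 'r' on the
    target; that is the aa.py change in this bug. Non-exec events simply turn their
    denied mask into a rule, e.g. the dnsmasq child profile's file_mmap event."""
    perms = set(event["denied_mask"])
    mode = ""
    if event["operation"] == "exec" and "x" in perms:
        perms.discard("x")
        mode = exec_mode
        if exec_mode == "ix":
            perms.update("mr")
    body = "".join(p for p in PERM_ORDER if p in perms) + mode
    return f"{event['name']} {body},"


def rules_for_log(text):
    """Map each profile named in the log to the sorted list of rules its events call for."""
    out = {}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is not None:
            out.setdefault(ev["profile"], set()).add(suggested_rule(ev))
    return {profile: sorted(rules) for profile, rules in out.items()}


if __name__ == "__main__":
    for profile, rules in rules_for_log(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in rules:
            print(f"  + {rule}")
```

Running it prints `+ /bin/echo mrix,` for the xargs profile, matching step 5 of the test case, and `+ /usr/lib/libvirt/libvirt_leaseshelper m,` for the dnsmasq child profile.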