*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: apparmor

[lucid with apparmor 2.5-0ubuntu3]

Apparently apparmor profiles get loaded too late in the boot process to
confine all processes that have a profile defined.

Either /etc/init.d/apparmor should be run earlier or the profiles should be loaded by upstart before all those services which start on local-filesystems get started.

I'd rate this problem pretty major, if not even a security problem: it gives users a false impression of security. Some stock services that have profiles defined are unprotected after boot. Also, profiles generated by the user might look fine -- but after the next reboot the protection unexpectedly is gone again.

aa-status output after boot:

System 1:
2 processes are unconfined but have a profile defined.
   /usr/sbin/smbd (1082) 
   /usr/sbin/smbd (882) 

System 2:
6 processes are unconfined but have a profile defined.
   /usr/sbin/mysqld (1015) 
   /usr/sbin/nmbd (1169) 
   /usr/sbin/nmbd (1162) 
   /usr/sbin/rsyslogd (953) 
   /usr/sbin/smbd (932) 
   /usr/sbin/smbd (1045) 

System 3:
5 processes are unconfined but have a profile defined.
   /usr/sbin/mysqld (1193) 
   /usr/sbin/rsyslogd (1164) 
   /usr/sbin/vsftpd (1163) 
   /usr/sbin/vsftpd (1161) 
   /usr/sbin/vsftpd (1162) 

Manual fix: restart those services after each boot

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
apparmor doesn't confine services started by upstart
https://bugs.launchpad.net/bugs/577445
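A post-boot check for the condition described in the report, added here as an example (it is not part of the bug report or of the apparmor package): it parses the output of aa-status, extracts the "unconfined but have a profile defined" section and lists the binaries whose services would need restarting for their profile to attach. The embedded aa-status text is a constructed sample modelled on "System 2" above; on a live machine pass `"$(aa-status)"` instead.

```shell
#!/bin/sh
# Constructed sample of aa-status output (modelled on the report's "System 2").
SAMPLE_AA_STATUS='apparmor module is loaded.
12 profiles are loaded.
12 profiles are in enforce mode.
   /usr/sbin/mysqld
   /usr/sbin/smbd
8 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (1301) 
0 processes are in complain mode.
6 processes are unconfined but have a profile defined.
   /usr/sbin/mysqld (1015) 
   /usr/sbin/nmbd (1169) 
   /usr/sbin/nmbd (1162) 
   /usr/sbin/rsyslogd (953) 
   /usr/sbin/smbd (932) 
   /usr/sbin/smbd (1045) '

# Print "path pid" for every process listed under the
# "unconfined but have a profile defined" header. aa-status text is $1.
aa_unconfined_with_profile() {
    printf '%s\n' "$1" | awk '
        /unconfined but have a profile defined/ { in_section = 1; next }
        /^[0-9]+ /  { in_section = 0; next }   # any other count header ends it
        in_section && /^[[:space:]]+\// {
            pid = $2; gsub(/[()]/, "", pid)    # "(1015)" -> "1015"
            print $1, pid
        }'
}

# Number of such processes; 0 means every profiled process is confined.
aa_unconfined_count() {
    aa_unconfined_with_profile "$1" | grep -c . || true
}

# Distinct binaries whose services must be restarted for the profile to apply.
aa_unconfined_binaries() {
    aa_unconfined_with_profile "$1" | awk '{ print $1 }' | sort -u
}
```

Running `aa_unconfined_count "$(aa-status)"` from a late boot job or a cron entry gives a simple alarm for the silent loss of confinement the report describes.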

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
