[Bug 1597017] Re: mount rules grant excessive permissions
Hello John, or anyone else affected, Accepted apparmor into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/3.0.4-2ubuntu2.4 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-jammy. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Description changed: SRU Team; the packages for focal-proposed and jammy-proposed are intended as security updates prepared by the Ubuntu Security team (and have built in a ppa with only the security pockets enabled). However, because the fix makes mount rules in apparmor policy be treated more restrictively than they were prior to this update, we would like these packages to gain more widespread testing. Risk of Regression: The update for this issue causes the apparmor parser, the tool that translates written policy into the enforcement data structures used by the kernel, to generate more strict policy for mount rules, like the example below. They are not common in apparmor policy generally, but can appear in policies written for container managers to restrict containers, and thus can potentially break container startup. The packages prepared for focal-proposed and jammy-proposed have tested with the versions of snapd, lxc, libvirt, and docker in the ubuntu - archive, but conainter managers outside of the ubunty archive may run + archive, but container managers outside of the ubuntu archive may run into issues, hence the need for testing and policy adjustments. Original Report: The rule mount options=(rw,make-slave) -> **, ends up allowing mount -t proc proc /mnt which it shouldn't as it should be restricted to commands with a make- slave flag ** Changed in: apparmor (Ubuntu Jammy) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-jammy ** Changed in: apparmor (Ubuntu Focal) Status: In Progress => Fix Committed ** Tags added: verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1597017 Title: mount rules grant excessive permissions To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1597017] Re: mount rules grant excessive permissions
It is in the SRU queue and the current ETA is April 15 to land in the proposed pocket (archive proposed not security proposed ppa), there is a caveat that the recent xz backdoor has caused some "fun" on the archive side and could potentially cause some delays. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1597017 Title: mount rules grant excessive permissions To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1597017] Re: mount rules grant excessive permissions
Hello, A gentle ping on this issue, it still shows up on jammy security report and looks like 2ubuntu2.3 here https://changelogs.ubuntu.com/changelogs/pool/main/a/apparmor/apparmor_3.0.4-2ubuntu2.3/changelog doesn't have the fix. @jjohansen can we please advise on when the fix will be backported to ubuntu 22.04? thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1597017 Title: mount rules grant excessive permissions To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1597017] Re: mount rules grant excessive permissions
** Description changed: + SRU Team; the packages for focal-proposed and jammy-proposed are + intended as security updates prepared by the Ubuntu Security team (and + have built in a ppa with only the security pockets enabled). However, + because the fix makes mount rules in apparmor policy be treated more + restrictively than they were prior to this update, we would like these + packages to gain more widespread testing. + + Risk of Regression: + + The update for this issue causes the apparmor parser, the tool that + translates written policy into the enforcement data structures used by + the kernel, to generate more strict policy for mount rules, like the + example below. They are not common in apparmor policy generally, but can + appear in policies written for container managers to restrict + containers, and thus can potentially break container startup. + + The packages prepared for focal-proposed and jammy-proposed have tested + with the versions of snapd, lxc, libvirt, and docker in the ubuntu + archive, but conainter managers outside of the ubunty archive may run + into issues, hence the need for testing and policy adjustments. + + Original Report: + The rule - mount options=(rw,make-slave) -> **, + mount options=(rw,make-slave) -> **, ends up allowing - mount -t proc proc /mnt + mount -t proc proc /mnt which it shouldn't as it should be restricted to commands with a make- slave flag -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1597017 Title: mount rules grant excessive permissions To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1597017] Re: mount rules grant excessive permissions
FYI This is now in the jammy and focal upload queues to go to -proposed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1597017 Title: mount rules grant excessive permissions To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1597017] Re: mount rules grant excessive permissions
** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Also affects: apparmor (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: apparmor (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: apparmor (Ubuntu) Status: New => Fix Released ** Changed in: apparmor (Ubuntu Focal) Status: New => In Progress ** Changed in: apparmor (Ubuntu Jammy) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1597017 Title: mount rules grant excessive permissions To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
