** Changed in: apparmor/2.10
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.11
Status: Fix Committed => Fix Released
** Changed in: apparmor/2.9
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1668892
Title:
CVE-2017-6507: apparmor service restarts and package upgrades unload
privately managed profiles
Status in AppArmor:
Fix Committed
Status in AppArmor 2.10 series:
Fix Released
Status in AppArmor 2.11 series:
Fix Released
Status in AppArmor 2.9 series:
Fix Released
Status in apparmor package in Ubuntu:
Fix Released
Bug description:
Restarting the apparmor init script, upstart job, or systemd service
has historically removed all loaded profiles unknown to the well-known
profile locations. In upstream AppArmor terms, this is
/etc/apparmor.d/ but Ubuntu also adds additional locations.
This behavior has previously caused a problem where libvirt-managed
profiles would be unloaded upon "restarting AppArmor":
https://launchpad.net/bugs/702774
Stéphane Graber created this bug report after he noticed that the same
behavior was causing similar problems with lxd-managed profiles.
In addition, AppArmor distro packaging may trigger an "AppArmor
restart" when installing a new version of AppArmor, resulting in the
same profile removal problem. This is true for the Debian/Ubuntu
packaging.
The upstream AppArmor team has decided to remove this functionality
from the AppArmor restart logic to prevent a similar issue happening
with the next external project that needs to privately manage their
own set of AppArmor profiles.
=== Original Bug Report ===
Apparmor package upgrades unload all LXD apparmor profiles, making
all LXD containers unconfined.
Example:
# Create an unprivileged and a privileged container
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch
ubuntu:16.04 c1
Creating c1
Starting c1
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch
ubuntu:16.04 c2 -c security.privileged=true
Creating c2
Starting c2
# Look at their apparmor profiles (expected values)
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info
c1 | grep Pid | sed "s/Pid: //g")/attr/current
lxd-c1_</var/lib/lxd>//&:lxd-c1_<var-lib-lxd>://unconfined (enforce)
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info
c2 | grep Pid | sed "s/Pid: //g")/attr/current
lxd-c2_</var/lib/lxd>//&:lxd-c2_<var-lib-lxd>://unconfined (enforce)
# Apply an apparmor upgrade
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
apparmor
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 493 kB of archives.
After this operation, 8,192 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://us.archive.ubuntu.com/ubuntu zesty/main amd64 apparmor amd64
2.11.0-2ubuntu1 [493 kB]
Fetched 493 kB in 0s (34.9 MB/s)
Preconfiguring packages ...
(Reading database ... 221457 files and directories currently installed.)
Preparing to unpack .../apparmor_2.11.0-2ubuntu1_amd64.deb ...
Unpacking apparmor (2.11.0-2ubuntu1) over (2.10.95-4ubuntu5.1) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up apparmor (2.11.0-2ubuntu1) ...
Installing new version of config file /etc/apparmor.d/abstractions/X ...
Installing new version of config file
/etc/apparmor.d/abstractions/authentication ...
Installing new version of config file /etc/apparmor.d/abstractions/base ...
Installing new version of config file
/etc/apparmor.d/abstractions/dbus-session-strict ...
Installing new version of config file /etc/apparmor.d/abstractions/gnome ...
Installing new version of config file
/etc/apparmor.d/abstractions/nameservice ...
Installing new version of config file /etc/apparmor.d/abstractions/php5 ...
Installing new version of config file /etc/apparmor.d/abstractions/samba ...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_certs
...
Installing new version of config file /etc/apparmor.d/abstractions/ssl_keys
...
Installing new version of config file
/etc/apparmor.d/abstractions/ubuntu-browsers ...
Installing new version of config file
/etc/apparmor.d/abstractions/ubuntu-helpers ...
Installing new version of config file /etc/apparmor.d/abstractions/user-mail
...
update-rc.d: warning: start and stop actions are no longer supported; falling
back to defaults
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Skipping profile in /etc/apparmor.d/disable: usr.sbin.sssd
Processing triggers for systemd (232-18ubuntu1) ...
Processing triggers for man-db (2.7.6.1-1) ...
# And look at the now unconfined containers
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info
c1 | grep Pid | sed "s/Pid: //g")/attr/current
unconfined//&:lxd-c1_<var-lib-lxd>://unconfined
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info
c2 | grep Pid | sed "s/Pid: //g")/attr/current
unconfined//&:lxd-c2_<var-lib-lxd>://unconfined
# The LXD profiles are also entirely gone
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls
/sys/kernel/security/apparmor/policy/profiles/ | grep lxd
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$
# And to confirm that apparmor is in fact gone
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc exec c2 bash
root@c2:~# mount -t proc proc /mnt
root@c2:~# echo "|/usr/bin/touch /pwned" > /mnt/sys/kernel/core_pattern
root@c2:~# sleep 30&
[1] 468
root@c2:~# kill -SIGSEGV $!
root@c2:~#
[1]+ Segmentation fault (core dumped) sleep 30
root@c2:~# exit
stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls -lh /pwned
-rw-rw-rw- 1 root root 0 Mar 1 03:37 /pwned
This was originally reported (though not as a security issue) here:
https://github.com/lxc/lxd/issues/2981
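The failure mode above is easy to detect after the fact: the kernel's profile list under /sys/kernel/security/apparmor/ and each task's /proc/PID/attr/current label both change when the restart drops the privately managed profiles. The following POSIX sh script is an added example, not code from the bug report, AppArmor or LXD; it snapshots the loaded profiles before and after an apparmor restart or upgrade, lists the ones that vanished, and flags tasks whose label now starts with "unconfined" (the after-state shown in the report). The "lxd-" names and label formats are taken from the report; the function names and the idea of running this from a post-upgrade hook are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the bug report, AppArmor or LXD): detect
# privately managed AppArmor profiles that disappeared across an apparmor
# service restart or package upgrade, and tasks left unconfined by it.

# Normalize the kernel profile listing read on stdin.  The securityfs
# listing has one "name (mode)" per line; drop the mode and sort so that
# two snapshots can be diffed with comm(1).
normalize_listing() {
  sed 's/ ([a-z]*)$//' | sort
}

# Take a snapshot of the currently loaded profiles.  The path is the
# securityfs location the report inspects; output is one name per line.
snapshot_profiles() {
  normalize_listing < /sys/kernel/security/apparmor/profiles
}

# Print profile names present in the "before" snapshot ($1) but missing
# from the "after" snapshot ($2).  Both must be normalize_listing output.
missing_profiles() {
  comm -23 "$1" "$2"
}

# Return 0 when a /proc/PID/attr/current label says the task is unconfined
# by the host policy.  Labels may be stacked ("host//&:ns://inner"); the
# first element is the host-namespace profile, which is the one the
# restart drops (the report shows it changing from "lxd-c1_</var/lib/lxd>"
# to "unconfined" while the namespaced tail stays the same).
label_is_unconfined() {
  label="${1% (*)}"        # strip a trailing " (enforce)" / " (complain)"
  first="${label%%//*}"    # first element of a stacked label
  [ "$first" = "unconfined" ]
}

# Check one task by PID.  Returns 0 if still confined, 1 if unconfined,
# 2 if the label could not be read (task gone, no securityfs, ...).
check_pid_confined() {
  pid="$1"
  label=$(cat "/proc/$pid/attr/current" 2>/dev/null) || return 2
  if label_is_unconfined "$label"; then
    echo "pid $pid is unconfined: $label" >&2
    return 1
  fi
  return 0
}

# Intended use (assumed, not a LXD or AppArmor facility):
#   snapshot_profiles > /run/aa-before      # before the restart/upgrade
#   ... apt upgrade / systemctl restart apparmor ...
#   snapshot_profiles > /run/aa-after
#   missing_profiles /run/aa-before /run/aa-after | grep '^lxd-'
#   check_pid_confined "$(lxc info c1 | sed -n 's/^Pid: //p')"
```

A non-empty `missing_profiles` output after an upgrade is the symptom the report describes; on a fixed AppArmor the list should be empty and `check_pid_confined` should return 0 for every container init. Restoring the profiles is up to the manager that loaded them (LXD reloads its own profiles on container restart), so the script only reports.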