** Description changed:

  [Impact]
  
  * As discussed in bug #1628745, the following kernel commit changes
-   AppArmor mediation behavior on exec transitions:
+   AppArmor mediation behavior on exec transitions:
  
-    commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
-    Author: Linus Torvalds <torva...@linux-foundation.org>
-    Date: Mon Aug 22 16:41:46 2016 -0700
+    commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
+    Author: Linus Torvalds <torva...@linux-foundation.org>
+    Date: Mon Aug 22 16:41:46 2016 -0700
  
-        binfmt_elf: switch to new creds when switching to new mm
+        binfmt_elf: switch to new creds when switching to new mm
  
  * This change made its way into the Xenial kernel that's currently in
-   xenial-proposed (4.4.0-149.175-generic) as it fixes CVE-2019-11190.
+   xenial-proposed (4.4.0-149.175-generic) as it fixes CVE-2019-11190.
  
  * jdstrand identified a couple missing fixes that are needed from the
-   AppArmor tree:
+   AppArmor tree:
  
-   d8278f51ecb3c736d697fa367faf99457210a7d8
-   7a49f37c2481f761f8304712aa380acddfdb6303
+   d8278f51ecb3c736d697fa367faf99457210a7d8
+   7a49f37c2481f761f8304712aa380acddfdb6303
  
  [Test Case]
  
- TODO
+ For the dnsmasq change in apparmor-profiles,
+ 
+ 1) Install libvirt-bin and apparmor-profiles
+ 2) Install linux 4.4.0-149.175 from xenial-proposed
+ 3) Reboot
+ 4) Ensure that there is *NOT* an ALLOWED message like this:
+ 
+  $ dmesg | grep ALLOWED
+  apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/dnsmasq//libvirt_leaseshelper" 
name="/usr/lib/libvirt/libvirt_leaseshelper" pid=1533 comm="libvirt_leasesh" 
requested_mask="m" denied_mask="m" fsuid=0 ouid=0
+ 
+ Note that you can retrigger the operations that trigger this AppArmor
+ message by running the following command:
+ 
+  $ sudo virsh net-destroy default && sudo virsh net-start default
+ 
+ For the aa.py change in apparmor-utils,
+ 
+ 1) Install apparmor-utils
+ 2) Create a file named test.log containing the following denial:
+ 
+ [13622.935258] audit: type=1400 audit(1559071991.542:67):
+ apparmor="DENIED" operation="exec" profile="xargs" name="/bin/echo"
+ pid=2950 comm="xargs" requested_mask="x" denied_mask="x" fsuid=1000
+ ouid=0
+ 
+ 3) Run the following command:
+ 
+  $ sudo aa-logprof -f test.log
+ 
+ 4) You'll be prompted to make a decision on what to do about the
+    /bin/echo execute denial. Press (I)nherit.
+ 
+ 5) Now press (V)iew Changes. Ensure that the 'm' permission is included 
+    in the added line:
+  
+    +  /bin/echo mrix,
  
  [Regression Potential]
  
  The dnsmasq profile change adds permissions to the child profile.
- There's really no change of regression involved there.
+ There's really no chance of regression involved there.
  
  The aa.py change adds the 'm' permission to the allowed permissions of a
  binary on ix transitions. While there is a code change involved, it is a
  small change and the resulting profile output involved no risk of
  regression.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1830802

Title:
  AppArmor profile transition changes required by Linux kernel fix for
  CVE-2019-11190

Status in apparmor package in Ubuntu:
  New

Bug description:
  [Impact]

  * As discussed in bug #1628745, the following kernel commit changes
    AppArmor mediation behavior on exec transitions:

     commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
     Author: Linus Torvalds <torva...@linux-foundation.org>
     Date: Mon Aug 22 16:41:46 2016 -0700

         binfmt_elf: switch to new creds when switching to new mm

  * This change made its way into the Xenial kernel that's currently in
    xenial-proposed (4.4.0-149.175-generic) as it fixes CVE-2019-11190.

  * jdstrand identified a couple missing fixes that are needed from the
    AppArmor tree:

    d8278f51ecb3c736d697fa367faf99457210a7d8
    7a49f37c2481f761f8304712aa380acddfdb6303

  [Test Case]

  For the dnsmasq change in apparmor-profiles,

  1) Install libvirt-bin and apparmor-profiles
  2) Install linux 4.4.0-149.175 from xenial-proposed
  3) Reboot
  4) Ensure that there is *NOT* an ALLOWED message like this:

   $ dmesg | grep ALLOWED
   apparmor="ALLOWED" operation="file_mmap" 
profile="/usr/sbin/dnsmasq//libvirt_leaseshelper" 
name="/usr/lib/libvirt/libvirt_leaseshelper" pid=1533 comm="libvirt_leasesh" 
requested_mask="m" denied_mask="m" fsuid=0 ouid=0

  Note that you can retrigger the operations that produce this AppArmor
  message by running the following command:

   $ sudo virsh net-destroy default && sudo virsh net-start default

  For the aa.py change in apparmor-utils,

  1) Install apparmor-utils
  2) Create a file named test.log containing the following denial:

  [13622.935258] audit: type=1400 audit(1559071991.542:67):
  apparmor="DENIED" operation="exec" profile="xargs" name="/bin/echo"
  pid=2950 comm="xargs" requested_mask="x" denied_mask="x" fsuid=1000
  ouid=0

  3) Run the following command:

   $ sudo aa-logprof -f test.log

  4) You'll be prompted to make a decision on what to do about the
     /bin/echo execute denial. Press (I)nherit.

  5) Now press (V)iew Changes. Ensure that the 'm' permission is included 
     in the added line:
   
     +  /bin/echo mrix,

  [Regression Potential]

  The dnsmasq profile change adds permissions to the child profile.
  There's really no chance of regression involved there.

  The aa.py change adds the 'm' permission to the allowed permissions of a
  binary on ix transitions. While there is a code change involved, it is a
  small change and the resulting profile output involves no risk of
  regression.
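  The two checks above (the dmesg grep for an ALLOWED file_mmap event, and
  the 'm' that aa-logprof must now add on an inherit exec transition) as an
  added, self-contained example; this is not code from apparmor-utils or the
  aa.py change itself, and the two sample log lines are constructed copies of
  the messages quoted in this report.

```python
import shlex

# Constructed sample lines, modelled on the two messages quoted in the bug.
SAMPLE_ALLOWED = ('apparmor="ALLOWED" operation="file_mmap" '
                  'profile="/usr/sbin/dnsmasq//libvirt_leaseshelper" '
                  'name="/usr/lib/libvirt/libvirt_leaseshelper" pid=1533 '
                  'comm="libvirt_leasesh" requested_mask="m" denied_mask="m" '
                  'fsuid=0 ouid=0')
SAMPLE_DENIED = ('[13622.935258] audit: type=1400 audit(1559071991.542:67): '
                 'apparmor="DENIED" operation="exec" profile="xargs" '
                 'name="/bin/echo" pid=2950 comm="xargs" requested_mask="x" '
                 'denied_mask="x" fsuid=1000 ouid=0')


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit message as a dict,
    or None when the line carries no AppArmor message at all."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    # shlex handles the double-quoted values (paths, comm) for us.
    for token in shlex.split(line[line.index('apparmor='):]):
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    return fields


def allowed_mmap_events(dmesg_lines):
    """Step 4 of the dnsmasq test case: the complain-mode ALLOWED file_mmap
    events in a dmesg dump. The profile fix is in place when this is empty."""
    events = [parse_apparmor_line(l) for l in dmesg_lines]
    return [e for e in events if e and e.get('apparmor') == 'ALLOWED'
            and e.get('operation') == 'file_mmap']


def inherit_exec_rule(denial, with_mmap=True):
    """Build the rule an (I)nherit answer yields for an exec denial.
    After the kernel change the mmap of the new binary is mediated under
    the new credentials, so the rule needs 'm' next to 'r' and 'ix';
    with_mmap=False reproduces the pre-fix 'rix' output for comparison."""
    if denial.get('operation') != 'exec':
        raise ValueError('not an exec denial: %r' % denial)
    perms = 'mr' if with_mmap else 'r'
    return '%s %six,' % (denial['name'], perms)
```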
