This bug was fixed in the package apparmor - 2.13.3-7ubuntu5.2 --------------- apparmor (2.13.3-7ubuntu5.2) focal; urgency=medium
* Add capability upstream patches to fix LP: #1964636 - u/cap1-Generate-CAPABILITIES-in-a-script-due-to-make-4.3.patch: move code that generates a list of capabilities to a script in common/ - u/cap2-parser-Move-to-a-pre-generated-cap_names.h.patch: use a pre-generated list of capabilities so that all capabilities are supported even when building against older kernels. - u/cap3-parser-cleanup-capability_table-generation-by-droppi.patch: drop sys_log static declaration because it's already in the generated list. - u/cap4-parser-unify-capability-name-handling.patch: drop internal hardcoded capability table. - u/cap5-parser-Makefile-use-LC_ALL-C-when-invoking-sed.patch: use LC_ALL=C when invoking sed. - u/cap6-parser-Add-warning-to-capability_table-about-the-nee.patch: add warning to capability_table about the need to update the Makefile. - u/cap7-Add-CAP_BPF-and-CAP_PERFMON-to-severity.db.patch: add support for cap_bpf and cap_perfmon - u/cap8-parser-Makefile-fix-generated-cap-comparison-against.patch: fix generated cap comparison against known list * Add upstream patches for abi support. LP: #1728130 - u/abi1-parser-feature-abi-setup-parser-to-intersect-policy-.patch: add the ability to intersect parser and kernel features in the parser. - u/abi2-parser-add-basic-support-for-feature-abis.patch: add support to specify a feature abi. - u/abi3-pin-abi-2.13.patch: add and pin a policy abi for 2.13 - u/abi4-parser-fix-abi-rule-and-pinned-feature-file-interact.patch: fix abi rule and pinned feature file interaction - apparmor.install: add 2.13 abi file to be installed in /etc/apparmor.d/abi/ * Add mqueue patches. LP: #1993353 - u/mqueue1-parser-add-parser-support-for-message-queue-mediatio.patch: add parser support for mqueue mediation - u/mqueue2-tests-add-posix-message-queue-regression-tests.patch: add posix mqueue regression tests - u/mqueue3-utils-add-message-queue-rules-parsing-in-python-tool.patch: add support in python tools to parse mqueue rules - u/mqueue4-parser-add-parser-simple-tests-for-mqueue-rules.patch: add parser simple tests for mqueue - u/mqueue5-parser-place-perm-on-name-as-well-as-name-label-comb.patch: add permissions on name and also on name + label - u/mqueue6-libapparmor-add-support-for-requested-and-denied-on-.patch: add parsing support for "denied" and "requested" from audit logs - u/mqueue7-libapparmor-add-support-for-class-in-logparsing.patch: add parsing support for "class" from audit logs - u/mqueue8-utils-add-logparser-support-for-mqueue.patch: add logparser support for mqueue rules - u/mqueue9-tests-add-sysv-message-queue-regression-tests.patch: add sysv mqueue regression tests - u/mqueue10-parser-enable-mqueue-rules-when-abi-is-not-set.patch: override pinned features for mqueue rules when abi is not set in policy. - debian/rules: create mqueue testcase empty files for libapparmor tests. * Closes LP: #1994146 -- Georgia Garcia <georgia.gar...@canonical.com> Mon, 10 Oct 2022 17:52:45 -0300 ** Changed in: apparmor (Ubuntu Focal) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1728130 Title: Policy needs improved feature versioning to ensure it is correctly being applied Status in apparmor package in Ubuntu: Confirmed Status in apparmor source package in Focal: Fix Released Bug description: [ Impact ] Currently allows pinning a single feature abi or running in a developer mode where the full abi available of the current kernel is enforced. However this can result in breaking applications in undesirable ways. If an application is shipped with its own policy, that policy might be different than the pinned feature abi, which can either result in denials because features the policy was not developed for are being enforced. If the feature version is not pinned then the most recent kernel abi is taken and applied to policy, which has not been updated. This can result in denials for userspace effectively breaking userspace. This is less than ideal for most users as it leads to a bad experience than they have not opted into and can lead to them disabling security protections. [ Test Plan ] The test can be done with several features. Here we are using mqueue as an example. Verify that the kernel that has mqueue mediation support: root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ] && echo "supports mqueue" supports mqueue cd /tmp pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal cd apparmor-2.13.3/tests/regression/apparmor/ USE_SYSTEM=1 make Using the parser from the mqueue-sru PPA, load the profile. echo " abi <kernel>, include <tunables/global> /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv { include <abstractions/base> /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux, } " | apparmor_parser -q -r Run the test, which should fail. ./posix_mq_rcv -c ./posix_mq_snd FAIL - could not open mq: Permission denied Now use an abi that does not have mqueue. This simulates a scenario where a policy was developed before mqueue support was added, so posix message queues should be allowed by default. echo " abi <abi/2.13>, include <tunables/global> /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv { include <abstractions/base> /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux, } " | apparmor_parser -q -r Run the test again, it should pass. ./posix_mq_rcv -c ./posix_mq_snd PASS [ Where problems could occur ] ABI pinning forces policies that don't have abi specified in their profile to use the ABI pinned in parser.conf. When the ABI is pinned and the user is trying to use mediation that is not in the pinned ABI, they might be confused why it is always being allowed. This can be circumvented by specifying the correct abi in the profile. [ Other Info ] The patches for focal (apparmor-2.13) can be found at: https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/ apparmor-3.0 already has this feature. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1728130/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp