This bug was fixed in the package apparmor - 2.13.3-7ubuntu5.2

---------------
apparmor (2.13.3-7ubuntu5.2) focal; urgency=medium

  * Add capability upstream patches to fix LP: #1964636
    - u/cap1-Generate-CAPABILITIES-in-a-script-due-to-make-4.3.patch: move
    code that generates a list of capabilities to a script in common/
    - u/cap2-parser-Move-to-a-pre-generated-cap_names.h.patch: use a
    pre-generated list of capabilities so that all capabilities are
    supported even when building against older kernels.
    - u/cap3-parser-cleanup-capability_table-generation-by-droppi.patch: drop
    sys_log static declaration because it's already in the generated list.
    - u/cap4-parser-unify-capability-name-handling.patch: drop internal
    hardcoded capability table.
    - u/cap5-parser-Makefile-use-LC_ALL-C-when-invoking-sed.patch: use
    LC_ALL=C when invoking sed.
    - u/cap6-parser-Add-warning-to-capability_table-about-the-nee.patch: add
    warning to capability_table about the need to update the Makefile.
    - u/cap7-Add-CAP_BPF-and-CAP_PERFMON-to-severity.db.patch: add
    support for cap_bpf and cap_perfmon
    - u/cap8-parser-Makefile-fix-generated-cap-comparison-against.patch: fix
    generated cap comparison against known list
  * Add upstream patches for abi support. LP: #1728130
    - u/abi1-parser-feature-abi-setup-parser-to-intersect-policy-.patch: add
    the ability to intersect parser and kernel features in the parser.
    - u/abi2-parser-add-basic-support-for-feature-abis.patch: add support
    to specify a feature abi.
    - u/abi3-pin-abi-2.13.patch: add and pin a policy abi for 2.13
    - u/abi4-parser-fix-abi-rule-and-pinned-feature-file-interact.patch: fix
    abi rule and pinned feature file interaction
    - apparmor.install: add 2.13 abi file to be installed in /etc/apparmor.d/abi/
  * Add mqueue patches. LP: #1993353
    - u/mqueue1-parser-add-parser-support-for-message-queue-mediatio.patch:
    add parser support for mqueue mediation
    - u/mqueue2-tests-add-posix-message-queue-regression-tests.patch: add
    posix mqueue regression tests
    - u/mqueue3-utils-add-message-queue-rules-parsing-in-python-tool.patch:
    add support in python tools to parse mqueue rules
    - u/mqueue4-parser-add-parser-simple-tests-for-mqueue-rules.patch: add
    parser simple tests for mqueue
    - u/mqueue5-parser-place-perm-on-name-as-well-as-name-label-comb.patch:
    add permissions on name and also on name + label
    - u/mqueue6-libapparmor-add-support-for-requested-and-denied-on-.patch:
    add parsing support for "denied" and "requested" from audit logs
    - u/mqueue7-libapparmor-add-support-for-class-in-logparsing.patch: add
    parsing support for "class" from audit logs
    - u/mqueue8-utils-add-logparser-support-for-mqueue.patch: add logparser
    support for mqueue rules
    - u/mqueue9-tests-add-sysv-message-queue-regression-tests.patch: add
    sysv mqueue regression tests
    - u/mqueue10-parser-enable-mqueue-rules-when-abi-is-not-set.patch:
    override pinned features for mqueue rules when abi is not set in policy.
    - debian/rules: create mqueue testcase empty files for libapparmor tests.
  * Closes LP: #1994146

 -- Georgia Garcia <georgia.gar...@canonical.com>  Mon, 10 Oct 2022 17:52:45 -0300

** Changed in: apparmor (Ubuntu Focal)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1728130

Title:
  Policy needs improved feature versioning to ensure it is correctly
  being applied

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  Fix Released

Bug description:
  [ Impact ]

  AppArmor currently allows either pinning a single feature abi, or
  running in a developer mode where the full abi of the current kernel
  is enforced.

  However, either choice can break applications in undesirable ways.

  If an application ships with its own policy, that policy may have been
  written for a feature abi different from the pinned one, which can
  result in denials because features the policy was not developed for
  are being enforced.

  If the feature version is not pinned, the most recent kernel abi is
  applied to policy that has not been updated for it. This can result in
  denials that effectively break userspace. This is less than ideal for
  most users, as it leads to a bad experience that they have not opted
  into and can lead to them disabling security protections.

  [ Test Plan ]

  The test can be done with several features. Here we are using mqueue as an example.
  Verify that the kernel has mqueue mediation support:
  root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ] && echo "supports mqueue"
  supports mqueue

  cd /tmp
  pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
  cd apparmor-2.13.3/tests/regression/apparmor/
  USE_SYSTEM=1 make

  Using the parser from the mqueue-sru PPA, load the profile.
  echo "
  abi <kernel>,
  include <tunables/global>
  /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
    include <abstractions/base>
    /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
  }
  " | apparmor_parser -q -r

  Run the test, which should fail.
  ./posix_mq_rcv -c ./posix_mq_snd
  FAIL - could not open mq: Permission denied

  Now use an abi that does not have mqueue. This simulates a scenario
  where a policy was developed before mqueue support was added, so posix
  message queues should be allowed by default.

  echo "
  abi <abi/2.13>,
  include <tunables/global>
  /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
    include <abstractions/base>
    /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
  }
  " | apparmor_parser -q -r

  Run the test again; it should pass.
  ./posix_mq_rcv -c ./posix_mq_snd
  PASS

  [ Where problems could occur ]

  ABI pinning forces policies that don't have an abi specified in their
  profile to use the ABI pinned in parser.conf. When the ABI is pinned
  and the user is trying to use mediation that is not in the pinned ABI,
  they might be confused about why it is always being allowed. This can
  be avoided by specifying the correct abi in the profile.
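  The following is an added example, written for this page and not code
  from the bug report or the apparmor project. It applies the abi
  resolution rules the test plan and the "Where problems could occur"
  paragraph describe to predict whether posix mqueue access will be
  mediated for a given profile: `abi <kernel>,` follows the running
  kernel's feature tree, `abi <abi/2.13>,` follows that abi file (which
  predates mqueue), and a profile with no abi rule falls back to the abi
  pinned in parser.conf, except that an explicit mqueue rule re-enables
  mqueue mediation (the mqueue10 patch). The kernel features tree, the
  abi/2.13 file contents and the parser.conf text are constructed
  stand-ins; parser.conf is assumed to pin the abi with apparmor_parser's
  `--policy-features=` option, and all function names are the example's own.

```python
import os
import re
import tempfile

# Rules applied by this example (from the bug description and changelog):
#   abi <kernel>,    -> mediation follows the running kernel's feature tree
#   abi <abi/2.13>,  -> mediation follows that abi file (2.13 predates mqueue)
#   no abi rule      -> the abi pinned in parser.conf applies, except that an
#                       explicit mqueue rule re-enables mqueue (mqueue10 patch)
ABI_RULE = re.compile(r'^\s*abi\s+<([^>]+)>\s*,', re.MULTILINE)
PIN_OPTION = re.compile(r'^\s*--policy-features\s*=\s*(\S+)', re.MULTILINE)
MQUEUE_RULE = re.compile(r'^\s*mqueue\b', re.MULTILINE)

# Constructed stand-in for /etc/apparmor.d/abi/2.13: a feature dump with no
# mqueue entries (the real file is longer; only its lack of mqueue matters here).
ABI_213_STANDIN = "policy {version {1\n}\n}\nfile {mask {create read write\n}\n}\n"

# Profile body from the bug's test plan, minus the abi line.
PROFILE_BODY = """include <tunables/global>
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
  include <abstractions/base>
  /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
"""


def make_profile(abi_line=None, extra_rules=""):
    """Assemble a profile with an optional abi rule and optional extra rules."""
    head = (abi_line + "\n") if abi_line else ""
    return head + PROFILE_BODY + extra_rules + "}\n"


def profile_abi(profile_text):
    """Name inside the profile's `abi <...>,` rule, or None when unset."""
    m = ABI_RULE.search(profile_text)
    return m.group(1) if m else None


def pinned_abi(parser_conf_text):
    """Path from a `--policy-features=PATH` line in parser.conf, or None."""
    m = PIN_OPTION.search(parser_conf_text)
    return m.group(1) if m else None


def kernel_has_mqueue(features_dir):
    """Same check as the test plan, against a caller-supplied features tree."""
    return os.path.exists(os.path.join(features_dir, "ipc", "posix_mqueue"))


def abi_file_has_mqueue(path):
    """Heuristic: an abi file is a dump of the features tree, so a file that
    never mentions posix_mqueue was generated before mqueue mediation existed."""
    with open(path) as f:
        return "posix_mqueue" in f.read()


def mqueue_enforced(profile_text, parser_conf_text, features_dir, policy_dir):
    """Predict whether posix mqueue access will be mediated for this profile."""
    abi = profile_abi(profile_text)
    if abi == "kernel":
        return kernel_has_mqueue(features_dir)
    if abi is not None:
        # `abi <abi/2.13>,` is resolved relative to the policy directory.
        return abi_file_has_mqueue(os.path.join(policy_dir, abi))
    # No abi rule: an explicit mqueue rule overrides the pinned features.
    if MQUEUE_RULE.search(profile_text):
        return kernel_has_mqueue(features_dir)
    pin = pinned_abi(parser_conf_text)
    if pin is not None:
        return abi_file_has_mqueue(pin)
    return kernel_has_mqueue(features_dir)


def run_example():
    """Evaluate the test plan's scenarios against constructed fixtures."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed kernel features tree that does support mqueue.
        features_dir = os.path.join(tmp, "features")
        os.makedirs(os.path.join(features_dir, "ipc"))
        open(os.path.join(features_dir, "ipc", "posix_mqueue"), "w").close()
        # Constructed policy directory holding abi/2.13.
        policy_dir = os.path.join(tmp, "apparmor.d")
        os.makedirs(os.path.join(policy_dir, "abi"))
        abi_213 = os.path.join(policy_dir, "abi", "2.13")
        with open(abi_213, "w") as f:
            f.write(ABI_213_STANDIN)
        pinned_conf = "## parser.conf (constructed)\n--policy-features=%s\n" % abi_213
        unpinned_conf = "## parser.conf (constructed)\n"
        mq_rule = "  mqueue r type=posix /queue,\n"
        return {
            "abi <kernel>": mqueue_enforced(make_profile("abi <kernel>,"), pinned_conf, features_dir, policy_dir),
            "abi <abi/2.13>": mqueue_enforced(make_profile("abi <abi/2.13>,"), pinned_conf, features_dir, policy_dir),
            "no abi, pinned 2.13": mqueue_enforced(make_profile(), pinned_conf, features_dir, policy_dir),
            "no abi, pinned 2.13, mqueue rule": mqueue_enforced(make_profile(None, mq_rule), pinned_conf, features_dir, policy_dir),
            "no abi, unpinned": mqueue_enforced(make_profile(), unpinned_conf, features_dir, policy_dir),
        }


if __name__ == "__main__":
    for scenario, enforced in run_example().items():
        print("%-36s mqueue mediated: %s" % (scenario, enforced))
```

  The first two scenarios reproduce the FAIL and PASS runs of the test
  plan; the third is the confusing case the bug warns about (a profile
  with no abi rule silently inheriting the pinned 2.13 abi), and the
  fourth shows why adding an explicit rule, or the correct abi line,
  resolves it.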

  [ Other Info ]

  The patches for focal (apparmor-2.13) can be found at:
  https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
  apparmor-3.0 already has this feature.
