This bug was fixed in the package apparmor - 2.13.3-7ubuntu5.4
---------------
apparmor (2.13.3-7ubuntu5.4) focal-security; urgency=medium
* SECURITY UPDATE: Excessive permissions with mount rules (LP: #1597017)
-
d/p/CVE-2016-1585/parser-Fix-expansion-of-variables-in-unix-rules-addr.patch:
add calls to filter_slashes() in parser/af_unix.cc, make it external
in parser/parser.h and change it to void in parser/parser_regex.c.
-
d/p/CVE-2016-1585/parser-enable-variable-expansion-for-mount-type-and-.patch:
add variable expansion with expand_entry_variables() in
parser/mount.cc.
- d/p/CVE-2016-1585/parser-call-filter-slashes-for-mount-conditionals.patch:
add calls to filter_slashes() in parser/mount.cc.
- d/p/CVE-2016-1585/Support-rule-qualifiers-in-regression-tests.patch:
update rule qualifiers in regression tests in
tests/regression/apparmor/mkprofile.pl and
tests/regression/apparmor/capabilities.sh.
- d/p/CVE-2016-1585/Merge-Fix-mount-rules-encoding.patch: fix mount
rules encoding in parser/mount.cc, parser/mount.h, parser/parser.h
and fix multiple test cases in parser/tst/simple_tests/mount/*.
- d/p/CVE-2016-1585/Merge-expand-mount-tests.patch: expand mount
regression tests in tests/regression/apparmor/Makefile,
tests/regression/apparmor/mount.c,
tests/regression/apparmor/mount.sh and
tests/regression/apparmor/mkprofile.pl.
-
d/p/CVE-2016-1585/Merge-Issue-312-added-missing-kernel-mount-options.patch:
add missing kernel mount options flag in parser/apparmor.d.pod,
parser/mount.cc, parser/mount.h, tests/regression/apparmor/mount.sh
and parser/tst/simple_tests/mount/*.
- d/p/CVE-2016-1585/Merge-extend-test-profiles-for-mount.patch: update
test profiles in parser/tst/simple_tests/mount/*.
-
d/p/CVE-2016-1585/Merge-parser-fix-parsing-of-source-as-mount-point-fo.patch:
update gen_policy_change_mount_type() in parser/mount.cc and also
updated tests on parser/tst/simple_tests/mount/* and
tests/regression/apparmor/mount.sh.
-
d/p/CVE-2016-1585/parser-fix-rule-flag-generation-change_mount-type-ru.patch:
add device checks in gen_flag_rules() in parser/mount.cc and tests
in parser/tst/simple_tests/mount/*, parser/tst/equality.sh,
tests/regression/apparmor/mount.sh and
utils/test/test-parser-simple-tests.py.
-
d/p/CVE-2016-1585/Fix-build-failure-in-df4ed537e-allow-reading-of-etc-.patch:
remove the WARN_DEPRECATED flag in pwarn call in parser/mount.cc.
-
d/p/CVE-2016-1585/parser-Deprecation-warning-should-not-have-been-back.patch:
remove deprecation warning message in parser/mount.cc.
- CVE-2016-1585
-- Rodrigo Figueiredo Zaiden <[email protected]> Tue, 06
Mar 2024 15:40:00 -0300
** Changed in: apparmor (Ubuntu Focal)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1597017
Title:
mount rules grant excessive permissions
Status in AppArmor:
Fix Released
Status in apparmor package in Ubuntu:
Fix Released
Status in apparmor source package in Focal:
Fix Released
Status in apparmor source package in Jammy:
Fix Released
Bug description:
[Impact]
* The mount rules in apparmor grant excessive permissions.
See Original Report below.
[Test Plan]
* https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
See comment 26 for context.
[Other Info]
SRU Team; the packages for focal-proposed and jammy-proposed are
intended as security updates prepared by the Ubuntu Security team (and
have built in a ppa with only the security pockets enabled). However,
because the fix makes mount rules in apparmor policy be treated more
restrictively than they were prior to this update, we would like these
packages to gain more widespread testing.
[Risk of Regression]
The update for this issue causes the apparmor parser, the tool that
translates written policy into the enforcement data structures used by
the kernel, to generate more strict policy for mount rules, like the
example below. They are not common in apparmor policy generally, but
can appear in policies written for container managers to restrict
containers, and thus can potentially break container startup.
The packages prepared for focal-proposed and jammy-proposed have
tested with the versions of snapd, lxc, libvirt, and docker in the
ubuntu archive, but container managers outside of the ubuntu archive
may run into issues, hence the need for testing and policy
adjustments.
Original Report:
The rule
mount options=(rw,make-slave) -> **,
ends up allowing
mount -t proc proc /mnt
which it shouldn't as it should be restricted to commands with a make-
slave flag
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
