** Description changed:

- When a task is confined by an apparmor profile and specifies a change to
- "unconfined" by name the transition fails even though it is allowed by
- policy. The failure can be replicated by using any of the following
- mechanisms,
+ == Precise SRU Justification ==
- self directed transitions using change_profile, change_onexec with the correct change_profile rule
- change_profile -> unconfined,
+ Applications trying to leave confinement, when they are allowed to, fail,
+ causing cascading failures. This is affecting LXC, where the system is
+ confining the container and tries to drop confinement.
- px, cx named profile transitions
- /example px -> unconfined,
+ == Fix ==
- This is particularly problematic for transitions to a new namespace.
- /example px -> :new_ns:unconfined,
+ Commit bf83208e0b7f5938f5a7f6d9dfa9960bf04692fa from the security/next queue
+ for the 3.5 kernel fixes the issue.
+
+ == Impact ==
+
+ Without this fix some uses of LXC experience failures that the user
+ must work around by disabling the apparmor profile for LXC.
+
+ == Test Case ==
+
+ Run tests from the updated apparmor regression test suite in qrt.
+
+ or manually
+
+ create a confined shell, containing the rule
+ change_profile -> **,
+ from the confined shell call
+ aa-exec -p unconfined
+ without the patch this will fail, reporting that the profile could not be found
+
+
+ When a task is confined by an apparmor profile and specifies a change to "unconfined" by name the transition fails even though it is allowed by policy. The failure can be replicated by using any of the following mechanisms,
+
+ self directed transitions using change_profile, change_onexec with the correct change_profile rule
+ change_profile -> unconfined,
+
+ px, cx named profile transitions
+ /example px -> unconfined,
+
+ This is particularly problematic for transitions to a new namespace.
+ /example px -> :new_ns:unconfined,
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/978038

Title:
  change to unconfined by name fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/linux/+bug/978038/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
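The manual test case in the description (confined shell with a "change_profile -> **," rule, then "aa-exec -p unconfined" from inside it) as a scripted reproducer. This is an added example, not part of the bug report, the kernel commit, or the qrt regression suite. It assumes a hypothetical layout of my own choosing: the confined shell is a copy of /bin/sh at /tmp/lp978038/sh with a path-attached profile, and the broad file rules in that profile are there only so the shell can exec aa-exec and read its own label; the change_profile rule is the one from the test case. The live part needs root, apparmor_parser, aa-exec and an AppArmor-enabled kernel and is skipped otherwise.

```shell
#!/bin/sh
# Added reproducer for the manual test case of LP: #978038. Example code,
# not from the bug report or the apparmor test suite.
# Assumption (hypothetical path): the confined shell is a copy of /bin/sh
# at $TEST_BIN, so the system shell itself stays unconfined.
TEST_DIR=${TEST_DIR:-/tmp/lp978038}
TEST_BIN=$TEST_DIR/sh

# Print an AppArmor profile attached to the binary at path $1. The rule
# that matters for the bug is "change_profile -> **," (from the test
# case); the file rules only let the shell run aa-exec and cat its label.
make_profile() {
    cat <<EOF
#include <tunables/global>
$1 {
  #include <abstractions/base>
  /** rwkl,
  /** mix,
  change_profile -> **,
}
EOF
}

# Return 0 if a label read from /proc/self/attr/current means the task is
# unconfined, 1 otherwise. Confined tasks report e.g.
# "/tmp/lp978038/sh (enforce)"; an empty string (aa-exec failed and
# nothing was printed) counts as not unconfined.
label_is_unconfined() {
    case "$1" in
        unconfined|"unconfined "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Load the profile, start the confined shell, and from inside it ask
# aa-exec to change to "unconfined" by name. Returns 0 when the label
# after the transition is unconfined (fixed kernel), 1 when the task is
# still confined or aa-exec failed (unfixed kernel reports that the
# profile could not be found), 2 if the profile never attached.
run_reproducer() {
    mkdir -p "$TEST_DIR"
    cp /bin/sh "$TEST_BIN"
    make_profile "$TEST_BIN" > "$TEST_DIR/profile"
    apparmor_parser -r "$TEST_DIR/profile"

    before=$("$TEST_BIN" -c 'cat /proc/self/attr/current')
    after=$("$TEST_BIN" -c 'aa-exec -p unconfined -- cat /proc/self/attr/current')

    apparmor_parser -R "$TEST_DIR/profile"
    echo "label before aa-exec: $before"
    echo "label after  aa-exec: $after"
    if label_is_unconfined "$before"; then
        echo "shell was not confined; profile did not attach" >&2
        return 2
    fi
    if label_is_unconfined "$after"; then
        echo "PASS: change to unconfined by name succeeded"
        return 0
    fi
    echo "FAIL: still confined after aa-exec -p unconfined, or aa-exec failed" >&2
    return 1
}

# Only attempt the live test as root on an AppArmor-enabled kernel with the
# userspace tools present; otherwise just leave the helpers defined.
if [ "$(id -u)" = 0 ] && command -v apparmor_parser >/dev/null 2>&1 \
   && command -v aa-exec >/dev/null 2>&1 \
   && [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = Y ]; then
    run_reproducer
else
    echo "skipping live test: need root, apparmor_parser, aa-exec and AppArmor enabled" >&2
fi
```

On a kernel without the fix the aa-exec step fails and the script reports FAIL; with the fix the second label reads "unconfined" and it reports PASS. The before/after labels are printed so a failed profile attach (return code 2) is not mistaken for the bug.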
