** Description changed: + SRU Team; the packages for focal-proposed and jammy-proposed are + intended as security updates prepared by the Ubuntu Security team (and + have built in a ppa with only the security pockets enabled). However, + because the fix makes mount rules in apparmor policy be treated more + restrictively than they were prior to this update, we would like these + packages to gain more widespread testing. + + Risk of Regression: + + The update for this issue causes the apparmor parser, the tool that + translates written policy into the enforcement data structures used by + the kernel, to generate more strict policy for mount rules, like the + example below. They are not common in apparmor policy generally, but can + appear in policies written for container managers to restrict + containers, and thus can potentially break container startup. + + The packages prepared for focal-proposed and jammy-proposed have tested + with the versions of snapd, lxc, libvirt, and docker in the ubuntu + archive, but conainter managers outside of the ubunty archive may run + into issues, hence the need for testing and policy adjustments. + + Original Report: + The rule - mount options=(rw,make-slave) -> **, + mount options=(rw,make-slave) -> **, ends up allowing - mount -t proc proc /mnt + mount -t proc proc /mnt which it shouldn't as it should be restricted to commands with a make- slave flag
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1597017 Title: mount rules grant excessive permissions To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
