mount rules grant excessive permissions
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
AppArmor |
Fix Released
|
Undecided
|
Unassigned | ||
apparmor (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Committed
|
Undecided
|
Unassigned | ||
Jammy |
Fix Committed
|
Undecided
|
Unassigned |
Bug Description
SRU Team; the packages for focal-proposed and jammy-proposed are intended as security updates prepared by the Ubuntu Security team (and have built in a ppa with only the security pockets enabled). However, because the fix makes mount rules in apparmor policy be treated more restrictively than they were prior to this update, we would like these packages to gain more widespread testing.
Risk of Regression:
The update for this issue causes the apparmor parser, the tool that translates written policy into the enforcement data structures used by the kernel, to generate more strict policy for mount rules, like the example below. They are not common in apparmor policy generally, but can appear in policies written for container managers to restrict containers, and thus can potentially break container startup.
The packages prepared for focal-proposed and jammy-proposed have tested with the versions of snapd, lxc, libvirt, and docker in the ubuntu archive, but container managers outside of the ubuntu archive may run into issues, hence the need for testing and policy adjustments.
Original Report:
The rule
mount options=
ends up allowing
mount -t proc proc /mnt
which it shouldn't as it should be restricted to commands with a make-slave flag
CVE References
tags: | added: aa-parser |
Changed in apparmor (Ubuntu): | |
status: | New → Fix Released |
Changed in apparmor (Ubuntu Focal): | |
status: | New → In Progress |
Changed in apparmor (Ubuntu Jammy): | |
status: | New → In Progress |
description: | updated |
The parser is generating 2 match rules in the dfa off of the one text rule, they are the equivalent of (rw,make- slave) -> **,
mount options=
mount options=rw,
this is due to how the parser is trying to share rule generation for generic rules that don't specify a flag, and rules that specify them. When flags aren't specified multiple rule sets may need to be generated but only one matching the flags should when the flags are specified.