CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Critical | juan serven |
2.10 | Fix Released | Undecided | Unassigned |
2.11 | Fix Released | Undecided | Unassigned |
2.9 | Fix Released | Undecided | Unassigned |
apparmor (Ubuntu) | Fix Released | Critical | Tyler Hicks |
Bug Description
Restarting the apparmor init script, upstart job, or systemd service has historically unloaded every loaded profile that does not come from the well-known profile locations. In upstream AppArmor terms that means /etc/apparmor.d/, but Ubuntu adds additional locations. Because the kernel leaves a task unconfined once the profile that confined it is removed, any process confined by such a privately managed profile keeps running with no AppArmor restrictions until the profile is reloaded.
This behavior has previously caused a problem where libvirt-managed profiles would be unloaded upon "restarting AppArmor":
https:/
Stéphane Graber created this bug report after he noticed that the same behavior was causing similar problems with LXD-managed profiles.
In addition, AppArmor distro packaging may trigger an "AppArmor restart" when installing a new version of AppArmor, resulting in the same profile removal problem. This is true for the Debian/Ubuntu packaging.
The upstream AppArmor team has decided to remove this functionality from the AppArmor restart logic to prevent a similar issue happening with the next external project that needs to privately manage their own set of AppArmor profiles.
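The unload-on-restart behaviour described above can be checked directly against the kernel's own view of loaded profiles. The script below is an added example, not code from this bug report or from the AppArmor project: it snapshots /sys/kernel/security/apparmor/profiles, restarts apparmor.service the way the packaging does, and reports every profile the restart removed; it also classifies the label a container sees in /proc/self/attr/current, which is what the original report inspects. The securityfs and procfs paths and their "name (mode)" / "unconfined" line formats are real AppArmor interfaces; the function names, the --live flag and the sample profile lists are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from AppArmor itself.
# Real interfaces used: the kernel's list of loaded profiles in
# /sys/kernel/security/apparmor/profiles (one "name (mode)" line each) and the
# "unconfined" / "profile (mode)" label in /proc/<pid>/attr/current.
# Function names and the sample lists below are this example's own.

PROFILES=/sys/kernel/security/apparmor/profiles

# Given two securityfs-style profile lists (before and after a restart),
# print the profile names that were loaded before but are gone afterwards.
missing_profiles() {
    printf '%s\n' "$2" | awk -v before="$1" '
        # "lxd-c1_</var/lib/lxd> (enforce)" -> "lxd-c1_</var/lib/lxd>"
        function pname(line) { sub(/ \([a-z]+\)$/, "", line); return line }
        { after[pname($0)] = 1 }
        END {
            n = split(before, lines, "\n")
            for (i = 1; i <= n; i++) {
                p = pname(lines[i])
                if (p != "" && !(p in after)) print p
            }
        }'
}

# Classify a /proc/<pid>/attr/current label: print the profile name and
# return 0 when confined, print "unconfined" and return 1 otherwise.
confinement_of() {
    case $1 in
        unconfined*) echo unconfined; return 1 ;;
        *)           printf '%s\n' "${1% (*}"; return 0 ;;
    esac
}

# Live check (run as root): snapshot the loaded profiles, restart the service
# the way the Debian/Ubuntu postinst does, and report what the restart removed.
# On an affected AppArmor this lists every profile loaded from outside the
# well-known directories, for example the lxd-<name>_<path> profiles; after the
# upstream fix it prints nothing and returns 0.
check_restart() {
    [ -r "$PROFILES" ] || { echo "AppArmor securityfs not available" >&2; return 2; }
    before=$(cat "$PROFILES")
    systemctl restart apparmor.service || return 2
    lost=$(missing_profiles "$before" "$(cat "$PROFILES")")
    [ -z "$lost" ] && return 0
    printf '%s\n' "$lost" | sed 's/^/unloaded by restart: /' >&2
    return 1
}

# Constructed sample data mirroring the report: one distro profile plus the two
# LXD-managed ones before the upgrade, only the distro profile afterwards.
SAMPLE_BEFORE='/usr/sbin/tcpdump (enforce)
lxd-c1_</var/lib/lxd> (enforce)
lxd-c2_</var/lib/lxd> (enforce)'
SAMPLE_AFTER='/usr/sbin/tcpdump (enforce)'

if [ "${1:-}" = "--live" ]; then
    check_restart
else
    echo "Profiles the sample restart unloaded:"
    missing_profiles "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
fi
```

Run it with `--live` as root on a host with LXD or libvirt guests running; without the flag it only exercises the comparison on the embedded sample. Any name `missing_profiles` prints after a real restart belongs to a task that is now running unconfined, which is exactly the condition the core_pattern test in the original report turns into a file write on the host.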
=== Original Bug Report ===
Apparmor package upgrades unload all LXD apparmor profiles, making all LXD containers unconfined.
Example:
# Create an unprivileged and a privileged container
stgraber@
Creating c1
Starting c1
stgraber@
Creating c2
Starting c2
# Look at their apparmor profiles (expected values)
stgraber@
lxd-c1_
stgraber@
lxd-c2_
# Apply an apparmor upgrade
stgraber@
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
apparmor
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 493 kB of archives.
After this operation, 8,192 B of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://
Fetched 493 kB in 0s (34.9 MB/s)
Preconfiguring packages ...
(Reading database ... 221457 files and directories currently installed.)
Preparing to unpack .../apparmor_
Unpacking apparmor (2.11.0-2ubuntu1) over (2.10.95-
Processing triggers for ureadahead (0.100.0-19) ...
Setting up apparmor (2.11.0-2ubuntu1) ...
Installing new version of config file /etc/apparmor.
Installing new version of config file /etc/apparmor.
Installing new version of config file /etc/apparmor.
Installing new version of config file /etc/apparmor.
Installing new version of config file /etc/apparmor.
Installing new version of config file /etc/apparmor.
Installing new version of config file /etc/apparmor.
Installing new version of config file /etc/apparmor.
Installing new version of config file /etc/apparmor.
Installing new version of config file /etc/apparmor.
Installing new version of config file /etc/apparmor.
Installing new version of config file /etc/apparmor.
Installing new version of config file /etc/apparmor.
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Skipping profile in /etc/apparmor.
Skipping profile in /etc/apparmor.
Processing triggers for systemd (232-18ubuntu1) ...
Processing triggers for man-db (2.7.6.1-1) ...
# And look at the now unconfined containers
stgraber@
unconfined/
stgraber@
unconfined/
# The LXD profiles are also entirely gone
stgraber@
stgraber@
# And to confirm that apparmor is in fact gone
stgraber@
root@c2:~# mount -t proc proc /mnt
root@c2:~# echo "|/usr/bin/touch /pwned" > /mnt/sys/
root@c2:~# sleep 30&
[1] 468
root@c2:~# kill -SIGSEGV $!
root@c2:~#
[1]+ Segmentation fault (core dumped) sleep 30
root@c2:~# exit
stgraber@
-rw-rw-rw- 1 root root 0 Mar 1 03:37 /pwned
This was originally reported (though not as a security issue) here: https:/
summary changed: apparmor package upgrades unload all LXD profiles → apparmor package upgrades unload privately managed profiles
summary changed: apparmor package upgrades unload privately managed profiles → CVE-2017-6507: apparmor package upgrades unload privately managed profiles
summary changed: CVE-2017-6507: apparmor package upgrades unload privately managed profiles → CVE-2017-6507: apparmor service restarts and package upgrades unload privately managed profiles
tags: added patch
Changed in apparmor: status Fix Committed → Won't Fix
Changed in apparmor: status Won't Fix → Fix Committed
Changed in apparmor: status Fix Committed → Fix Released
Changed in apparmor: assignee Tyler Hicks (tyhicks) → juan serven (juanserven)
Subscribed the LXC security team, mostly for awareness if we get more such reports from users.