AppArmor profile transition changes required by Linux kernel fix for CVE-2019-11190
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
* As discussed in bug #1628745, the following kernel commit changes
AppArmor mediation behavior on exec transitions:
commit 9f834ec18defc36
Author: Linus Torvalds <email address hidden>
Date: Mon Aug 22 16:41:46 2016 -0700
binfmt_elf: switch to new creds when switching to new mm
* This change made its way into the Xenial kernel that's currently in
xenial-proposed (4.4.0-
* jdstrand identified a couple missing fixes that are needed from the
AppArmor tree:
d8278f51ecb3c
7a49f37c2481f
[Test Case]
For the dnsmasq change in apparmor-profiles,
1) Install libvirt-bin and apparmor-profiles
2) Install linux 4.4.0-149.175 from xenial-proposed
3) Reboot
4) Ensure that there is *NOT* an ALLOWED message like this:
$ dmesg | grep ALLOWED
apparmor="ALLOWED" operation=
Note that you can retrigger the operations that trigger this AppArmor
message by running the following command:
$ sudo virsh net-destroy default && sudo virsh net-start default
For the aa.py change in apparmor-utils,
1) Install apparmor-utils
2) Create a file named test.log containing the following denial:
[13622.935258] audit: type=1400 audit(155907199
3) Run the following command:
$ sudo aa-logprof -f test.log
4) You'll be prompted to make a decision on what to do about the
/bin/echo execute denial. Press (I)nherit.
5) Now press (V)iew Changes. Ensure that the 'm' permission is included
in the added line:
+ /bin/echo mrix,
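As an added illustration of the two checks above (not code from the bug report or from apparmor's own aa.py), the following parses type=1400 AppArmor audit lines, lists any complain-mode ALLOWED events for the dmesg check, and builds the rule an ix exec denial now needs, with 'm' included as in the expected "+ /bin/echo mrix," line. The log lines are constructed samples; the profile name and pid are assumed.

```python
import re

# Constructed sample lines (not taken from the bug): an exec denial for
# /bin/echo in a dnsmasq child profile, plus one ALLOWED (complain-mode)
# file_mmap event of the kind step 4 of the dnsmasq test expects NOT to see.
SAMPLE_LOG = [
    '[13622.935258] audit: type=1400 audit(1559071990.123:456): apparmor="DENIED" '
    'operation="exec" profile="/usr/sbin/dnsmasq//libvirt_leaseshelper" '
    'name="/bin/echo" pid=1234 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    '[13623.001122] audit: type=1400 audit(1559071990.200:457): apparmor="ALLOWED" '
    'operation="file_mmap" profile="/usr/sbin/dnsmasq//libvirt_leaseshelper" '
    'name="/bin/echo" pid=1234 comm="echo" requested_mask="m" denied_mask="m" fsuid=0 ouid=0',
]

# key=value pairs; values are either double-quoted strings or bare tokens
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    fields = {}
    for key, raw, quoted in _FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def allowed_events(lines):
    """Events logged as apparmor="ALLOWED" (complain mode). After the
    profile fix the dnsmasq test case expects this list to be empty."""
    return [e for e in map(parse_audit_line, lines) if e.get("apparmor") == "ALLOWED"]


def ix_rule(event):
    """Rule to add for an exec denial handled as an (I)nherit transition.
    With the post-CVE-2019-11190 kernel the binary is mapped under the new
    credentials, so the ix rule must also carry 'm' (hence "mrix")."""
    if event.get("operation") != "exec" or "x" not in event.get("requested_mask", ""):
        return None
    return f'{event["name"]} mrix,'


if __name__ == "__main__":
    for ev in allowed_events(SAMPLE_LOG):
        print("ALLOWED event still present:", ev["operation"], ev["name"])
    for line in SAMPLE_LOG:
        rule = ix_rule(parse_audit_line(line))
        if rule:
            print("+", rule)
```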
[Regression Potential]
The dnsmasq profile change adds permissions to the child profile.
There's really no chance of regression involved there.
The aa.py change adds the 'm' permission to the allowed permissions of a
binary on ix transitions. While there is a code change involved, it is a
small change and the resulting profile output involves no risk of
regression.
This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.11
---------------
apparmor (2.10.95-0ubuntu2.11) xenial-security; urgency=medium
  * Make dnsmasq profile and Python utility changes necessary to continue
    working correctly after the Linux kernel change to address CVE-2019-11190.
    Without these changes, some profile transitions may be unintentionally
    denied. (LP: #1830802)
    - 0001-dnsmasq-allow-libvirt_leaseshelper-m-permission-on-i.patch
    - 0001-handle_children-automatically-add-m-permissions-on-i.patch
 -- Tyler Hicks <email address hidden> Tue, 28 May 2019 21:33:21 +0000