change to unconfined by name fails
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Linux | Invalid | Medium | |
apparmor (Ubuntu) | Fix Released | Undecided | John Johansen |
Precise | Fix Released | Undecided | John Johansen |
Quantal | Fix Released | Undecided | John Johansen |
linux (Ubuntu) | Fix Released | Undecided | John Johansen |
Precise | Fix Released | Undecided | John Johansen |
Quantal | Fix Released | Undecided | John Johansen |
Bug Description
== Precise SRU Justification ==
Applications trying to leave confinement when policy allows them to fail, causing cascading failures. This affects LXC, where the system confines the container and then tries to drop confinement.
== Fix ==
Commit bf83208e0b7f593
== Impact ==
Without this fix some uses of LXC experience failures that the user must work around by disabling the apparmor profile for LXC.
== Test Case ==
Run the tests from the updated apparmor regression test suite in qrt,
or manually:
1. Create a confined shell whose profile contains the rule
   change_profile -> **,
2. From the confined shell call
   aa-exec -p unconfined
Without the patch this fails, reporting that the profile could not be found.
When a task is confined by an apparmor profile and specifies a change to "unconfined" by name, the transition fails even though it is allowed by policy. The failure can be replicated with any of the following mechanisms:
- self-directed transitions using change_profile or change_onexec, with the corresponding change_profile rule
  change_profile -> unconfined,
- px and cx named profile transitions
  /example px -> unconfined,
This is particularly problematic for transitions to a new namespace:
  /example px -> :new_ns:unconfined,
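The manual test case above can be scripted so the check is repeatable after a kernel or apparmor update. The script below is an added example, not part of the bug report or of the apparmor project: it renders a small profile carrying the `change_profile -> **,` rule from the test case, confines a shell under it with aa-exec, and from inside asks for the transition to "unconfined" by name, then classifies what the task reports about its own label in /proc/self/attr/current. The profile name, the profile path, the generous file rules (there so that only the change_profile rule is under test) and the helper names are this example's own assumptions; the aa-exec invocation with -p and the use of apparmor_parser -r/-R are standard apparmor usage.

```shell
#!/bin/sh
# Added example (not from the bug report): script the manual test case.
# Requires root and a running AppArmor when invoked with --run; the helper
# functions themselves are pure and can be exercised without either.

PROFILE_NAME="lp_unconfined_by_name_check"      # assumption: arbitrary test name
PROFILE_FILE="/etc/apparmor.d/${PROFILE_NAME}"   # assumption: standard policy dir

# Emit the policy text for profile "$1". File rules are deliberately broad so
# that the nested shell and aa-exec can run; the rule under test is the
# change_profile line taken from this page's test case.
render_profile() {
    cat <<EOF
#include <tunables/global>

profile $1 {
  #include <abstractions/base>
  #include <abstractions/perl>

  /{usr/,}bin/** ixr,
  /usr/sbin/** ixr,
  /proc/*/attr/{current,exec} rw,

  # Rule from the bug's test case: any named profile, including the special
  # name "unconfined", is a permitted transition target.
  change_profile -> **,
}
EOF
}

# Interpret the label the confined task read from /proc/self/attr/current.
#   $1: the text the task printed   $2: the test profile's name
# "unconfined" means the by-name transition worked; "<name> (enforce)" means
# the task is still confined; anything else (an aa-exec error such as the
# "profile could not be found" report on this page, or no output) is the
# failure the bug describes.
classify() {
    case "$1" in
        unconfined)      echo "ok: transition to unconfined by name succeeded" ;;
        "$2 (enforce)")  echo "fail: task is still confined by $2" ;;
        *)               echo "fail: transition refused or aa-exec errored (${1:-no output})" ;;
    esac
}

# Load the test profile, run the nested aa-exec check, unload it again.
run_check() {
    render_profile "$PROFILE_NAME" > "$PROFILE_FILE"
    apparmor_parser -r "$PROFILE_FILE"          # load (or replace) the test profile
    # Outer aa-exec confines a shell under the test profile; the inner one,
    # now confined, requests "unconfined" by name and then prints the label
    # the kernel reports for the resulting task.
    result=$(aa-exec -p "$PROFILE_NAME" -- sh -c \
        'aa-exec -p unconfined -- cat /proc/self/attr/current' 2>&1)
    classify "$result" "$PROFILE_NAME"
    apparmor_parser -R "$PROFILE_FILE"          # unload the test profile
    rm -f "$PROFILE_FILE"
}

# Only touch the running system when explicitly asked.
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Run it as `sh check.sh --run` on the system under test; a kernel without the fix yields the "fail: transition refused" line, a fixed one prints "ok". If the profile needs extra file rules on a particular release, load it with `flags=(complain)` first and read the denials from the audit log before returning to enforce mode, so that the verdict reflects the change_profile rule and not an unrelated file denial.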
Changed in apparmor (Ubuntu): assignee: nobody → John Johansen (jjohansen)
Changed in linux: importance: Undecided → Medium
Changed in linux: status: New → Invalid
Changed in linux (Ubuntu): status: New → In Progress
Changed in linux (Ubuntu Precise): status: New → In Progress
Changed in apparmor (Ubuntu Precise): status: New → Fix Released; assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu Precise): assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu Quantal): assignee: nobody → John Johansen (jjohansen)
description: updated
Changed in linux (Ubuntu Precise): status: In Progress → Fix Committed
Changed in linux (Ubuntu Quantal): status: In Progress → Fix Committed
tags: added: verification-done-precise removed: verification-needed-precise
This bug was fixed in the package apparmor - 2.7.102-0ubuntu3
---------------
apparmor (2.7.102-0ubuntu3) precise; urgency=low

  [ Jamie Strandboge ]
  * debian/patches/0007-ubuntu-manpage-updates.patch: update apparmor(5)
    to describe Ubuntu's two-stage policy load and how to add utilize it
    when developing policy (LP: #974089)

  [ Serge Hallyn ]
  * debian/apparmor.init: do nothing in a container. This can be
    removed once stacked profiles are supported and used by lxc.
    (LP: #978297)

  [ Steve Beattie ]
  * debian/patches/0008-apparmor-lp963756.patch: Fix permission mapping
    for change_profile onexec (LP: #963756)
  * debian/patches/0009-apparmor-lp959560-part1.patch,
    debian/patches/0010-apparmor-lp959560-part2.patch: Update the parser
    to support the 'in' keyword for value lists, and make mount
    operations aware of 'in' keyword so they can affect the flags build
    list (LP: #959560)
  * debian/patches/0011-apparmor-lp872446.patch: fix logprof missing
    exec events in complain mode (LP: #872446)
  * debian/patches/0012-apparmor-lp978584.patch: allow inet6 access in
    dovecot imap-login profile (LP: #978584)
  * debian/patches/0013-apparmor-lp800826.patch: fix libapparmor
    log parsing library from dropping apparmor network events that
    contain ip addresses or ports in them (LP: #800826)
  * debian/patches/0014-apparmor-lp979095.patch: document new mount rule
    syntax and usage in apparmor.d(5) manpage (LP: #979095)
  * debian/patches/0015-apparmor-lp963756.patch: Fix change_onexec
    for profiles without attachment specification (LP: #963756,
    LP: #978038)
  * debian/patches/0016-apparmor-lp968956.patch: Fix protocol error when
    loading policy to kernels without compat patches (LP: #968956)
  * debian/patches/0017-apparmor-lp979135.patch: Fix change_profile to
    grant access to /proc/attr api (LP: #979135)

 -- Steve Beattie <email address hidden>  Thu, 12 Apr 2012 06:17:42 -0500