This bug was fixed in the package apparmor - 2.10.95-4ubuntu2
---------------
apparmor (2.10.95-4ubuntu2) yakkety; urgency=medium
* Drop the following change now that click-apparmor has been updated:
- Continue installing aa-exec into /usr/sbin/ for now since
click-apparmor's aa-exec-click autopkgtest expects it to be there
* debian/patches/allow-stacking-tests-to-use-system.patch,
debian/patches/r3430-allow-stacking-tests-to-use-system.patch: Replace
patch with the final version that landed upstream and annotate the patch
headers accordingly
* debian/patches/r3460-ignore-file-events-with-send-or-receive-request.patch:
Prevent an aa-logprof crash by ignoring file events that contains
send or receive in the request mask. (LP: #1577051, LP: #1582374)
* debian/patches/r3463-r3475-change-profile-exec-modes.patch: Allow policy
authors to specify if the environment should scrubbed during exec
transitions allowed by a change_profile rule. (LP: #1584069)
* debian/patches/r3478-make-overlapping-safe-and-unsafe-rules-conflict.patch:
Make sure that multiple change_profile rules with overlapping safe and
unsafe exec modes conflict when they share the same exec conditional
(LP: #1588069)
* debian/patches/r3479-create-fcitx-abstractions.patch: Include fcitx and
fcitx-strict abstractions that fcitx client profiles can reuse.
* debian/control: Do a conffile move of /etc/apparmor.d/abstractions/fcitx
from the fcitx-data to apparmor by setting up the correct Breaks and
Replaces.
* debian/patches/r3480-create-mozc-abstraction.patch: Include a mozc
abstraction that mozc client profiles can reuse.
* debian/patches/r3488-r3489-fix-racy-onexec-test.patch: Fix racy regression
test so that the kernel SRU process is not interrupted by the onexec.sh
periodically failing
* debian/patches/r3490-utils-handle-change-profile-exec-modes.patch: Update
the Python utilities to handle the new exec mode keywords in
change_profile rules. (LP: #1584069)
* debian/patches/r3492-allow-dbus-user-session-path.patch: Allow read/write
access to the dbus-user-session socket file. (LP: #1604872)
-- Tyler Hicks <[email protected]> Tue, 26 Jul 2016 23:03:05 -0500
** Changed in: apparmor (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1584069
Title:
change_profile rules need a modifier to allow non-secureexec
transitions
Status in AppArmor:
Fix Committed
Status in apparmor package in Ubuntu:
Fix Released
Bug description:
As it stands today, all exec transitions triggered by a change_profile
rule cause the AT_SECURE flag in the auxiliary vector to be set due to
the kernel function apparmor_bprm_secureexec() returning 1 while
setting up the execution environment. This causes libc to always scrub
the environment variables during such an exec transition.
There should be a way to indicate, in the policy language, that
AT_SECURE should not be triggered. This would be equivalent to the
file rule type having the Px permission to trigger AT_SECURE and the
px permission to not trigger it. The file rule type even has an
'unsafe' modifier keyword that could be reused as the change_profile
modifier keyword.
Steps to show that AT_SECURE is being set:
# Build a test program to dump the AT_SECURE flag
$ cat <<EOF > print_at_secure.c
#include <stdio.h>
#include <sys/auxv.h>
int main(void)
{
printf("AT_SECURE = %lu\n", getauxval(AT_SECURE));
return 0;
}
EOF
$ gcc -o print_at_secure print_at_secure.c
# Load the test profile that allows all file accesses and any change_profile
operations
$ echo "profile test { file, change_profile, }" | sudo apparmor_parser -qr
# Run bash under the test profile
$ aa-exec -p test -- bash
# Show the AT_SECURE is not set on exec
$ ./print_at_secure
AT_SECURE = 0
# Set up an exec transition (change_profile from the test profile back to the
test profile)
$ echo "exec test" > /proc/self/attr/exec
# See that AT_SECURE is now set on exec
$ ./print_at_secure
AT_SECURE = 1
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1584069/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
