Actual fixed versions for this issue are still sitting in focal-proposed
and jammy-proposed. However, we did a no-change rebuild ofthe current
versions in the respective updates pockets to the security pocket, so
that the version in proposed could be published first in the updates
pocket, but leaving people who experience possible issues the
opportunity for an easy downgrade path to the prior version (via apt
install apparmor/jammy-security or apparmor/focal-security as the case
may be).
** Changed in: apparmor (Ubuntu Focal)
Status: Fix Released => Fix Committed
** Changed in: apparmor (Ubuntu Jammy)
Status: Fix Released => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1597017
Title:
mount rules grant excessive permissions
Status in AppArmor:
Fix Released
Status in apparmor package in Ubuntu:
Fix Released
Status in apparmor source package in Focal:
Fix Committed
Status in apparmor source package in Jammy:
Fix Committed
Bug description:
SRU Team; the packages for focal-proposed and jammy-proposed are
intended as security updates prepared by the Ubuntu Security team (and
have built in a ppa with only the security pockets enabled). However,
because the fix makes mount rules in apparmor policy be treated more
restrictively than they were prior to this update, we would like these
packages to gain more widespread testing.
Risk of Regression:
The update for this issue causes the apparmor parser, the tool that
translates written policy into the enforcement data structures used by
the kernel, to generate more strict policy for mount rules, like the
example below. They are not common in apparmor policy generally, but
can appear in policies written for container managers to restrict
containers, and thus can potentially break container startup.
The packages prepared for focal-proposed and jammy-proposed have
tested with the versions of snapd, lxc, libvirt, and docker in the
ubuntu archive, but container managers outside of the ubuntu archive
may run into issues, hence the need for testing and policy
adjustments.
Original Report:
The rule
mount options=(rw,make-slave) -> **,
ends up allowing
mount -t proc proc /mnt
which it shouldn't as it should be restricted to commands with a make-
slave flag
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
