I am running Focal Fossa and noticed that AppArmor was vulnerable (CVE-2016-1585). My automatic upgrade attempts were not upgrading from the vulnerable version 2.13.3-7ubuntu5.3build2 to the latest version 2.13.3-7ubuntu5.4. When investigating further it is because my systems are configured to only pull updates out of the security repository, which does not include this update.
I posted a question in the general AppArmor area and it was suggested to bring this up in this specific bug thread. The thought is that the version released around this bug should be included in the security repository, not just the update repository. If this is indeed an issue, the same can be said for the jammy releases as well. Link to my question: https://answers.launchpad.net/ubuntu/+source/apparmor/+question/818906 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1597017 Title: mount rules grant excessive permissions Status in AppArmor: Fix Released Status in apparmor package in Ubuntu: Fix Released Status in apparmor source package in Focal: Fix Released Status in apparmor source package in Jammy: Fix Released Bug description: [Impact] * The mount rules in apparmor grant excessive permissions. See Original Report below. [Test Plan] * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor See comment 26 for context. [Other Info] SRU Team; the packages for focal-proposed and jammy-proposed are intended as security updates prepared by the Ubuntu Security team (and have built in a ppa with only the security pockets enabled). However, because the fix makes mount rules in apparmor policy be treated more restrictively than they were prior to this update, we would like these packages to gain more widespread testing. [Risk of Regression] The update for this issue causes the apparmor parser, the tool that translates written policy into the enforcement data structures used by the kernel, to generate more strict policy for mount rules, like the example below. They are not common in apparmor policy generally, but can appear in policies written for container managers to restrict containers, and thus can potentially break container startup. The packages prepared for focal-proposed and jammy-proposed have tested with the versions of snapd, lxc, libvirt, and docker in the ubuntu archive, but container managers outside of the ubuntu archive may run into issues, hence the need for testing and policy adjustments. Original Report: The rule mount options=(rw,make-slave) -> **, ends up allowing mount -t proc proc /mnt which it shouldn't as it should be restricted to commands with a make- slave flag To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
