The full list of profiles updated by the patch:
profiles/apparmor.d/Xorg (complain)
profiles/apparmor.d/alsamixer
profiles/apparmor.d/babeld
profiles/apparmor.d/bfdd
profiles/apparmor.d/bgpd
profiles/apparmor.d/bin.ping (apparmor-profiles)
profiles/apparmor.d/eigrpd
profiles/apparmor.d/fabricd
profiles/apparmor.d/isisd
profiles/apparmor.d/nhrpd
profiles/apparmor.d/ospf6d
profiles/apparmor.d/ospfd
profiles/apparmor.d/pathd
profiles/apparmor.d/pbrd
profiles/apparmor.d/pim6d
profiles/apparmor.d/pimd
profiles/apparmor.d/ripd
profiles/apparmor.d/ripngd
profiles/apparmor.d/staticd
profiles/apparmor.d/tnftp
profiles/apparmor.d/transmission (complain)
profiles/apparmor.d/vrrpd
profiles/apparmor.d/wpa_supplicant (apparmor-profiles, disabled by default)
profiles/apparmor.d/zgrep (apparmor-profiles, disabled by default)
profiles/apparmor.d/znc
(profiles below were already disabled by default)
profiles/apparmor/profiles/extras/firefox
profiles/apparmor/profiles/extras/firefox.sh
profiles/apparmor/profiles/extras/usr.bin.acroread
profiles/apparmor/profiles/extras/usr.bin.svnserve
profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay
profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10
profiles/apparmor/profiles/extras/usr.sbin.in.fingerd
profiles/apparmor/profiles/extras/usr.sbin.oidentd
Selected binaries to test: alsamixer, ping, tnftp, znc
`sudo apt install tnftp znc` to install tnftp and znc
$ apt policy apparmor
apparmor:
  Installed: 4.1.0~beta5-0ubuntu14.1
  Candidate: 4.1.0~beta5-0ubuntu14.1
  Version table:
 *** 4.1.0~beta5-0ubuntu14.1 100
        100 http://archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.1.0~beta5-0ubuntu14 500
        500 http://archive.ubuntu.com/ubuntu plucky/main amd64 Packages
$ apt policy apparmor-profiles
apparmor-profiles:
  Installed: 4.1.0~beta5-0ubuntu14.1
  Candidate: 4.1.0~beta5-0ubuntu14.1
  Version table:
 *** 4.1.0~beta5-0ubuntu14.1 100
        100 http://archive.ubuntu.com/ubuntu plucky-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     4.1.0~beta5-0ubuntu14 500
        500 http://archive.ubuntu.com/ubuntu plucky/main amd64 Packages
Preparation: created and loaded the allow_all profile and spawned `dmesg -W` in
a separate window to watch for apparmor logs
`aa-exec -p allow_all -- sh -c 'alsamixer'` ran successfully and generated
audit log
audit: type=1400 audit(1756943905.511:431): apparmor="AUDIT" operation="exec"
class="file" profile="allow_all" name="/usr/bin/alsamixer" pid=5032 comm="sh"
requested_mask="x" fsuid=1000 ouid=0 target="alsamixer"
`aa-exec -p allow_all -- sh -c 'ping localhost'` ran successfully and generated
audit log
audit: type=1400 audit(1756944277.746:434): apparmor="AUDIT" operation="exec"
class="file" profile="allow_all" name="/usr/bin/ping" pid=5090 comm="sh"
requested_mask="x" fsuid=1000 ouid=0 target="ping"
`aa-exec -p allow_all -- sh -c 'tnftp -?'` ran successfully and generated audit
log
audit: type=1400 audit(1756944332.611:436): apparmor="AUDIT" operation="exec"
class="file" profile="allow_all" name="/usr/bin/tnftp" pid=5108 comm="sh"
requested_mask="x" fsuid=1000 ouid=0 target="tnftp"
`aa-exec -p allow_all -- sh -c 'znc --help'` ran successfully and generated
audit log
audit: type=1400 audit(1756944404.442:438): apparmor="AUDIT" operation="exec"
class="file" profile="allow_all" name="/usr/bin/znc" pid=5488 comm="sh"
requested_mask="x" fsuid=1000 ouid=0 target="znc"
Test plan verification successful
** Tags removed: verification-needed verification-needed-plucky
** Tags added: verification-done verification-done-plucky
--
https://bugs.launchpad.net/bugs/2110628
Title:
apparmor profiles need mr permissions on their own binaries for
execution from a confined context
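Added example (not part of the original bug comment and not AppArmor project code): a Python check that applies the test plan above to kernel log text, reporting for each selected binary whether an AUDIT exec record from the allow_all profile was seen and whether any DENIED record names that binary. The function names, the status strings and the DENIED sample line are assumptions constructed for illustration.

```python
import re

# Audit records from the report above, each rejoined onto one line.
REPORT_LOG = """\
audit: type=1400 audit(1756943905.511:431): apparmor="AUDIT" operation="exec" class="file" profile="allow_all" name="/usr/bin/alsamixer" pid=5032 comm="sh" requested_mask="x" fsuid=1000 ouid=0 target="alsamixer"
audit: type=1400 audit(1756944277.746:434): apparmor="AUDIT" operation="exec" class="file" profile="allow_all" name="/usr/bin/ping" pid=5090 comm="sh" requested_mask="x" fsuid=1000 ouid=0 target="ping"
audit: type=1400 audit(1756944332.611:436): apparmor="AUDIT" operation="exec" class="file" profile="allow_all" name="/usr/bin/tnftp" pid=5108 comm="sh" requested_mask="x" fsuid=1000 ouid=0 target="tnftp"
audit: type=1400 audit(1756944404.442:438): apparmor="AUDIT" operation="exec" class="file" profile="allow_all" name="/usr/bin/znc" pid=5488 comm="sh" requested_mask="x" fsuid=1000 ouid=0 target="znc"
"""

# Constructed line, NOT from the report: an assumed shape for a denial that a
# failing run could log when a profile cannot read its own binary.
CONSTRUCTED_DENIAL = (
    'audit: type=1400 audit(0.000:1): apparmor="DENIED" operation="open" '
    'class="file" profile="znc" name="/usr/bin/znc" pid=1 comm="znc" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0\n'
)

BINARIES = ["/usr/bin/alsamixer", "/usr/bin/ping", "/usr/bin/tnftp", "/usr/bin/znc"]

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if "apparmor" in fields else None


def verify(log, binaries, launcher="allow_all"):
    """Map each binary path to 'ok', 'denied' or 'missing'."""
    status = {path: "missing" for path in binaries}
    for line in log.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("name") not in status:
            continue
        path = rec["name"]
        if rec["apparmor"] == "DENIED":
            status[path] = "denied"  # a denial always fails the check
        elif (status[path] == "missing" and rec["apparmor"] == "AUDIT"
              and rec.get("operation") == "exec"
              and rec.get("profile") == launcher
              and "x" in rec.get("requested_mask", "")):
            status[path] = "ok"
    return status


if __name__ == "__main__":
    for path, state in verify(REPORT_LOG, BINARIES).items():
        print(f"{path}: {state}")
```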