Lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

** Changed in: linux (Ubuntu Lucid)
   Status: Triaged => Won't Fix

https://bugs.launchpad.net/bugs/692821

Title:
  apparmor aa_change_onexec doesn't work

Status in linux package in Ubuntu: Invalid
Status in linux source package in Lucid: Won't Fix
Status in linux source package in Maverick: Fix Released
Status in linux source package in Natty: Invalid

Bug description:
  libapparmor provides an aa_change_onexec(3) function which writes into the /proc/self/attr/exec file, which is managed by a loaded security module. aa_change_onexec(3) requires the AppArmor module to be loaded. (Source for this routine is in package libapparmor, src/change_hat.c.)

  The provided program and profile will demonstrate the problem.

  Save the profile into /etc/apparmor.d/test_onexec

  Load the profile with:
    sudo apparmor_parser --replace /etc/apparmor.d/test_onexec

  Compile the program with:
    gcc -o aa-change aa-change.c -lapparmor

  Run the program as follows:

    $ ./aa-change profile test_onexec 'head -1 /etc/passwd ; cat /proc/self/attr/current'
    Currently running in domain 'test_onexec (enforce)'
    sh: head: Permission denied
    test_onexec (enforce)

    $ ./aa-change exec test_onexec 'head -1 /etc/passwd ; cat /proc/self/attr/current'
    Will transition to 'test_onexec (enforce)' domain on exec()
    root:x:0:0:root:/root:/bin/bash
    unconfined

  'profile' uses aa_change_profile(3) to immediately change into the test_onexec profile. 'head' cannot execute, and 'cat' is confined with the test_onexec profile.

  'exec' uses aa_change_onexec(3) to change into the test_onexec profile at the next exec(2) call. 'head' runs (it should fail) and reads /etc/passwd (which should also fail). The 'cat' process is unconfined. Thus the aa_change_onexec(3) has failed. Output should be very similar to the 'profile' case.

    $ uname -a
    Linux haig 2.6.32-26-generic #47-Ubuntu SMP Wed Nov 17 15:58:05 UTC 2010 x86_64 GNU/Linux
    $ cat /proc/version_signature
    Ubuntu 2.6.32-26.47-generic 2.6.32.24+drm33.11

  $ dmesg will include lines like the following:

    type=1505 audit(1292894196.363:299): operation="profile_load" pid=5543 name="test_onexec"
    type=1503 audit(1292894419.381:301): operation="exec" pid=5592 parent=5590 profile="test_onexec" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/head"

  While watching dmesg output you can confirm that the 'exec' mode of the test program doesn't reject execution of /usr/bin/head, while the 'profile' mode of the test program does reject execution of /usr/bin/head.

  Feel free to close WONTFIX if fixing this is beyond the scope of LTS. (I want to save others time in the future when this issue is discovered by someone else.)
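The reporter's verification step is to watch dmesg and compare the two runs: the aa_change_profile(3) run logs an AppArmor denial for /usr/bin/head, the aa_change_onexec(3) run on the affected kernel logs none. The following is an added example, not the reporter's aa-change.c test program (which is not included in the report) and not part of libapparmor: it parses the two audit lines quoted above into fields and turns the "was the exec denied under test_onexec?" question into a check a test harness can run. The log contents for the two modes are constructed from the report (the 'exec' run is assumed to contain only the profile_load line, since nothing was denied); the function names are this example's own.

```python
import re

# Two dmesg lines copied from the bug report: the profile load, then the
# denial the kernel logs when the confined shell tries to exec /usr/bin/head.
PROFILE_LOAD_LINE = ('type=1505 audit(1292894196.363:299): operation="profile_load" '
                     'pid=5543 name="test_onexec"')
EXEC_DENIAL_LINE = ('type=1503 audit(1292894419.381:301): operation="exec" pid=5592 '
                    'parent=5590 profile="test_onexec" requested_mask="::x" '
                    'denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/head"')

# Constructed logs for the two runs of the test program:
# 'profile' mode (aa_change_profile): profile load followed by the denial.
PROFILE_MODE_LOG = [PROFILE_LOAD_LINE, EXEC_DENIAL_LINE]
# 'exec' mode (aa_change_onexec) on the affected kernel: profile load only,
# because head was never confined and therefore nothing was denied.
EXEC_MODE_LOG = [PROFILE_LOAD_LINE]

# key=value pairs; values are either double-quoted or bare tokens.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The audit(<epoch seconds>:<serial>) token that precedes the fields.
_AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_audit_line(line):
    """Turn one AppArmor audit line into a dict of its fields.

    Quoted values lose their quotes; the audit(ts:serial) token becomes the
    'timestamp' and 'serial' keys.  Lines without an audit token yield {}.
    """
    fields = {}
    m = _AUDIT_RE.search(line)
    if not m:
        return fields
    fields['timestamp'], fields['serial'] = m.group(1), m.group(2)
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def parse_log(lines):
    """Parse a sequence of dmesg lines, dropping anything that is not audit."""
    return [rec for rec in (parse_audit_line(ln) for ln in lines) if rec]


def exec_denials(records, profile, path):
    """Records in which `profile` denied execute ('x') of `path`."""
    return [r for r in records
            if r.get('operation') == 'exec'
            and r.get('profile') == profile
            and r.get('name') == path
            and 'x' in r.get('denied_mask', '')]


def onexec_check(records, profile, path):
    """'confined' if an exec denial under `profile` was logged, else 'unconfined'.

    A working aa_change_onexec(3) run must yield the same verdict as the
    aa_change_profile(3) run; 'unconfined' for the 'exec' run reproduces
    the failure described in the report.
    """
    return 'confined' if exec_denials(records, profile, path) else 'unconfined'


if __name__ == '__main__':
    for mode, log in (('profile', PROFILE_MODE_LOG), ('exec', EXEC_MODE_LOG)):
        verdict = onexec_check(parse_log(log), 'test_onexec', '/usr/bin/head')
        print(f"{mode:>7} mode: /usr/bin/head {verdict}")
```

On a live system the same check can be fed the output of `dmesg` captured around each run of the test program; a 'confined' verdict for both modes is what a fixed kernel produces, and the 'profile' run serves as the positive control that the profile itself is loaded and enforcing.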