AppArmor

pivot_root audit modifier ignored when oldroot and newroot specified

Bug #1432045 reported by Tyler Hicks on 2015-03-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	Fix Released	Low	Unassigned	AppArmor 2.9.2
	apparmor (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

$ echo "/t { pivot_root oldroot=/ /a, }" | apparmor_parser -qS | md5sum
422b222b6608dff7aca3420062aad3db -
$ echo "/t { audit pivot_root oldroot=/ /a, }" | apparmor_parser -qS | md5sum
422b222b6608dff7aca3420062aad3db -
$ echo "/t { audit deny pivot_root oldroot=/ /a, }" | apparmor_parser -qS | md5sum
9e598c327781b16acdab2d3e939279ec -

Note that the audit modifier doesn't change the binary policy file but the audit deny modifier does.

Also, the binary policy file changes as expected on "audit pivot_root," and "audit pivot_root oldroot=/,". That is, this bug only seems to happen when oldroot and newroot are both specified.

See original description

Related branches

lp://staging/ubuntu/vivid-proposed/apparmor

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2015-03-13:

Automated tests for this bug can be found here:

https://lists.ubuntu.com/archives/apparmor/2015-March/007412.html

Tyler Hicks (tyhicks) on 2015-03-13

description:

updated

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-03-30:

This bug was fixed in the package apparmor - 2.9.1-0ubuntu8

---------------
apparmor (2.9.1-0ubuntu8) vivid; urgency=medium

  [ Steve Beattie ]
  * debian/rules: run make check on the libapparmor library
  * add-chromium-browser.patch: add support for chromium policies
    (LP: #1419294)
  * debian/apparmor.{init,upstart}: add support for triggering
    aa-profile-hook runs when packages are updated via snappy system
    image updates (LP: #1434143)
  * parser-fix_modifier_compilation_+_tests.patch: fix compilation
    of audit modifiers for exec and pivot_root and deny modifiers on
    link rules as well as significantly expand related tests
    (LP: #1431717, LP: #1432045, LP: #1433829)
  * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work
    around pivot_root test failures due to init=systemd (LP: #1436109)
  * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority
    file to X abstraction (LP: #1432126)

  [ Jamie Strandboge ]
  * easyprof-framework-policy.patch: add --include-templates-dir and
    --include-policy-groups-dir options to easyprof to support framework
    policy on snappy

  [ Robie Basak ]
  * Add /lib/apparmor/profile-load; moved from
    /lib/init/apparmor-profile-load from the upstart package. A wrapper at
    the original path is now provided by init-system-helpers. (LP: #1432683)
-- Jamie Strandboge <email address hidden> Sat, 28 Mar 2015 07:22:30 -0500

Changed in apparmor (Ubuntu):
status:	New → Fix Released

Revision history for this message

Steve Beattie (sbeattie) wrote on 2015-04-01:

A fix was committed for this in AppArmor upstream in trunk revision 2901 and on the 2.9 branch in revision 2870.

Changed in apparmor:
status:	Confirmed → Fix Committed
milestone:	none → 2.9.2

Steve Beattie (sbeattie) on 2015-04-24

Changed in apparmor:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.