| 2010-08-24 16:12:36 |
Steve Beattie |
bug |
|
|
added bug |
| 2010-08-24 16:13:16 |
Steve Beattie |
bug task added |
|
apparmor |
|
| 2010-09-07 12:34:10 |
Jamie Strandboge |
apparmor: status |
New |
Triaged |
|
| 2010-09-07 12:34:13 |
Jamie Strandboge |
apparmor (Ubuntu): status |
New |
Triaged |
|
| 2010-09-07 12:34:43 |
Jamie Strandboge |
apparmor (Ubuntu): importance |
Undecided |
High |
|
| 2010-09-07 12:34:49 |
Jamie Strandboge |
apparmor: importance |
Undecided |
High |
|
| 2010-09-10 21:16:26 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/apparmor |
|
| 2010-09-16 15:14:06 |
Colin Watson |
apparmor (Ubuntu): status |
Triaged |
Fix Released |
|
| 2010-11-02 22:59:52 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Lucid |
|
| 2010-11-02 22:59:52 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Lucid) |
|
| 2010-11-02 23:02:52 |
Jamie Strandboge |
apparmor (Ubuntu Lucid): importance |
Undecided |
High |
|
| 2010-11-02 23:02:52 |
Jamie Strandboge |
apparmor (Ubuntu Lucid): status |
New |
In Progress |
|
| 2010-11-02 23:02:52 |
Jamie Strandboge |
apparmor (Ubuntu Lucid): milestone |
|
lucid-updates |
|
| 2010-11-04 12:57:55 |
Steve Beattie |
description |
Binary package hint: apparmor
While developing a test profile(s) for sshd on lucid using logprof/genprof, the following rejections in dmesg were never processed by the tools:
[ 878.662172] type=1503 audit(1282626827.320:411): operation="truncate" pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/lib/update-notifier/release-upgrade-available"
[ 878.663410] type=1502 audit(1282626827.320:412): operation="rename_src" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"
[ 878.663418] type=1502 audit(1282626827.320:413): operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"
I first looked at the log parsing library under the assumption that it didn't understand these operations. After adding testcases for each message, I confirmed that it does indeed understand them and parses them properly. Looking at SubDomain.pm, however, it does not know about these additional operation types. |
SRU
1. Impact: affects ability of users/administrators trying to create or adjust their apparmor policies.
2. Fixed in natty
3. Patch to SubDomain.pm is small (other portions of the patch add testcases to the log parsing library to confirm that they handle the corresponding apparmor event messages) and adds four tests to an if-clause. See http://bazaar.launchpad.net/~apparmor-dev/apparmor/release-2.5/revision/1432 for upstream commit.
4. TEST CASE
(1) Add the attached empty test profile for /does/not/exist (named does.not.exist) to /etc/apparmor.d
(2) Reload apparmor policy via "sudo /etc/init.d/apparmor reload"
(3) Copy the test logfile to /tmp
(4) Run logprof on the test logfile; e.g. "sudo logprof -f /tmp/testlog"
In the unfixed version, logprof will not prompt the user for any rejections (it may ask about using the repository, answer disable or later). In the fixed version, logprof should ask about three different rejections:
/var/lib/update-notifier/release-upgrade-available
/var/run/motd
/var/run/motd.new
(select allow each time)
(5) Regression potential is low, as the patch adds additional cases to the apparmor perl library; it can only affect the tools used to adjust apparmor profiles.
Binary package hint: apparmor
While developing a test profile(s) for sshd on lucid using logprof/genprof, the following rejections in dmesg were never processed by the tools:
[ 878.662172] type=1503 audit(1282626827.320:411): operation="truncate" pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/lib/update-notifier/release-upgrade-available"
[ 878.663410] type=1502 audit(1282626827.320:412): operation="rename_src" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"
[ 878.663418] type=1502 audit(1282626827.320:413): operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"
I first looked at the log parsing library under the assumption that it didn't understand these operations. After adding testcases for each message, I confirmed that it does indeed understand them and parses them properly. Looking at SubDomain.pm, however, it does not know about these additional operation types.
|
|
| 2010-11-04 12:58:18 |
Steve Beattie |
description |
SRU
1. Impact: affects ability of users/administrators trying to create or adjust their apparmor policies.
2. Fixed in natty
3. Patch to SubDomain.pm is small (other portions of the patch add testcases to the log parsing library to confirm that they handle the corresponding apparmor event messages) and adds four tests to an if-clause. See http://bazaar.launchpad.net/~apparmor-dev/apparmor/release-2.5/revision/1432 for upstream commit.
4. TEST CASE
(1) Add the attached empty test profile for /does/not/exist (named does.not.exist) to /etc/apparmor.d
(2) Reload apparmor policy via "sudo /etc/init.d/apparmor reload"
(3) Copy the test logfile to /tmp
(4) Run logprof on the test logfile; e.g. "sudo logprof -f /tmp/testlog"
In the unfixed version, logprof will not prompt the user for any rejections (it may ask about using the repository, answer disable or later). In the fixed version, logprof should ask about three different rejections:
/var/lib/update-notifier/release-upgrade-available
/var/run/motd
/var/run/motd.new
(select allow each time)
(5) Regression potential is low, as the patch adds additional cases to the apparmor perl library; it can only affect the tools used to adjust apparmor profiles.
Binary package hint: apparmor
While developing a test profile(s) for sshd on lucid using logprof/genprof, the following rejections in dmesg were never processed by the tools:
[ 878.662172] type=1503 audit(1282626827.320:411): operation="truncate" pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/lib/update-notifier/release-upgrade-available"
[ 878.663410] type=1502 audit(1282626827.320:412): operation="rename_src" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"
[ 878.663418] type=1502 audit(1282626827.320:413): operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"
I first looked at the log parsing library under the assumption that it didn't understand these operations. After adding testcases for each message, I confirmed that it does indeed understand them and parses them properly. Looking at SubDomain.pm, however, it does not know about these additional operation types.
|
SRU
1. Impact: affects ability of users/administrators trying to create or adjust their apparmor policies.
2. Fixed in natty
3. Patch to SubDomain.pm is small (other portions of the patch add testcases to the log parsing library to confirm that they handle the corresponding apparmor event messages) and adds four tests to an if-clause. See http://bazaar.launchpad.net/~apparmor-dev/apparmor/release-2.5/revision/1432 for upstream commit.
4. TEST CASE
(1) Add the attached empty test profile for /does/not/exist (named does.not.exist) to /etc/apparmor.d
(2) Reload apparmor policy via "sudo /etc/init.d/apparmor reload"
(3) Copy the test logfile to /tmp
(4) Run logprof on the test logfile; e.g. "sudo logprof -f /tmp/testlog"
In the unfixed version, logprof will not prompt the user for any rejections (it may ask about using the repository, answer disable or later). In the fixed version, logprof should ask about three different rejections:
/var/lib/update-notifier/release-upgrade-available
/var/run/motd
/var/run/motd.new
(select allow each time)
5. Regression potential is low, as the patch adds additional cases to the apparmor perl library; it can only affect the tools used to adjust apparmor profiles.
Binary package hint: apparmor
While developing a test profile(s) for sshd on lucid using logprof/genprof, the following rejections in dmesg were never processed by the tools:
[ 878.662172] type=1503 audit(1282626827.320:411): operation="truncate" pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/lib/update-notifier/release-upgrade-available"
[ 878.663410] type=1502 audit(1282626827.320:412): operation="rename_src" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"
[ 878.663418] type=1502 audit(1282626827.320:413): operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"
I first looked at the log parsing library under the assumption that it didn't understand these operations. After adding testcases for each message, I confirmed that it does indeed understand them and parses them properly. Looking at SubDomain.pm, however, it does not know about these additional operation types.
|
|
| 2010-11-04 12:59:12 |
Steve Beattie |
attachment added |
|
does.not.exist https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/623467/+attachment/1722817/+files/does.not.exist |
|
| 2010-11-04 12:59:46 |
Steve Beattie |
attachment added |
|
testlog https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/623467/+attachment/1722818/+files/testlog |
|
| 2010-12-03 17:21:05 |
Martin Pitt |
apparmor (Ubuntu Lucid): status |
In Progress |
Fix Committed |
|
| 2010-12-03 17:21:08 |
Martin Pitt |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2010-12-03 17:21:12 |
Martin Pitt |
bug |
|
|
added subscriber SRU Verification |
| 2010-12-03 17:21:17 |
Martin Pitt |
tags |
|
verification-needed |
|
| 2010-12-14 20:58:25 |
Martin Pitt |
tags |
verification-needed |
verification-done |
|
| 2010-12-15 11:50:58 |
Launchpad Janitor |
apparmor (Ubuntu Lucid): status |
Fix Committed |
Fix Released |
|
| 2011-03-02 14:12:22 |
Leif Atle Vold |
apparmor: assignee |
|
Leif Atle Vold (lvold7355) |
|
| 2011-03-02 14:12:29 |
Leif Atle Vold |
apparmor (Ubuntu): assignee |
|
Leif Atle Vold (lvold7355) |
|
| 2011-03-02 14:12:57 |
Leif Atle Vold |
apparmor: status |
Triaged |
Incomplete |
|
| 2011-03-14 15:45:23 |
Jamie Strandboge |
apparmor (Ubuntu): assignee |
Leif Atle Vold (lvold7355) |
|
|
| 2011-03-14 15:45:28 |
Jamie Strandboge |
apparmor: assignee |
Leif Atle Vold (lvold7355) |
|
|
| 2011-03-14 15:45:39 |
Jamie Strandboge |
apparmor: status |
Incomplete |
Fix Released |
|
| 2011-09-19 21:27:19 |
Ubuntu Foundations Team Bug Bot |
tags |
verification-done |
testcase verification-done |
|
