
Bug#858900: marked as done (unblock: apparmor/2.11.0-3)



Your message dated Tue, 28 Mar 2017 18:52:00 +0000
with message-id <7e677ef8-d824-68e3-52bf-4d6cd8ea7940@thykier.net>
and subject line Re: Bug#858900: unblock: apparmor/2.11.0-3
has caused the Debian Bug report #858900,
regarding unblock: apparmor/2.11.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
858900: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858900
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi!

Please unblock package apparmor, which fixes CVE-2017-6507,
aka Debian bug #858768.

unblock apparmor/2.11.0-3
diff -Nru apparmor-2.11.0/debian/apparmor.init apparmor-2.11.0/debian/apparmor.init
--- apparmor-2.11.0/debian/apparmor.init	2016-10-14 22:22:00.000000000 +0200
+++ apparmor-2.11.0/debian/apparmor.init	2017-03-28 12:23:08.000000000 +0200
@@ -190,7 +190,6 @@
 		clear_cache
 		load_configured_profiles
 		rc=$?
-		unload_obsolete_profiles
 
 		log_end_msg "$rc"
 		;;
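Review bot: this hunk removes only the caller of unload_obsolete_profiles; the function itself is presumably still defined in the sourced /lib/apparmor/functions, which this diff does not touch, so any other script sourcing that file can still invoke it with the same unconfining effect that CVE-2017-6507 describes. Consider a follow-up that either deletes the function or turns it into a stub that points at aa-remove-unknown. Note also that `rc=$?` still captures only the status of load_configured_profiles, so what log_end_msg reports is unchanged by this removal.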
diff -Nru apparmor-2.11.0/debian/apparmor.install apparmor-2.11.0/debian/apparmor.install
--- apparmor-2.11.0/debian/apparmor.install	2016-10-14 22:14:49.000000000 +0200
+++ apparmor-2.11.0/debian/apparmor.install	2017-03-28 12:23:08.000000000 +0200
@@ -6,6 +6,7 @@
 sbin/apparmor_parser
 usr/bin/aa-enabled
 usr/bin/aa-exec
+usr/sbin/aa-remove-unknown
 usr/sbin/aa-status
 usr/sbin/apparmor_status
 etc/apparmor.d/tunables/alias
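Review bot: aa-remove-unknown does `. /lib/apparmor/functions` unconditionally at startup, so it is only usable if that file ships in this same binary package; the visible lines of this install list do not include lib/apparmor/functions, so confirm it is listed elsewhere in the file and not in a package that aa-remove-unknown could be installed without. Installing under usr/sbin is consistent with the root requirement implied by the script's write check on the apparmorfs .remove file.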
diff -Nru apparmor-2.11.0/debian/apparmor.manpages apparmor-2.11.0/debian/apparmor.manpages
--- apparmor-2.11.0/debian/apparmor.manpages	2017-01-09 13:40:08.000000000 +0100
+++ apparmor-2.11.0/debian/apparmor.manpages	2017-03-28 12:23:08.000000000 +0200
@@ -5,5 +5,6 @@
 debian/tmp/usr/share/man/man7/apparmor.7
 debian/tmp/usr/share/man/man1/aa-enabled.1
 debian/tmp/usr/share/man/man1/aa-exec.1
+debian/tmp/usr/share/man/man8/aa-remove-unknown.8
 debian/tmp/usr/share/man/man8/aa-status.8
 debian/tmp/usr/share/man/man8/apparmor_status.8
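Review bot: the man8 section matches the usr/sbin placement, but this path only exists if the upstream utils build actually generates aa-remove-unknown.8 from the new aa-remove-unknown.pod; the Makefile hunk in the patch below only extends TOOLS, so confirm the manpage list there is derived from TOOLS, otherwise the build fails on a missing debian/tmp/usr/share/man/man8/aa-remove-unknown.8.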
diff -Nru apparmor-2.11.0/debian/apparmor.postinst apparmor-2.11.0/debian/apparmor.postinst
--- apparmor-2.11.0/debian/apparmor.postinst	2015-08-13 21:25:45.000000000 +0200
+++ apparmor-2.11.0/debian/apparmor.postinst	2017-03-28 12:23:08.000000000 +0200
@@ -113,7 +113,6 @@
         if aa-status --enabled 2>/dev/null; then
             clear_cache || true
             load_configured_profiles || true
-            unload_obsolete_profiles || true
         fi
 
         # Discard the return code and just make sure the md5sums are updated
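Review bot: with this call gone, nothing in the postinst prunes profiles that an earlier package version loaded but that no longer exist in /etc/apparmor.d/, so such profiles now stay in the kernel after an upgrade until a reboot or until an administrator runs aa-remove-unknown. That is the intended trade-off, but it is a visible behaviour change for upgraders and deserves a debian/NEWS entry or at least a sentence in the changelog. The surrounding `clear_cache || true` and `load_configured_profiles || true` also still swallow load failures silently, which is the condition that made the removed line dangerous; emitting a warning when load_configured_profiles fails would give the administrator a chance to notice a partially loaded policy.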
diff -Nru apparmor-2.11.0/debian/apparmor.upstart apparmor-2.11.0/debian/apparmor.upstart
--- apparmor-2.11.0/debian/apparmor.upstart	2016-10-14 22:14:49.000000000 +0200
+++ apparmor-2.11.0/debian/apparmor.upstart	2017-03-28 12:23:08.000000000 +0200
@@ -83,7 +83,6 @@
     if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
         clear_cache
         load_configured_profiles
-	unload_obsolete_profiles
         exit 0
     fi
 
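Review bot: the removal matches the init and postinst hunks. One inconsistency remains in this reload branch: apparmor.init stores the status of load_configured_profiles in rc and passes it to log_end_msg, whereas this job unconditionally does `exit 0`, so a profile that fails to load on reload is reported as success. Not introduced here, but since the three code paths are being changed together it is a good moment to align them. (The removed line was also the only tab-indented one in a space-indented block, so its removal tidies that as a side effect.)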
diff -Nru apparmor-2.11.0/debian/changelog apparmor-2.11.0/debian/changelog
--- apparmor-2.11.0/debian/changelog	2017-01-21 11:05:51.000000000 +0100
+++ apparmor-2.11.0/debian/changelog	2017-03-28 12:29:15.000000000 +0200
@@ -1,3 +1,19 @@
+apparmor (2.11.0-3) unstable; urgency=medium
+
+  * Fix CVE-2017-6507: don't unload unknown profiles during package
+    configuration or when restarting the apparmor init script, upstart job, or
+    systemd unit as this could leave processes unconfined (Closes: #858768).
+    Changes cherry-picked from Ubuntu's 2.11.0-2ubuntu3:
+    - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
+      Remove calls to unload_obsolete_profiles()
+    - debian/patches/utils-add-aa-remove-unknown.patch,
+      debian/apparmor.install debian/apparmor.manpages: Include a new utility,
+      aa-remove-unknown, which can be used to unload unknown profiles. Based
+      on an upstream patch but adjusted to source the /lib/apparmor/functions
+      shipped in Debian/Ubuntu.
+
+ -- intrigeri <intrigeri@debian.org>  Tue, 28 Mar 2017 10:29:15 +0000
+
 apparmor (2.11.0-2) unstable; urgency=medium
 
   * Drop the apparmor-docs package (Closes: #851118).
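Review bot: the entry says the fix also covers restarting "the systemd unit", yet no systemd file appears in this diff; if the unit works by invoking the init script or the same /lib/apparmor/functions code, say so here so the claim is traceable from the changelog. It should also state what replaces the removed behaviour, namely that stale profiles are no longer unloaded automatically and that `aa-remove-unknown -n` followed by `aa-remove-unknown` is the manual replacement. Minor: the list of files cherry-picked from 2.11.0-2ubuntu3 omits the debian/patches/series change that enables the new patch.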
diff -Nru apparmor-2.11.0/debian/patches/series apparmor-2.11.0/debian/patches/series
--- apparmor-2.11.0/debian/patches/series	2017-01-09 12:46:20.000000000 +0100
+++ apparmor-2.11.0/debian/patches/series	2017-03-28 12:24:44.000000000 +0200
@@ -18,6 +18,9 @@
 #profiles-grant-access-to-systemd-resolved.patch
 # Not adapted to Debian packaging of Chromium (Debian#742829)
 #add-chromium-browser.patch
+# Adapted to use debian/lib/apparmor/functions instead of
+# parser/rc.apparmor.functions
+utils-add-aa-remove-unknown.patch
 
 #
 # Patches not yet upstream
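Review bot: the comment says "debian/lib/apparmor/functions" while the script sources the installed path /lib/apparmor/functions; naming the installed path here (or "the Debian-shipped /lib/apparmor/functions") saves a reader from looking for a file under debian/. Since the patch deliberately deviates from upstream r3648 in that respect, it arguably belongs under the "Patches not yet upstream" heading that follows rather than among the cherry-picked upstream changes, or the comment should note that only the sourced file differs.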
diff -Nru apparmor-2.11.0/debian/patches/utils-add-aa-remove-unknown.patch apparmor-2.11.0/debian/patches/utils-add-aa-remove-unknown.patch
--- apparmor-2.11.0/debian/patches/utils-add-aa-remove-unknown.patch	1970-01-01 01:00:00.000000000 +0100
+++ apparmor-2.11.0/debian/patches/utils-add-aa-remove-unknown.patch	2017-03-28 12:26:56.000000000 +0200
@@ -0,0 +1,214 @@
+Description: utils: Add aa-remove-unknown utility to unload unknown profiles
+ .
+ https://launchpad.net/bugs/1668892
+ .
+ This patch creates a new utility, with the code previously used in the
+ init script 'restart' action, that removes unknown profiles which are
+ not found in /etc/apparmor.d/. The functionality was removed from the
+ common init script code in the fix for CVE-2017-6507.
+ .
+ The new utility prints a message containing the name of each unknown
+ profile before the profiles are removed. It also supports a dry run mode
+ so that an administrator can check which profiles will be removed before
+ unloading any unknown profiles.
+ .
+ If you backport this utility with the fix for CVE-2017-6507 to an
+ apparmor 2.10 release and your backported aa-remove-unknown utility is
+ sourcing the upstream rc.apparmor.functions file, you'll want to include
+ the following bug fix to prevent the aa-remove-unknown utility from
+ removing child profiles that it shouldn't remove:
+ .
+   r3440 - Fix: parser: incorrect output of child profile names
+ .
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Acked-by: Seth Arnold <seth.arnold@canonical.com>
+ Acked-by: John Johansen <john.johansen@canonical.com>
+ .
+ IMPORTANT: The upstream patch has been backported to use the
+ /lib/apparmor/functions file shipped as part of the Debian/Ubuntu packaging
+ instead of the upstream /lib/apparmor/rc.apparmor.functions file.
+Origin: backport, http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3648
+Author: Tyler Hicks <tyhicks@canonical.com>
+Bug: https://launchpad.net/bugs/1668892
+Bug-Debian: https://bugs.debian.org/858768
+Last-Update: 2017-03-24
+X-Bzr-Revision-Id: tyhicks@canonical.com-20170324050801-6p7c40m8d44ase9c
+
+Index: apparmor-2.11/utils/Makefile
+===================================================================
+--- apparmor-2.11.orig/utils/Makefile
++++ apparmor-2.11/utils/Makefile
+@@ -24,7 +24,7 @@ PERLTOOLS = aa-notify
+ PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \
+           aa-autodep aa-audit aa-complain aa-enforce aa-disable \
+ 	  aa-status aa-unconfined
+-TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode
++TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode aa-remove-unknown
+ PYSETUP = python-tools-setup.py
+ PYMODULES = $(wildcard apparmor/*.py apparmor/rule/*.py)
+ 
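Review bot: adding the tool to TOOLS takes care of installation, but aa-remove-unknown is a shell script that belongs to neither PERLTOOLS nor PYTOOLS, so any syntax or lint targets keyed on those two lists will skip it; if the Makefile has a check target, running `sh -n` on the script there is cheap. Given the `#!/bin/sh` shebang, the script also needs to stay within what dash accepts (it uses `local` and the obsolescent `-o` operator in test), which such a check would catch.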
+Index: apparmor-2.11/utils/aa-remove-unknown
+===================================================================
+--- /dev/null
++++ apparmor-2.11/utils/aa-remove-unknown
+@@ -0,0 +1,104 @@
++#!/bin/sh
++# ----------------------------------------------------------------------
++#    Copyright (c) 2017 Canonical Ltd. (All rights reserved)
++#
++#    This program is free software; you can redistribute it and/or
++#    modify it under the terms of version 2 of the GNU General Public
++#    License published by the Free Software Foundation.
++#
++#    This program is distributed in the hope that it will be useful,
++#    but WITHOUT ANY WARRANTY; without even the implied warranty of
++#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++#    GNU General Public License for more details.
++#
++#    You should have received a copy of the GNU General Public License
++#    along with this program. If not, see <http://www.gnu.org/licenses/>.
++# ----------------------------------------------------------------------
++
++APPARMOR_FUNCTIONS=/lib/apparmor/functions
++APPARMORFS=/sys/kernel/security/apparmor
++PROFILES_IFACE="${APPARMORFS}/profiles"
++REMOVE="${APPARMORFS}/.remove"
++
++DRY_RUN=0
++
++. $APPARMOR_FUNCTIONS
++
++usage() {
++	local progname="$1"
++	local rc="$2"
++	local msg="usage: ${progname} [options]\n
++Remove profiles unknown to the system
++
++Options:
++ -h, --help	Show this help message and exit
++ -n		Dry run; don't remove profiles"
++
++	if [ "$rc" -ne 0 ] ; then
++		echo "$msg" 1>&2
++	else
++		echo "$msg"
++	fi
++
++	exit "$rc"
++}
++
++if [ "$#" -gt 1 ] ; then
++	usage "$0" 1
++elif [ "$#" -eq 1 ] ; then
++	if [ "$1" = "-h" -o "$1" = "--help" ] ; then
++		usage "$0" 0
++	elif [ "$1" = "-n" ] ; then
++		DRY_RUN=1
++	else
++		usage "$0" 1
++	fi
++fi
++
++
++# We can't use a -r test here because while $PROFILES_IFACE is world-readable,
++# apparmorfs may still return EACCES from open()
++#
++# We have to do this check because error checking awk's getline() below is
++# tricky and, as is, results in an infinite loop when apparmorfs returns an
++# error from open().
++if ! IFS= read line < "$PROFILES_IFACE" ; then
++	echo "ERROR: Unable to read apparmorfs profiles file" 1>&2
++	exit 1
++elif [ ! -w "$REMOVE" ] ; then
++	echo "ERROR: Unable to write to apparmorfs remove file" 1>&2
++	exit 1
++fi
++
++# Clean out running profiles not associated with the current profile
++# set, excluding the libvirt dynamically generated profiles.
++aa_configured=$(mktemp -t aa-XXXXXX)
++configured_profile_names > "$aa_configured"
++if [ "$?" -ne 0 ] ; then
++	echo "ERROR: Unable to enumerate the known profiles" 1>&2
++	rm -f "$aa_configured" "$aa_loaded"
++	exit 1
++fi
++
++aa_loaded=$(mktemp -t aa-XXXXXX)
++running_profile_names > "$aa_loaded" || true
++if [ "$?" -ne 0 ] ; then
++	echo "ERROR: Unable to enumerate the running profiles" 1>&2
++	rm -f "$aa_configured" "$aa_loaded"
++	exit 1
++fi
++
++LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
++	if [ "$DRY_RUN" -ne 0 ]; then
++		echo "Would remove '${profile}'"
++	else
++		echo "Removing '${profile}'"
++		unload_profile "$profile"
++	fi
++done
++ret="$?"
++
++rm -f "$aa_configured" "$aa_loaded"
++
++# will not catch all errors, but still better than nothing
++exit $ret
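Review bot: the error check after `running_profile_names > "$aa_loaded" || true` is dead code: the `|| true` forces `$?` to 0, so the "Unable to enumerate the running profiles" branch can never run and an enumeration failure is silently treated as "nothing loaded". Drop the `|| true` so it matches the configured_profile_names check just above. Related points in the same hunk: `ret="$?"` after the `comm ... | while read` pipeline reflects only the last loop iteration and never comm's own status, so an unload_profile failure followed by a success exits 0; `read profile` should be `IFS= read -r profile` so names are not altered by backslash processing or whitespace trimming; `LC_COLLATE=C comm` assumes both inputs are already sorted in C collation, which depends on the sourced functions and is not checked here; the first `rm -f "$aa_configured" "$aa_loaded"` runs before aa_loaded is assigned; `IFS= read line < "$PROFILES_IFACE"` returns non-zero on an empty profiles file (no profiles loaded), which is then reported as an apparmorfs read error; and the comment about "excluding the libvirt dynamically generated profiles" describes a filter that does not appear in this script, so either it lives in the sourced functions and should be documented, or the comment is stale. A `trap 'rm -f "$aa_configured" "$aa_loaded"' EXIT` would also stop the temp files leaking on interrupt.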
+Index: apparmor-2.11/utils/aa-remove-unknown.pod
+===================================================================
+--- /dev/null
++++ apparmor-2.11/utils/aa-remove-unknown.pod
+@@ -0,0 +1,51 @@
++=pod
++
++=head1 NAME
++
++aa-remove-unknown - remove unknown AppArmor profiles
++
++=head1 SYNOPSIS
++
++B<aa-remove-unknown> [option]
++
++=head1 DESCRIPTION
++
++B<aa-remove-unknown> will inventory all profiles in /etc/apparmor.d/, compare
++that list to the profiles currently loaded into the kernel, and then remove all
++of the loaded profiles that were not found in /etc/apparmor.d/. It will also
++report the name of each profile that it removes on standard out.
++
++=head1 OPTIONS
++
++=over 4
++
++=item -h, --help
++
++displays a short usage statement.
++
++=item -n
++
++dry run; only prints the names of profiles that would be removed
++
++=back
++
++=head1 EXAMPLES
++
++  $ sudo ./aa-remove-unknown -n
++  Would remove 'test//null-/usr/bin/whoami'
++  Would remove 'test'
++
++  $ sudo ./aa-remove-unknown
++  Removing 'test//null-/usr/bin/whoami'
++  Removing 'test'
++
++=head1 BUGS
++
++None. Please report any you find to Launchpad at
++L<https://bugs.launchpad.net/apparmor/+filebug>.
++
++=head1 SEE ALSO
++
++apparmor(7)
++
++=cut
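Review bot: DESCRIPTION promises removal of every loaded profile not found in /etc/apparmor.d/, while the script's own comment says libvirt's dynamically generated profiles are excluded; one of the two is wrong, and the man page is where an administrator will look, so state the actual rule there, along with the fact that the tool needs root because it writes to the apparmorfs .remove file. The EXAMPLES invoke `./aa-remove-unknown` from a source checkout; Debian installs it as /usr/sbin/aa-remove-unknown, so `sudo aa-remove-unknown -n` is what users will actually type. Recommend leading with the `-n` dry run in DESCRIPTION, since removing the wrong profile leaves its processes unconfined, which is exactly the failure CVE-2017-6507 is about. "BUGS: None." follows the other apparmor pods but reads oddly; a plain pointer to the bug tracker is enough.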

--- End Message ---
--- Begin Message ---
intrigeri:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi!
> 
> Please unblock package apparmor, which fixes CVE-2017-6507,
> aka Debian bug #858768.
> 
> unblock apparmor/2.11.0-3
> 

Unblocked, thanks.

~Niels

--- End Message ---
