AppArmor profile transition changes required by Linux kernel fix for CVE-2019-11190

Bug #1830802 reported by Tyler Hicks
Affects           | Status       | Importance | Assigned to | Milestone
apparmor (Ubuntu) | Fix Released | Undecided  | Unassigned  |

Bug Description

[Impact]

* As discussed in bug #1628745, the following kernel commit changes
  AppArmor mediation behavior on exec transitions:

   commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
   Author: Linus Torvalds <email address hidden>
   Date: Mon Aug 22 16:41:46 2016 -0700

       binfmt_elf: switch to new creds when switching to new mm

* This change made its way into the Xenial kernel that's currently in
  xenial-proposed (4.4.0-149.175-generic) as it fixes CVE-2019-11190.

* jdstrand identified a couple of missing fixes that are needed from the
  AppArmor tree:

  d8278f51ecb3c736d697fa367faf99457210a7d8
  7a49f37c2481f761f8304712aa380acddfdb6303

[Test Case]

For the dnsmasq change in apparmor-profiles,

1) Install libvirt-bin and apparmor-profiles
2) Install linux 4.4.0-149.175 from xenial-proposed
3) Reboot
4) Ensure that there is *NOT* an ALLOWED message like this:

 $ dmesg | grep ALLOWED
 apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/dnsmasq//libvirt_leaseshelper" name="/usr/lib/libvirt/libvirt_leaseshelper" pid=1533 comm="libvirt_leasesh" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Note that you can retrigger the operations that trigger this AppArmor
message by running the following command:

 $ sudo virsh net-destroy default && sudo virsh net-start default

For the aa.py change in apparmor-utils,

1) Install apparmor-utils
2) Create a file named test.log containing the following denial:

[13622.935258] audit: type=1400 audit(1559071991.542:67): apparmor="DENIED" operation="exec" profile="xargs" name="/bin/echo" pid=2950 comm="xargs" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

3) Run the following command:

 $ sudo aa-logprof -f test.log

4) You'll be prompted to make a decision on what to do about the
   /bin/echo execute denial. Press (I)nherit.

5) Now press (V)iew Changes. Ensure that the 'm' permission is included
   in the added line:

   + /bin/echo mrix,

[Regression Potential]

The dnsmasq profile change adds permissions to the child profile.
There's really no chance of regression involved there.

The aa.py change adds the 'm' permission to the allowed permissions of a
binary on ix transitions. While there is a code change involved, it is a
small change and the resulting profile output involves no risk of
regression.
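
The two audit messages quoted in the test cases above can be handled by a small
log-to-rule helper. The following is an added example for this bug page; it is
not the code of apparmor-utils' aa.py or of the dnsmasq profile patch. It parses
the two sample lines (constructed here from the messages quoted in the test
cases) into their key=value fields, and then derives the rule that would resolve
each event: for a file_mmap event the denied mask on the binary inside the named
profile, and for an exec event the execute rule with 'm' added whenever the
chosen transition is ix, which reproduces the "/bin/echo mrix," line shown in
step 5. The assumptions are that 'r' is always part of the written exec rule (as
in the page's output line) and that only the plain ix/px/cx/ux modes are offered;
the real aa-logprof prompts for further choices.

```python
import re

# Constructed sample log, taken from the two messages quoted in the bug's test cases.
SAMPLE_LOG = """\
apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/dnsmasq//libvirt_leaseshelper" name="/usr/lib/libvirt/libvirt_leaseshelper" pid=1533 comm="libvirt_leasesh" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
[13622.935258] audit: type=1400 audit(1559071991.542:67): apparmor="DENIED" operation="exec" profile="xargs" name="/bin/echo" pid=2950 comm="xargs" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bareword; the audit(...) prefix has no '=' and is skipped.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Simplified set of exec transition modes (assumption: the real tool offers more).
EXEC_MODES = ("ix", "px", "cx", "ux")


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit message as a dict.
    Quoted values lose their quotes; bare values (pid=..., fsuid=...) stay strings."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def exec_rule(path, exec_mode):
    """Build the file rule written for an exec event with the given transition mode.
    After the CVE-2019-11190 kernel change the exec'd binary is mapped under the
    profile that confines the new image, so an inherit (ix) rule must also grant 'm'."""
    if exec_mode not in EXEC_MODES:
        raise ValueError(f"unsupported exec mode: {exec_mode}")
    perms = {"r"}  # assumption: reading the binary is always part of the written rule
    if exec_mode == "ix":
        perms.add("m")  # the fix this bug tracks: add 'm' automatically on ix
    ordered = "".join(c for c in "mrw" if c in perms)
    return f"{path} {ordered}{exec_mode},"


def suggest_rule(fields, exec_mode="ix"):
    """Map one parsed audit record to the (profile, rule) pair that resolves it."""
    op = fields.get("operation")
    profile = fields["profile"]
    path = fields["name"]
    if op == "exec":
        return profile, exec_rule(path, exec_mode)
    if op == "file_mmap":
        # The denied mask names exactly the permission the confined profile lacks;
        # for a px/cx child profile this is the 'm' on its own binary (the dnsmasq case).
        denied = "".join(c for c in "mrwx" if c in fields.get("denied_mask", ""))
        return profile, f"{path} {denied},"
    raise ValueError(f"unsupported operation: {op}")


def suggest_rules(log_text, exec_mode="ix"):
    """Run suggest_rule over every AppArmor line of a log, skipping non-AppArmor lines."""
    out = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if "apparmor" not in fields:
            continue
        out.append(suggest_rule(fields, exec_mode))
    return out


if __name__ == "__main__":
    for profile, rule in suggest_rules(SAMPLE_LOG):
        print(f"profile {profile}: + {rule}")
```

Running the block prints one suggested rule per sample line; the xargs line yields
"+ /bin/echo mrix," for an inherit decision, while the same event with a px
decision yields "/bin/echo rpx," because the 'm' belongs in the target profile in
that case, which is exactly what the dnsmasq child profile change supplies.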

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.11

---------------
apparmor (2.10.95-0ubuntu2.11) xenial-security; urgency=medium

  * Make dnsmasq profile and Python utility changes necessary to continue
    working correctly after the Linux kernel change to address CVE-2019-11190.
    Without these changes, some profile transitions may be unintentionally
    denied. (LP: #1830802)
    - 0001-dnsmasq-allow-libvirt_leaseshelper-m-permission-on-i.patch
    - 0001-handle_children-automatically-add-m-permissions-on-i.patch

 -- Tyler Hicks <email address hidden> Tue, 28 May 2019 21:33:21 +0000

Changed in apparmor (Ubuntu):
status: New → Fix Released