[SRU] AppArmor on Hardy Interferes with glibc Access to /proc/self/maps

Bug #668479 reported by nutznboltz
This bug affects 1 person
Affects            Status        Importance  Assigned to  Milestone
apparmor (Ubuntu)  Fix Released  Undecided   Unassigned
Hardy              Fix Released  Low         Unassigned

Bug Description

Binary package hint: apparmor

Impact: Lack of a single AppArmor base profile rule renders glibc unable to perform functions on Hardy that are available on Lucid.
Addressed: apparmor 2.5-0ubuntu3 (on Lucid), possibly earlier too.
Patch: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/668479/+attachment/1716210/+files/apparmor_2.1%2B1075-0ubuntu9.3.debdiff
Reproducing: trapping a segfault fails; see http://ubuntuforums.org/showthread.php?p=10043474
Regression potential: none known

Attempting to catch a SIGSEGV inside OpenLDAP on Hardy results in an AppArmor error message instead:

2010-09-28T16:41:23-04:00 molybdenum kernel 05 [kern.notice] kernel: [15908266.232011]
 audit(1285706483.638:69): type=1503 operation="inode_permission" requested_mask="::r"
 denied_mask="::r" name="/proc/22022/maps" pid=22038 profile="/usr/sbin/slapd"
 namespace="default"

ProblemType: Bug
Architecture: amd64
Date: Fri Oct 29 14:48:20 2010
DistroRelease: Ubuntu 8.04
Package: apparmor 2.1+1075-0ubuntu9.2
PackageArchitecture: amd64
ProcEnviron:
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: apparmor
Uname: Linux 2.6.24-28-generic x86_64

nutznboltz (nutznboltz-deactivatedaccount) wrote :

debdiff with the missing AppArmor base profile rule added.

description: updated
Changed in apparmor (Ubuntu):
status: New → Fix Released
Kees Cook (kees) wrote :

Thanks for the report! It may be possible to have this fix be SRUed into Hardy, since it was fixed in later releases. Please follow the SRU instructions: https://wiki.ubuntu.com/StableReleaseUpdates

Changed in apparmor (Ubuntu Hardy):
status: New → Triaged
importance: Undecided → Low
nutznboltz (nutznboltz-deactivatedaccount) wrote :

@Kees Cook - The https://wiki.ubuntu.com/StableReleaseUpdates#Examples section only offers a single example of how the SRU process works for a package in main.

That example is LP #173082

Does LP #173082 actually fulfill all the requirements listed in https://wiki.ubuntu.com/StableReleaseUpdates#Procedure ?

I don't think so.

So what bug would actually make a good example of how the SRU process works for a main package?

description: updated
summary: - AppArmor on Hardy Interferes with glibc Access to /proc/self/maps
+ [SRU] AppArmor on Hardy Interferes with glibc Access to /proc/self/maps
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff!

SRU Request:

Impact: The AppArmor profile in Hardy lacks the necessary permissions for segfault handlers, which results in difficulties when trying to see why certain applications have failed.

This has been addressed in the attached debdiff by adding the same apparmor rule that was added to later Ubuntu releases.

Martin Pitt (pitti) wrote : Please test proposed package

Accepted apparmor into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in apparmor (Ubuntu Hardy):
status: Triaged → Fix Committed
tags: added: verification-needed
Martin Pitt (pitti) wrote :

Any testers?

Martin Pitt (pitti) wrote :

Any testers of the lucid-proposed package? As this has been in -proposed for a long time already, I'll remove the proposed package soon if there is no feedback. Thank you!

nutznboltz (nutznboltz-deactivatedaccount) wrote :

What lucid-proposed package?

nutznboltz (nutznboltz-deactivatedaccount) wrote :

FWIW I've been running with the modified /etc/apparmor.d/abstractions/base since Oct 29, 2010 on a busy Ubuntu 8.04 OpenLDAP server.

Kees Cook (kees)
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.1+1075-0ubuntu9.3

---------------
apparmor (2.1+1075-0ubuntu9.3) hardy-proposed; urgency=low

  * abstractions/base: backport the rule that allows /proc/*/maps
    so that libc6 catch_segfault() can read them and because
    other glibc *printf protections read the maps file too.
    (LP: #668479)
 -- Ken Stailey <email address hidden> Tue, 29 Oct 2010 14:14:14 -0400

Changed in apparmor (Ubuntu Hardy):
status: Fix Committed → Fix Released
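
Added example, not part of the original report or of the apparmor package: a small triage script that parses AppArmor `type=1503` denial records like the one quoted in the bug description and derives, per confined profile, the candidate rule each denial implies, so a reviewer can compare it with the `/proc/*/maps` rule named in the changelog. The function names, the second log record and the `/proc/<pid>/` to `/proc/*/` generalisation are assumptions made for this example.

```python
import re
from collections import defaultdict

# First record: the denial quoted in this report, joined onto one line.
# Second record: constructed for contrast, not from the report.
SAMPLE_LOG = [
    'audit(1285706483.638:69): type=1503 operation="inode_permission" '
    'requested_mask="::r" denied_mask="::r" name="/proc/22022/maps" '
    'pid=22038 profile="/usr/sbin/slapd" namespace="default"',
    'audit(1285706490.101:70): type=1503 operation="inode_permission" '
    'requested_mask="::w" denied_mask="::w" name="/var/tmp/constructed.db" '
    'pid=22038 profile="/usr/sbin/slapd" namespace="default"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
PROC_PID_RE = re.compile(r'^/proc/\d+/')             # per-process /proc entry

def parse_record(line):
    """Return the key=value fields of an AppArmor type=1503 record, else None."""
    fields = {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}
    return fields if fields.get("type") == "1503" else None

def candidate_rule(fields):
    """Generalise the denied path (assumption: any pid) and list denied permissions."""
    path = PROC_PID_RE.sub("/proc/*/", fields["name"])
    perms = "".join(sorted(set(fields["denied_mask"]) - {":"}))
    return f"{path} {perms},"

def summarise(lines):
    """Map each confined profile to the sorted candidate rules its denials imply."""
    out = defaultdict(set)
    for line in lines:
        fields = parse_record(line)
        if fields and {"name", "denied_mask", "profile"} <= fields.keys():
            out[fields["profile"]].add(candidate_rule(fields))
    return {profile: sorted(rules) for profile, rules in out.items()}

if __name__ == "__main__":
    for profile, rules in summarise(SAMPLE_LOG).items():
        print(profile, rules)
```

The output is a list of rules to review, not to apply blindly: in this bug the read of `/proc/*/maps` was judged safe enough to go into the shared `abstractions/base`, while a write to an arbitrary path like the constructed second record would normally be decided per profile.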