AppArmor two-stage policy load is undocumented
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| apparmor (Ubuntu) |
Fix Released
|
Medium
|
Steve Beattie | ||
| Precise |
Fix Released
|
Medium
|
Steve Beattie | ||
Bug Description
AppArmor is loaded to late in the boot process. Manually generated profiles by security oriented admins are activated after the daemons are started. The daemons run unconfined. This is a security vulnerability because the admin apparently has no way of activating the profile.
This can be resolved for many network services using the network-
Please update the documentation and explain this feature.
Scenario:
1. Admin generates profile for vsftpd
2. Admin reboots the system
3. Vsftpd is started
4. AppArmor is loaded via sys-v-support
5. Vsftpd is unconfined because AppArmor is loaded to late.
Solution:
Link the vsftpd Apparmor profile to /etc/apparmor/
ln -s /etc/apparmor.
This needs to be documented!
See also bug https:/
Applies to Ubuntu 12.04 with apparmor 2.7.102-0ubuntu2
Status changed to 'Confirmed' because the bug affects multiple users.
Currently AppArmor's profile load is not done via upstart for various reasons see https:/
Instead if the daemon has been switched to upstart profile load can be made dependent there as is done with /etc/init/
Instead of forcing all profiles to be loaded early which could affect boot speed, Ubuntu has opted to provide a split profile load (which does not seem to be documented atm) that will load some profiles early and the full profile set later in the boot sequence. To force a profile to be loaded early a symlink is dropped in
/etc/
see
/etc/
as an example. As long as the profile cache is built adding all profiles should not significantly impact boot performance
Ok. I understand that. But I think this needs to be documented prominently either in the wiki or the apparmor package. Without any documentation the admin generating his own profiles does not know how to handle the situation.
Agreed, documentation is being written. Both a patch for the apparmor (7) man page and for the wiki
Attached is a patch to adjust the apparmor(5) man page to (finally) document this.
+ AppArmor two-stage policy load is undocumented
- 0007-ubuntu-manpage-updates.patch Edit (3.4 KiB, text/plain)
This has been committed to ~ubuntu-
removed: security
Opps, of course I meant apaprmor(7), not apparmor(5).
This bug was fixed in the package apparmor - 2.7.102-0ubuntu3
---------------
apparmor (2.7.102-0ubuntu3) precise; urgency=low
[ Jamie Strandboge ]
* debian/
to describe Ubuntu's two-stage policy load and how to add utilize it
when developing policy (LP: #974089)
[ Serge Hallyn ]
* debian/
removed once stacked profiles are supported and used by lxc.
(LP: #978297)
[ Steve Beattie ]
* debian/
for change_profile onexec (LP: #963756)
* debian/
debian/
to support the 'in' keyword for value lists, and make mount
operations aware of 'in' keyword so they can affect the flags build
list (LP: #959560)
* debian/
exec events in complain mode (LP: #872446)
* debian/
dovecot imap-login profile (LP: #978584)
* debian/
log parsing library from dropping apparmor network events that
contain ip addresses or ports in them (LP: #800826)
* debian/
syntax and usage in apparmor.d(5) manpage (LP: #979095)
* debian/
for profiles without attachment specification (LP: #963756,
LP: #978038)
* debian/
loading policy to kernels without compat patches (LP: #968956)
* debian/
grant access to /proc/attr api (LP: #979135)
-- Steve Beattie <email address hidden> 2012年4月12日 06:17:42 -0500