Python utils lack support for pivot_root rules

Bug #1298678 reported by Tyler Hicks
Affects              Status        Importance  Assigned to   Milestone
AppArmor             Fix Released  Medium      Tyler Hicks
apparmor (Ubuntu)    Fix Released  Medium      Tyler Hicks

Bug Description

aa.py doesn't support pivot_root rules and emits a traceback when encountering them:

$ mkdir /tmp/profs
$ printf "profile pr {\n pivot_root /other,\n }" > /tmp/profs/pr
$ sudo aa-enforce -d /tmp/profs /tmp/profs/pr
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 30, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 153, in cmd_enforce
    apparmor.read_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2564, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2590, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3063, in parse_profile_data
    raise AppArmorException(_('Syntax Error: Unknown line found in file: %s line: %s') % (file, lineno + 1))
apparmor.common.AppArmorException: 'Syntax Error: Unknown line found in file: /tmp/profs/pr line: 2'
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 103, in apport_excepthook
    pr.add_proc_info(extraenv=['PYTHONPATH', 'PYTHONHOME'])
  File "/usr/lib/python3/dist-packages/apport/report.py", line 546, in add_proc_info
    ret = self.get_logind_session(pid)
  File "/usr/lib/python3/dist-packages/apport/report.py", line 1593, in get_logind_session
    if len(my_cgroup) < 2:
UnboundLocalError: local variable 'my_cgroup' referenced before assignment

Original exception was:
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 30, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 153, in cmd_enforce
    apparmor.read_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2564, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2590, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3063, in parse_profile_data
    raise AppArmorException(_('Syntax Error: Unknown line found in file: %s line: %s') % (file, lineno + 1))
apparmor.common.AppArmorException: 'Syntax Error: Unknown line found in file: /tmp/profs/pr line: 2'
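The rule shape aa.py was missing, as an added example (not code from aa.py or from the patch referenced in this bug): a small recogniser for pivot_root rules in the apparmor.d(5) form `pivot_root [oldroot=OLD] [NEW] [-> PROFILE],`, plus a line classifier that reproduces the "Unknown line found ... line: 2" failure on the report's test profile when pivot_root support is switched off. The regex, the helper names and ProfileSyntaxError are this example's own assumptions; quoted paths and other rule types are not handled.

```python
import re

# Added example, not aa.py's code. Rule shape follows apparmor.d(5):
#   pivot_root [oldroot=OLD] [NEW] [-> PROFILE],
# Quoted paths containing spaces are not handled (simplification).
PIVOT_ROOT_RE = re.compile(
    r'^(?P<audit>audit\s+)?(?P<deny>deny\s+)?pivot_root'
    r'(?:\s+oldroot=(?P<oldroot>[^\s,]+))?'
    r'(?:\s+(?P<newroot>(?!->)[^\s,]+))?'
    r'(?:\s+->\s+(?P<profile>[^\s,]+))?'
    r'\s*,$'
)
PROFILE_START_RE = re.compile(r'^(?:profile\s+)?\S+\s*\{$')  # e.g. 'profile pr {'
PROFILE_END_RE = re.compile(r'^\}$')


class ProfileSyntaxError(Exception):
    """Stands in for AppArmorException's 'Unknown line found' failure."""


def parse_pivot_root(line):
    """Return the fields of a pivot_root rule, or None if the line is not one."""
    m = PIVOT_ROOT_RE.match(line.strip())
    if not m:
        return None
    return {
        'audit': bool(m.group('audit')),
        'deny': bool(m.group('deny')),
        'oldroot': m.group('oldroot'),
        'newroot': m.group('newroot'),
        'profile': m.group('profile'),
    }


def read_profile(text, support_pivot_root=True):
    """Classify profile lines; an unknown line raises, as aa.py does.
    support_pivot_root=False reproduces the report: parsing stops at line 2.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if PROFILE_START_RE.match(line) or PROFILE_END_RE.match(line):
            continue
        rule = parse_pivot_root(line) if support_pivot_root else None
        if rule is None:
            raise ProfileSyntaxError(
                'Syntax Error: Unknown line found line: %d' % lineno)
        rules.append(rule)
    return rules
```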

Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5

---------------
apparmor (2.8.95~2430-0ubuntu5) trusty; urgency=medium

  * debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin,
    lightdm and apparmor-easyprof-ubuntu

apparmor (2.8.95~2430-0ubuntu4) trusty; urgency=medium

  [ John Johansen, Steve Beattie ]
  * Add userspace support for AppArmor signals and ptrace mediation
    (LP: #1298611)
    + debian/patches/mediate-signals.patch,
      debian/patches/change-signal-syntax.patch: Parse signal rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/change-ptrace-syntax.patch,
      debian/patches/mediate-ptrace.patch: Parse ptrace rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/test-signal-rules.patch,
      debian/patches/test-ptrace-rules.patch,
      debian/patches/update-tests-for-new-semantics.patch: Update existing
      tests and add new tests for signal and ptrace mediation
    + debian/patches/fix-garbage-in-preprocessor-output.patch: Fix bug causing
      apparmor_parser preprocessor output to contain garbage after include
      statements
    + debian/patches/fix-double-comma-in-preprocessor-output.patch: Fix bug
      causing apparmor_parser preprocessor output to contain double commas
      after some rules
    + debian/patches/symtab-tests-and-seenlist-bug.patch,
      debian/patches/add-profile-name-variable.patch: Add ${profile_name}
      variable for use in profiles when rules need to specify the current
      profile's name. This is useful for signal and ptrace rules that specify
    + debian/patches/fix-names-treated-as-condlistid.patch: Fix
      apparmor_parser bug that caused mount and dbus rules to fail for sets of
      values

  [ Jamie Strandboge ]
  * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch:
    Adjust the base abstraction for signals and ptrace mediation. Profiles
    that use the base abstraction can deny any of the granted permissions to
    achieve tighter confinement.
  * debian/patches/manpage-signal-ptrace.patch: Update the apparmor.d man
    page to document signal rules, ptrace rules, and variables for use in
    AppArmor profiles
  * debian/patches/dnsmasq-libvirtd-signal-ptrace.patch: Update the dnsmasq
    profile to allow libvirtd to send signals to and ptrace read the dnsmasq
    process
  * debian/patches/update-chromium-browser.patch: Adjust the chromium-browser
    profile for permissions needed in newer chromium-browser versions and add
    the rules needed for AppArmor ptrace mediation

  [ Tyler Hicks ]
  * Add new rule type support to aa.py to fix tracebacks when using the Python
    utilities in apparmor-utils on systems with AppArmor profiles containing
    previously unsupported rule types
    - debian/patches/python-utils-file-support.patch: Support path rules
      containing the "file" prefix (LP: #1295346)
    - debian/patches/python-utils-signal-support.patch: Parse and write signal
      rules (LP: #1300316)
    - debian/patches/python-utils-ptrace-support.patch: Parse and write ptrace
      rules (LP: #1300317)...


Changed in apparmor (Ubuntu):
status: Triaged → Fix Released
Tyler Hicks (tyhicks)
Changed in apparmor:
assignee: nobody → Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in apparmor:
status: Triaged → In Progress
Changed in apparmor:
milestone: none → 2.9.0
Christian Boltz (cboltz) wrote :

This bug is fixed (just tested with current bzr) - looks like nobody closed it ;-)

Changed in apparmor:
status: In Progress → Fix Committed
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released