pivot_root audit modifier ignored when oldroot and newroot specified

Bug #1432045 reported by Tyler Hicks
This bug affects 1 person
Affects            Status         Importance  Assigned to  Milestone
AppArmor           Fix Released   Low         Unassigned
apparmor (Ubuntu)  Fix Released   Undecided   Unassigned

Bug Description

$ echo "/t { pivot_root oldroot=/ /a, }" | apparmor_parser -qS | md5sum
422b222b6608dff7aca3420062aad3db -
$ echo "/t { audit pivot_root oldroot=/ /a, }" | apparmor_parser -qS | md5sum
422b222b6608dff7aca3420062aad3db -
$ echo "/t { audit deny pivot_root oldroot=/ /a, }" | apparmor_parser -qS | md5sum
9e598c327781b16acdab2d3e939279ec -

Note that the audit modifier doesn't change the binary policy file but the audit deny modifier does.

Also, the binary policy file changes as expected on "audit pivot_root," and "audit pivot_root oldroot=/,". That is, this bug only seems to happen when oldroot and newroot are both specified.
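
The comparison above, generalized into a repeatable check over the three pivot_root rule forms the description names. This is an added example, not part of the original report or of the AppArmor test suite. It compares the compiled output byte for byte with cmp rather than md5sum; the PARSER variable, the function names and the --run switch are assumptions of this example.

```shell
#!/bin/sh
# Assumption of this example: PARSER reads profile text on stdin and writes the
# compiled policy to stdout. The default is the command line used in the report.
: "${PARSER:=apparmor_parser -qS}"

# compile_rule RULE OUTFILE: wrap RULE in the report's /t profile and compile it.
compile_rule() {
    printf '/t { %s, }\n' "$1" | $PARSER > "$2"
}

# audit_takes_effect RULE
#   0: "audit RULE" compiles to different bytes than "RULE"
#   1: identical output, i.e. the audit modifier was ignored
#   2: the parser rejected one of the two profiles
audit_takes_effect() {
    dir=$(mktemp -d) || return 2
    if compile_rule "$1" "$dir/plain" && compile_rule "audit $1" "$dir/audit"; then
        if cmp -s "$dir/plain" "$dir/audit"; then status=1; else status=0; fi
    else
        status=2
    fi
    rm -rf "$dir"
    return "$status"
}

# Check the three pivot_root forms from the report.
# Returns 0 if audit changed every policy, 1 if any was ignored, 2 on parser error.
check_pivot_root_rules() {
    ignored=0
    for rule in "pivot_root" "pivot_root oldroot=/" "pivot_root oldroot=/ /a"; do
        rc=0
        audit_takes_effect "$rule" || rc=$?
        case $rc in
            0) echo "ok       audit changes the policy for: $rule" ;;
            1) echo "IGNORED  audit has no effect on: $rule"; ignored=$((ignored + 1)) ;;
            *) echo "ERROR    parser failed on: $rule" >&2; return 2 ;;
        esac
    done
    [ "$ignored" -eq 0 ]
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_pivot_root_rules
fi
```

On a parser with this bug the third rule form is reported as IGNORED; on a fixed parser all three report ok.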

Tyler Hicks (tyhicks) wrote :

Automated tests for this bug can be found here:

  https://lists.ubuntu.com/archives/apparmor/2015-March/007412.html

Tyler Hicks (tyhicks)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.9.1-0ubuntu8

---------------
apparmor (2.9.1-0ubuntu8) vivid; urgency=medium

  [ Steve Beattie ]
  * debian/rules: run make check on the libapparmor library
  * add-chromium-browser.patch: add support for chromium policies
    (LP: #1419294)
  * debian/apparmor.{init,upstart}: add support for triggering
    aa-profile-hook runs when packages are updated via snappy system
    image updates (LP: #1434143)
  * parser-fix_modifier_compilation_+_tests.patch: fix compilation
    of audit modifiers for exec and pivot_root and deny modifiers on
    link rules as well as significantly expand related tests
    (LP: #1431717, LP: #1432045, LP: #1433829)
  * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work
    around pivot_root test failures due to init=systemd (LP: #1436109)
  * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority
    file to X abstraction (LP: #1432126)

  [ Jamie Strandboge ]
  * easyprof-framework-policy.patch: add --include-templates-dir and
    --include-policy-groups-dir options to easyprof to support framework
    policy on snappy

  [ Robie Basak ]
  * Add /lib/apparmor/profile-load; moved from
    /lib/init/apparmor-profile-load from the upstart package. A wrapper at
    the original path is now provided by init-system-helpers. (LP: #1432683)
 -- Jamie Strandboge <email address hidden> Sat, 28 Mar 2015 07:22:30 -0500

Changed in apparmor (Ubuntu):
status: New → Fix Released
Steve Beattie (sbeattie) wrote :

A fix was committed for this in AppArmor upstream in trunk revision 2901 and on the 2.9 branch in revision 2870.

Changed in apparmor:
status: Confirmed → Fix Committed
milestone: none → 2.9.2
Steve Beattie (sbeattie)
Changed in apparmor:
status: Fix Committed → Fix Released