[SRU] upstart script does not load AppArmor profile

Bug #573206 reported by Kees Cook
This bug affects 3 people
Affects                    Status        Importance  Assigned to   Milestone
mysql-dfsg-5.1 (Ubuntu)    Fix Released  High        Chuck Short
  Lucid                    Fix Released  High        Chuck Short
  Maverick                 Fix Released  High        Chuck Short

Bug Description

mysql is starting before apparmor, so it must load the apparmor profile on its own. On a fresh Lucid install with mysql, aa-status will report:

1 processes are unconfined but have a profile defined.
   /usr/sbin/mysqld (1346)

Kees Cook (kees)
Changed in mysql-dfsg-5.1 (Ubuntu):
milestone: none → lucid-updates
Changed in mysql-dfsg-5.1 (Ubuntu Maverick):
milestone: lucid-updates → none
Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
milestone: none → lucid-updates
status: New → Confirmed
Changed in mysql-dfsg-5.1 (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → High
Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
importance: Undecided → High
Revision history for this message
Kees Cook (kees) wrote :

The following should fix it...

Chuck Short (zulcss)
summary: - upstart script does not load AppArmor profile
+ [SRU] upstart script does not load AppArmor profile
Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
assignee: nobody → Chuck Short (zulcss)
Changed in mysql-dfsg-5.1 (Ubuntu Maverick):
assignee: nobody → Chuck Short (zulcss)
Revision history for this message
Chuck Short (zulcss) wrote :

Statement of Impact:

MySQL as shipped with Lucid is currently running unconfined. This is because apparmor has not been converted to upstart yet, whereas mysql has.

How this bug has been addressed:

apparmor has been enabled in the init script. There should be no regressions with this change.

How to reproduce:

1. Start mysql server.
2. Check to see if the profile has been enforced: aa-status

There should be no regressions with this change.

Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
assignee: Chuck Short (zulcss) → nobody
assignee: nobody → Chuck Short (zulcss)
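The symptom in the bug description and the "check aa-status" step above can be turned into a repeatable check. The following is an added example, not part of the bug report or the mysql package: it parses `aa-status` output for processes that are unconfined despite having a profile defined, using a constructed sample modelled on the output quoted in this report.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads `aa-status` output on
# stdin, prints each process that is unconfined but has a profile defined
# as "<path> <pid>", and returns 1 if any such process exists, else 0.
# On a live system:  sudo aa-status | check_unconfined_with_profile
check_unconfined_with_profile() {
    awk '
        # The header reads "N processes are unconfined but have a profile
        # defined."; the indented lines that follow list those processes.
        /processes are unconfined but have a profile defined/ { in_section = 1; next }
        # Any non-indented line ends the section.
        in_section && !/^[ \t]/ { in_section = 0 }
        in_section {
            # "   /usr/sbin/mysqld (628)" -> "/usr/sbin/mysqld 628"
            path = $1; pid = $2
            gsub(/[()]/, "", pid)
            print path, pid
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample, abbreviated from the "Before update" output in the
# report: mysqld has a profile loaded but is running unconfined.
SAMPLE_BEFORE='apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient3
   /usr/sbin/mysqld
2 processes have profiles defined.
1 processes are in enforce mode :
   /sbin/dhclient3 (810)
1 processes are unconfined but have a profile defined.
   /usr/sbin/mysqld (628)'

# Constructed sample for the fixed state: both processes are confined.
SAMPLE_AFTER='apparmor module is loaded.
2 processes are in enforce mode :
   /sbin/dhclient3 (810)
   /usr/sbin/mysqld (2126)
0 processes are unconfined but have a profile defined.'
```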
Revision history for this message
Martin Pitt (pitti) wrote :

Two questions:

 * Did we ship the same AppArmor rules in Karmic, or were they changed/tightened during lucid? In the latter case, this would be quite an extensive change, since Lucid hasn't been tested with AppArmor protection for MySQL.

 * Does the command actually enable AA protection for mysql already, or does it just cause the later startup of AA to retroactively protect the running daemon?

Revision history for this message
Chuck Short (zulcss) wrote :

Yes, we did have AppArmor rules in Karmic, and I am aware of one change during Lucid to the apparmor rules. For the second question, I am not sure.

chuck

Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Accepted mysql-dfsg-5.1 into lucid-proposed; the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
status: Confirmed → Fix Committed
tags: added: verification-needed
Revision history for this message
Chuck Short (zulcss) wrote :

Before update:

chuck@lucid-test:~$ sudo aa-status
[sudo] password for chuck:
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient3
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode :
   /sbin/dhclient3 (810)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/mysqld (628)

After update:
chuck@lucid-test:~$ sudo aa-status
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient3
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode :
   /sbin/dhclient3 (810)
   /usr/sbin/mysqld (2126)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined

Revision history for this message
Chuck Short (zulcss) wrote :

Gah...yes this fixes the problem.

chuck

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.1 - 5.1.41-3ubuntu12.1

---------------
mysql-dfsg-5.1 (5.1.41-3ubuntu12.1) lucid-proposed; urgency=low

  * debian/mysql-server-5.1.mysql.upstart: load AppArmor profile since
    mysql can start before AppArmor now (LP: #573206).
 -- Kees Cook <email address hidden> Sat, 01 May 2010 12:06:10 -0700

Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote :

Copied to maverick.

Changed in mysql-dfsg-5.1 (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
status: Fix Released → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mysql-dfsg-5.1 - 5.1.41-3ubuntu12.1

---------------
mysql-dfsg-5.1 (5.1.41-3ubuntu12.1) lucid-proposed; urgency=low

  * debian/mysql-server-5.1.mysql.upstart: load AppArmor profile since
    mysql can start before AppArmor now (LP: #573206).
 -- Kees Cook <email address hidden> Sat, 01 May 2010 12:06:10 -0700

Changed in mysql-dfsg-5.1 (Ubuntu Lucid):
status: Fix Committed → Fix Released