
touch-packages team mailing list archive

[Bug 1350673] Re: System policy cache may become stale after a system image update


This bug was fixed in the package apparmor - 2.8.96~2652-0ubuntu3

---------------
apparmor (2.8.96~2652-0ubuntu3) utopic; urgency=medium

  * 08-phpsysinfo-policy-updates.patch: update for new phpsysinfo on Ubuntu
    14.10
  * 09-apache2-policy-instructions.patch: update for recent Debian/Ubuntu
    packaging
  * debian/control: update Breaks for apparmor-easyprof-ubuntu, libvirt-bin,
    and lightdm. Add Breaks on rsyslog.

apparmor (2.8.96~2652-0ubuntu2) utopic; urgency=medium

  * 07-parser-fix_local_perms.patch: do not output local permissions for rules
    that have peer_conditionals. Patch from John Johansen

apparmor (2.8.96~2652-0ubuntu1) utopic; urgency=medium

  * Updated to r2652 snapshot of 2.8.96 (LP: #1362199, LP: #1341152)

  [ Steve Beattie ]
  * removed upstreamed patches:
    - dnsmasq-libvirtd-signal-ptrace.patch
    - update-base-abstraction-for-signals-and-ptrace.patch
    - update-nameservice-abstraction-for-extrausers.patch
  - debian/apparmor-profiles.install: dropped program-chunks/postfix-common,
    moved to abstractions/ and covered by apparmor.install
  - refreshed libapparmor-layout-deb.patch patch
  * Add in Tyler Hicks' regression test improvements:
    - 01-tests-unix_socket_lists.patch,
    - 02-tests-accept_unix_rules_in_mkprofile.patch,
    - 03-tests-unix_sockets_v7_pathnames.patch,
    - 04-tests-migrate_from_poll_to_sockio_timeout.patch,
    - 05-tests-add_abstract_socket_tests.patch,
  * 07-parser-fix_local_perms.patch: do not output local permissions
    for rules that have peer_conditionals

  [ Jamie Strandboge ]
  * add-chromium-browser.patch: update for unix socket mediation
  * drop-peer_addr-with-local-addr-in-base.patch: don't use peer=(addr=none)
    with getattr, getopt, setopt and shutdown

  [ Tyler Hicks ]
  * debian/lib/apparmor/functions, debian/apparmor.init,
    debian/apparmor.upstart: Ensure system policy cache cannot become stale
    after image based upgrades that update the system profiles (LP: #1350673)
  * parser-include-usr-share-apparmor.patch, debian/apparmor.install: Adjust
    the default parser.conf file, to add /usr/share/apparmor as an additional
    search path when resolving include directives in profiles, and install the
    file in /etc/apparmor. Ubuntu places hardware specific access rules in
    /usr/share/apparmor/hardware. This change allows these files to be
    included without using an absolute path (e.g.,
    '#include <hardware/graphics.d>').
 -- Jamie Strandboge <jamie@xxxxxxxxxx>   Mon, 08 Sep 2014 16:13:10 -0500

** Changed in: apparmor (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1350673

Title:
  System policy cache may become stale after a system image update

Status in “apparmor” package in Ubuntu:
  Fix Released

Bug description:
  The system policy cache, in /etc/apparmor.d/cache, may become stale if
  a certain sequence of events occurs at the correct time.

  1. Ubuntu developer modifies a profile and uploads a new apparmor package
  2. New apparmor package, with an updated profile, is used to build a new system image
  3. System policy cache on user's system gets regenerated
  4. User applies image update

  After 4), the timestamps on the files in the user's system policy
  cache will be newer than the timestamps on system profiles. The parser
  will not be able to detect that it ought to regenerate the policy
  cache so it will load the cached, but stale, binary policies.

  This can result in unexpected AppArmor denials if, for example, the
  apparmor package update loosens the confinement. On the flip side, it
  can result in a looser than expected confinement if the update further
  restricts confinement.

  The fix is to update the apparmor.conf upstart job to call
  clear_cache() if the apparmor package has been updated since the last
  time the job was invoked.

  Additionally, we may want to update the parser itself to manually set
  the mtime of a generated binary cache file to the earliest mtime seen
  while compiling the profile (this includes the mtime of the profile
  itself as well as any #include's).
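
The following Python script is an added illustration and is not code from the bug report or from the apparmor package. It models the mtime-based validity check the description relies on, replays the four-step sequence above with constructed timestamps, and then shows the two mitigations the description mentions: pinning a freshly written cache file's mtime to the earliest source mtime (the proposed parser-side change), and clearing the cache whenever the installed package version differs from the one recorded at the previous run (a stamp-file model of the job-side fix; the real functions script may record this differently). "Compiling" a profile is stood in for by concatenating its sources; the file names, versions and timestamps are all constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed model of AppArmor's mtime-based cache validity rule: a cached
# binary is trusted when it is at least as new as the profile and every file
# the profile includes. This is illustrative code, not the parser's own.


def newest_mtime(paths):
    """Newest mtime among a profile and the files it #includes."""
    return max(os.stat(p).st_mtime for p in paths)


def oldest_mtime(paths):
    """Earliest mtime among a profile and the files it #includes."""
    return min(os.stat(p).st_mtime for p in paths)


def cache_is_stale(cache, sources):
    """Naive check: the cache is valid unless some source is newer than it."""
    if not os.path.exists(cache):
        return True
    return newest_mtime(sources) > os.stat(cache).st_mtime


def write_cache(cache, sources, pin_to_oldest_source=False):
    """'Compile' the sources into the cache file (here: concatenate them).

    With pin_to_oldest_source, the cache's mtime is set to the earliest source
    mtime, the parser-side mitigation proposed in the bug description.
    """
    Path(cache).write_bytes(b"".join(Path(s).read_bytes() for s in sources))
    if pin_to_oldest_source:
        t = oldest_mtime(sources)
        os.utime(cache, (t, t))


def simulate_image_update(pin_cache_mtime):
    """Replay steps 1-4 from the report with constructed timestamps and return
    whether the validity check notices the stale cache afterwards."""
    with tempfile.TemporaryDirectory() as d:
        profile = os.path.join(d, "usr.bin.example")   # constructed name
        include = os.path.join(d, "abstractions_base")  # constructed name
        cache = os.path.join(d, "cache", "usr.bin.example")
        os.mkdir(os.path.dirname(cache))

        # t=1000: old profile and abstraction installed on the user's system.
        Path(include).write_text("# base abstraction (constructed)\n")
        Path(profile).write_text("/usr/bin/example { /etc/old r, }\n")
        os.utime(include, (1000, 1000))
        os.utime(profile, (1000, 1000))

        # t=2000: steps 1-2, the changed profile is built into a new image.
        # t=3000: step 3, the user's cache is regenerated from the OLD profile.
        write_cache(cache, [profile, include], pin_to_oldest_source=pin_cache_mtime)
        if not pin_cache_mtime:
            os.utime(cache, (3000, 3000))

        # Step 4: the image update lands the new profile with its build-time
        # mtime (2000), which is older than the cache written at 3000.
        Path(profile).write_text("/usr/bin/example { /etc/new r, }\n")
        os.utime(profile, (2000, 2000))
        return cache_is_stale(cache, [profile, include])


def cache_needs_clearing(stamp_file, installed_version):
    """Job-side mitigation, modelled as a version stamp (an assumption about
    how the fix can be expressed): clear the cache whenever the installed
    apparmor package version differs from the one seen at the previous run."""
    previous = Path(stamp_file).read_text().strip() if os.path.exists(stamp_file) else None
    Path(stamp_file).write_text(installed_version)
    return previous != installed_version


def simulate_version_stamp():
    """First run (no stamp), same version again, then a package upgrade."""
    with tempfile.TemporaryDirectory() as d:
        stamp = os.path.join(d, "apparmor-version.stamp")  # constructed name
        return [
            cache_needs_clearing(stamp, "2.8.96~2652-0ubuntu2"),
            cache_needs_clearing(stamp, "2.8.96~2652-0ubuntu2"),
            cache_needs_clearing(stamp, "2.8.96~2652-0ubuntu3"),
        ]


if __name__ == "__main__":
    print("naive check detects stale cache:", simulate_image_update(False))
    print("pinned-mtime check detects it:  ", simulate_image_update(True))
    print("clear cache on version change:  ", simulate_version_stamp())
```

With the naive rule the replayed update leaves a cache dated 3000 beside a profile dated 2000, so the stale binary is loaded silently; pinning the cache mtime to the earliest source mtime (1000) makes the new profile look newer and forces a recompile, and the version stamp clears the cache on the package upgrade regardless of timestamps.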

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1350673/+subscriptions
