touch-packages team mailing list archive

Thread
Date

[Bug 1432045] Re: pivot_root audit modifier ignored when oldroot and newroot specified

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1432045@xxxxxxxxxxxxxxxxxx>
Date: Mon, 30 Mar 2015 22:11:35 -0000
Reply-to: Bug 1432045 <1432045@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package apparmor - 2.9.1-0ubuntu8

---------------
apparmor (2.9.1-0ubuntu8) vivid; urgency=medium

  [ Steve Beattie ]
  * debian/rules: run make check on the libapparmor library
  * add-chromium-browser.patch: add support for chromium policies
    (LP: #1419294)
  * debian/apparmor.{init,upstart}: add support for triggering
    aa-profile-hook runs when packages are updated via snappy system
    image updates (LP: #1434143)
  * parser-fix_modifier_compilation_+_tests.patch: fix compilation
    of audit modifiers for exec and pivot_root and deny modifiers on
    link rules as well as significantly expand related tests
    (LP: #1431717, LP: #1432045, LP: #1433829)
  * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work
    around pivot_root test failures due to init=systemd (LP: #1436109)
  * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority
    file to X abstraction (LP: #1432126)

  [ Jamie Strandboge ]
  * easyprof-framework-policy.patch: add --include-templates-dir and
    --include-policy-groups-dir options to easyprof to support framework
    policy on snappy

  [ Robie Basak ]
  * Add /lib/apparmor/profile-load; moved from
    /lib/init/apparmor-profile-load from the upstart package. A wrapper at
    the original path is now provided by init-system-helpers. (LP: #1432683)
 -- Jamie Strandboge <jamie@xxxxxxxxxx>   Sat, 28 Mar 2015 07:22:30 -0500

** Changed in: apparmor (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1432045

Title:
  pivot_root audit modifier ignored when oldroot and newroot specified

Status in AppArmor Linux application security framework:
  Confirmed
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  $ echo "/t { pivot_root oldroot=/ /a, }" | apparmor_parser -qS | md5sum
  422b222b6608dff7aca3420062aad3db  -
  $ echo "/t { audit pivot_root oldroot=/ /a, }" | apparmor_parser -qS | md5sum
  422b222b6608dff7aca3420062aad3db  -
  $ echo "/t { audit deny pivot_root oldroot=/ /a, }" | apparmor_parser -qS | md5sum
  9e598c327781b16acdab2d3e939279ec  -

  Note that the audit modifier doesn't change the binary policy file but
  the audit deny modifier does.

  Also, the binary policy file changes as expected on "audit
  pivot_root," and "audit pivot_root oldroot=/,". That is, this bug only
  seems to happen when oldroot and newroot are both specified.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1432045/+subscriptions