File apparmor-parser-preserve-unknown-profiles-when-restarting.diff of Package apparmor
commit 036726657294ac349d927a0c3f85184f23d80661
Author: Tyler Hicks <tyhicks@canonical.com>
Date: Fri Mar 24 05:06:07 2017 +0000
References: bsc#1029696

parser: Preserve unknown profiles when restarting apparmor init/job/unit

CVE-2017-6507
https://launchpad.net/bugs/1668892

The common AppArmor 'restart' code used by some init scripts, upstart jobs, and/or systemd units contained functionality that is no longer appropriate to retain. Any profiles not found in /etc/apparmor.d/ were assumed to be obsolete and were unloaded.

That behavior became problematic now that there's a growing number of projects that maintain their own internal set of AppArmor profiles outside of /etc/apparmor.d/. It resulted in the AppArmor 'restart' code leaving some important processes running unconfined. A couple of examples are profiles managed by LXD and Docker.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>

diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions
index ecff317..d8907ec 100644
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -451,34 +451,7 @@ __apparmor_restart() { configure_owlsm parse_profiles reload - # Clean out running profiles not associated with the current profile - # set, excluding the libvirt dynamically generated profiles. - # Note that we reverse sort the list of profiles to remove to - # ensure that child profiles (e.g. hats) are removed before the - # parent. We *do* need to remove the child profile and not rely - # on removing the parent profile when the profile has had its - # child profile names changed. - profiles_names_list | awk ' -BEGIN { - while (getline < "'${SFS_MOUNTPOINT}'/profiles" ) { - str = sub(/ \((enforce|complain)\)$/, "", $0); - if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0) - arr[$str] = $str - } -} - -{ if (length(arr[$0]) > 0) { delete arr[$0] } } -END { - for (key in arr) - if (length(arr[key]) > 0) { - printf("%s\n", arr[key]) - } -} -' | LC_COLLATE=C sort -r | while IFS= read profile ; do - echo -n "$profile" > "$SFS_MOUNTPOINT/.remove" - done - # will not catch all errors, but still better than nothing rc=$? aa_log_end_msg $rc return $rc
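Review bot: with the unload pipeline removed, the retained `rc=$?` now captures the exit status of `reload` instead of the `... | LC_COLLATE=C sort -r | while IFS= read profile ; do ... done` pipeline, so the kept comment `# will not catch all errors, but still better than nothing` no longer describes what is being checked; reword it to say the status reflects `reload` only (failures in `configure_owlsm` and `parse_profiles` are still not propagated) or drop it. The function should also document the new behaviour the removed comment warned about: profiles whose files were deleted or whose child profiles (hats) were renamed now stay loaded under their old names after `restart`, which means a stale or renamed profile is silently kept rather than cleaned up, and administrators need a separate unload step to remove it.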