[apparmor] [16.04 LTS]: missing /proc/$pid/{auxv, status} files (glibc's *printf protections) in base abstractions?

John Johansen john.johansen at canonical.com
Sun Apr 15 07:01:02 UTC 2018


On 03/12/2018 11:59 AM, daniel curtis wrote:
> Hello.
> 
> I would like to ask a question about the glibc-needed files, that are
> still missing in the 'abstractions/base' file. There is a bug report
> on Launchpad reported by Mr Kees Cook on 2017-01-20 (see [1]). As we
> can see, "Status" for a Xenial release is marked as "Fix Released" in
> AppArmor v2.10.3 (please see below for a latest version available in
> 16.04 LTS)
> 
> Referring to the above information, I would like to ask if missing
> rule can be added, for example, by hand? I mean: editing
> 'abstractions/base' file and add a proper, new files etc. What do you
> think? So, if it's okay, to make such a change by hand, it should
> looks this way?
> 
yes you can change it by hand. On ubuntu it is treated as a conf file,
so packaging on an update will detect you have made a change and ask
whether you want to keep your version or the maintainer's version,
or at least create a dpkg backup file.

>   # glibc's *printf protections read the maps file
> - @{PROC}/@{pid}/maps            r,
> 
>   # glibc's *printf protections read the maps file
> + @{PROC}/@{pid}/{maps,auxv,status} r,
> 
> Am I right? I'm a little confused, because on Launchpad, AppArmor
yes that would be fine

> version with fix released is v2.10.3 (released on 2017-10-19) while
> the latest version is different (see below). But maybe I'm wrong and
> everything is okay and {auxv,status} files should not be added to the
> '@{PROC}/@{pid}/' rules in a 'base' abstractions file?
> 
so while ubuntu packaging is based on the upstream tar ball, they also
provide their own patches on top.

So let's break down the ubuntu version you provided:

AppArmor: v2.10.95-0ubuntu2.9

v2.10.95 - is one of the apparmor 2.11 beta releases; the numbering
scheme is unfortunate but is due to wanting it to work with multiple
package managers. Anything above a .90 will indicate a beta for the
next release.

the @ubuntu2.9 is an ubuntu specific version that they can increment
as they add patches to the ubuntu apparmor package.

Basically apparmor upstream had not done the final 2.11 release by
the time ubuntu needed to release. So they took the beta and then
added patches and fixes on top as made sense for them. That release
likely has all or almost all of the patches that went into the 2.11
release; it's just easier for them to inspect and gate through
individual patches than a whole new release tar ball after freeze (or
release).


> So, what should I do? Can I add a new two files just as it's shown in
> a second rule above?
> 
yes you can.

> Thanks, best regards.
> 
> ● AppArmor: v2.10.95-0ubuntu2.9 (updated on Mon, Mar 12., 2018)
> ● Linux: v4.4.0-116-generic (4.4.98)
> 
> Thanks, best regards.
> __________________
> 1. https://bugs.launchpad.net/apparmor/+bug/1658239
> 
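A check of what the two rule lines quoted in this thread actually grant, as an added example (not code from the thread or from the AppArmor project): it expands AppArmor brace alternations and globs and tests whether a concrete /proc path would be readable under each rule. The values substituted for @{PROC} and @{pid} are assumptions here; real profiles take them from the tunables files.

```python
import re

# Constructed sample: the 'before' and 'after' abstractions/base rule lines
# quoted in the thread (not the whole abstraction file).
RULE_BEFORE = "@{PROC}/@{pid}/maps            r,"
RULE_AFTER = "@{PROC}/@{pid}/{maps,auxv,status} r,"

# Assumed variable values; real profiles get these from tunables/global
# and tunables/proc, where @{pid} may be a more elaborate pattern.
VARIABLES = {"@{PROC}": "/proc", "@{pid}": "[0-9]*"}

# A simple file rule: <path> <perms>, with an optional trailing comment.
FILE_RULE = re.compile(r"^\s*(\S+)\s+([rwmklixPUCpuc]+)\s*,\s*$")


def expand_braces(path):
    """Expand {a,b,c} alternations (innermost first) into a list of paths."""
    m = re.search(r"\{([^{}]*)\}", path)
    if not m:
        return [path]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(path[:m.start()] + alt + path[m.end():]))
    return expanded


def parse_file_rule(line):
    """Return (expanded paths, perms) for a file rule, or None for other lines."""
    m = FILE_RULE.match(line.split("#", 1)[0])
    if not m:
        return None
    path, perms = m.groups()
    for var, value in VARIABLES.items():   # substitute before brace expansion
        path = path.replace(var, value)
    return expand_braces(path), perms


def glob_to_regex(pattern):
    """Translate an AppArmor path glob: * stops at '/', ** does not, [..] is a class."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out += "[^/]*"
        elif c == "?":
            out += "[^/]"
        elif c == "[":
            j = pattern.index("]", i)
            out += pattern[i:j + 1]
            i = j
        else:
            out += re.escape(c)
        i += 1
    return re.compile("^" + out + "$")


def grants_read(rule_lines, target):
    """True if any rule line grants 'r' on the concrete target path."""
    for line in rule_lines:
        parsed = parse_file_rule(line)
        if parsed is None:
            continue
        paths, perms = parsed
        if "r" in perms and any(glob_to_regex(p).match(target) for p in paths):
            return True
    return False
```

Run against both rule lines, the old rule covers only /proc/<pid>/maps while the new one also admits auxv and status, which is the gap the Launchpad bug describes.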