ACK/Cmt: [SRU][P][PATCH v3 0/1] kernel panic when reloading apparmor 5.0.0 profiles

Thibault Ferrante thibault.ferrante at canonical.com
Wed Aug 13 09:11:44 UTC 2025 



On 13/08/2025 09:56, Mehmet Basaran wrote:
> SRU Justification:
Missing the buglink in the coverletter:

BugLink: https://bugs.launchpad.net/bugs/2120233> 
> [Impact]
> 
> Profile loads containing the attach_disconnected.path policy flag can cause the kernel to panic if such a profile is loaded into the kernel and subsequently replaced or removed.
> 
> [Fix]
> 
> Apply attached patch
> UBUNTU: SAUCE: apparmor5.0.0 [94/93]: apparmor: prevent pro file->disconnected double free in aa_free_profile
> 
> [Test Plan]
> 
> download attached file trigger-lp2120233.profile and run the following script.
> The loop is not necessarily needed to trigger the bug, it will often trigger
> immediately. However because it is a double free, unless memory debugging is enable it may not trigger immediately. Looping however can reliably trigger it.
> 
> for i in 1 2 3 4 5; do ;
>     sudo apparmor_parser -r trigger-lp2120233.profile
>     sudo apparmor_parser -R trigger-lp2120233.profile
> done
> 
> The apparmor_parser -R step will trigger the a kernel ops/panic. If the kernel is patched there shouldn't be an oops.
> 
> [Where problems could occur]
> 
> The bug can be triggered by any action that replaces a profile with the
> attach_disconnected.path policy flag. Currently this would be:
> - the lsof profile in apparmor 5.0
> - custom created profiles containing the attach_disconnected.path policy flag.
> 
> Once a profile with the above flag is set. Any action causing profile replacement/removal of the profile will trigger the bug. This includes
> 
> - manually replacing/removing profiles via the apparmor_parser
> - systemctl restart apparmor
> - upgrading apparmor_5.0.0~alpha1-0ubuntu1 to an apparmor_package that is
>     not aware of the issue.
> - release upgrading between plucky & questing if a profile with the problematic attach_disconnected.path policy flag has been loaded (not the case with default policy).
> - running the qa-regression-testing suit
> 
> [Other Info]
> 
> Installing, or upgrading the kernel should not cause the bug to trigger.
> 
> Shutting down, or reboot the system should not trigger the bug because apparmor does not unload profiles during systemctl stop apparmor.
> 
> This bug can be triggered by the qa-regression-testing suit. If a profile containing attach_disconnected.path is present in /etc/apparmor.d/ even when the profile is disabled because the qa-regression-testing suit will attempt to enable and test all disabled profiles.
> 
> There is a separate fix being applied to qa-regression-testing to ensure it doesn't trigger this bug.
> 
> Originally John Johansen <john.johansen at canonical.com> sent this patch.
> 
> Mehmet Basaran (1):
>    UBUNTU: SAUCE: apparmor5.0.0 [94/93]: apparmor: prevent
>      profile->disconnected double free in aa_free_profile
> 
>   security/apparmor/policy.c | 9 ++++++++-
>   1 file changed, 8 insertions(+), 1 deletion(-)
> 
> --
> 2.43.0
> 

Acked-by: Thibault Ferrante <thibault.ferrante at canonical.com>

More information about the kernel-team mailing list