[pkg-apparmor] Bug#858768: apparmor: CVE-2017-6507

Antoine Beaupre anarcat at orangeseeds.org
Mon Mar 27 21:04:33 UTC 2017


Control: found -1 2.7.103-4
Control: notfound -1 2.9.0-3

Here's some more information about that security issue that I could
glean from testing and other sources.

To reproduce this in wheezy, you first need to install apparmor:

apt-get install apparmor apparmor-profiles
sed -i -e 's/GRUB_CMDLINE_LINUX_DEFAULT="/&security=apparmor /' /etc/default/grub
update-grub
reboot
# check that apparmor is running
sudo service apparmor status

then you can use the reproducer provided here:

https://bugs.launchpad.net/apparmor/+bug/1668892/comments/12

which is, basically:

$ echo "profile test {}" | sudo apparmor_parser -qr
$ sudo grep "test (enforce)" /sys/kernel/security/apparmor/profiles
test (enforce)
$ sudo service apparmor restart
$ sudo grep "test (enforce)" /sys/kernel/security/apparmor/profiles

The above is an edited quote from a wheezy system, which shows wheezy is
vulnerable.

Jessie, on the other hand, does not seem to be vulnerable:

root@jessie:/home/vagrant# echo "profile test {}" | sudo apparmor_parser -qr
root@jessie:/home/vagrant# grep "test (enforce)" /sys/kernel/security/apparmor/profiles
test (enforce)
root@jessie:/home/vagrant# service apparmor restart
root@jessie:/home/vagrant# grep "test (enforce)" /sys/kernel/security/apparmor/profiles
test (enforce)
root@jessie:/home/vagrant#

It is unclear why wheezy is affected and not jessie.

This issue, however, takes effect only when Apparmor is actually in use
by third-party, non-default rules. This is the case for dynamic rules
loaded by Docker and LXC, for example.

I am not sure Docker is really supported in Debian. The Docker.io
package is badly out of shape and is not in testing anymore. It has 7
open RC bugs there. It's not in stable and the backport is out of
date, so the impact for docker is limited. Besides, if anyone is
trusting Docker to contain execution, they are probably mistaken
anyways.

LXC, however, is in Debian, all the way back into Wheezy, so it's more
of a concern. The impact here is that people running VMs under LXC would
lose any sort of isolation as soon as apparmor is restarted, either
through a package upgrade or an operator manipulation.

However, according to Wikipedia, kernels before 3.8 do not allow for
proper isolation, and a root user in an LXC could escape into the host,
as root:

    https://en.wikipedia.org/wiki/LXC#Security

This makes the impact of this issue somewhat limited on wheezy, as
there are already other more nasty ways to escape those old and insecure
LXC restrictions. I would be ready to assume that no one runs LXC under
wheezy and assume proper isolation.

Jessie, however, does ship with a kernel newer than 3.8 (3.16) and a 1.0
LXC which is supposed to offer good isolation protection, although it's
not clear to me that the Debian configuration actually does offer this.

I will therefore mark the issue as <no-dsa> (Experimental/unsupported
feature) in wheezy, and recommend to mark the issue as "<not-affected>
(?)" in jessie once my tests are confirmed by a third-party.

A.
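The reproducer above, wrapped into a check an operator can run on a host before relying on runtime-loaded profiles (LXC, Docker). This is an added example, not code from the bug report or from the apparmor package; it assumes the `apparmor_parser` and `service apparmor restart` commands shown above, root privileges, and a constructed probe profile name.

```python
"""Does `service apparmor restart` drop loaded profiles? (CVE-2017-6507)

Hypothetical checker, not part of the bug report. It loads a throwaway
profile the way the reproducer does, snapshots the kernel's profile
list around a service restart, and reports every profile that vanished
(the probe, or real LXC/Docker rules loaded at runtime).
"""
import subprocess

PROFILES_PATH = "/sys/kernel/security/apparmor/profiles"
PROBE = "restart-probe"  # constructed name for the throwaway profile


def parse_profiles(text):
    """Parse the kernel's listing ("name (mode)" per line) into {name: mode}.

    A name may contain spaces or "//" hat separators, so split on the last " (".
    """
    profiles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith(")") or " (" not in line:
            continue  # blank line or an unrecognised entry
        name, mode = line.rsplit(" (", 1)
        profiles[name] = mode[:-1]
    return profiles


def dropped_profiles(before, after):
    """Return {name: mode} for profiles present before but missing after."""
    survivors = parse_profiles(after)
    return {n: m for n, m in parse_profiles(before).items() if n not in survivors}


def live_check():
    """Run the reproducer on this host (needs root and AppArmor enabled)."""
    probe = f"profile {PROBE} {{}}\n"
    subprocess.run(["apparmor_parser", "-qr"], input=probe, text=True, check=True)
    before = open(PROFILES_PATH).read()
    subprocess.run(["service", "apparmor", "restart"], check=True)
    after = open(PROFILES_PATH).read()
    lost = dropped_profiles(before, after)
    for name, mode in sorted(lost.items()):
        print(f"dropped by restart: {name} ({mode})")
    # Remove the probe if it survived; ignore the error if it was already gone.
    subprocess.run(["apparmor_parser", "-R"], input=probe, text=True)
    return lost


if __name__ == "__main__":
    raise SystemExit(1 if live_check() else 0)
```

An empty result means the restart kept every profile (the jessie behaviour above); a non-empty one means the host behaves like wheezy and runtime-loaded rules are lost.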