Upcoming AppArmor Security update for CVE-2016-1585

When mediation of mount syscall operations was added to AppArmor, the translation of written policy into data structures for use by the Linux kernel to enforce mount restrictions was flawed, resulting in looser permissions than was intended by policy. This could possibly allow an attacker to bypass AppArmor restrictions in a confined application where some mount operations were permitted; policies that do not allow any mount operations are not affected. This issue was assigned CVE-2016-1585.

We will be addressing this issue with a security update for the AppArmor userspace utilities for Ubuntu 22.04 LTS (jammy) and Ubuntu 20.04 LTS (focal) that perform this translation of policy. However, because this will result in existing policies that make use of mount permissions being enforced more strictly, this may result in applications confined by such policies to be prevented from performing mount operations that they previously were allowed to do. Most applications confined by AppArmor do not need to perform mount operations and as such, their policies will not contain any rules allowing mount operations and are thus unaffected by this issue. However, this update may have a particular impact on container managers where mount policies are commonly used. Therefore we will be making this update available for testing in the proposed pockets for each affected release so that they are available for testing in environments where mount permissions are used in AppArmor policy.

Versions in the Ubuntu proposed pockets:

To install the apparmor package for testing, enable the appropriate proposed archive (jammy-proposed or focal-proposed), update your apt metadata information, and then do:

apt install apparmor/jammy-proposed


apt install apparmor/focal-proposed

as appropriate.

Identifying potential affected AppArmor policies

AppArmor rules that might be affected begin with the keyword mount and some options (a bare mount keyword allows all mount operations in the policy); an example rule might look like:

  mount options=(rw,make-shared) -> **,

Searching for the mount keyword in /etc/apparmor.d/ can be helpful in identifying which applications might be affected. Please see the “Mount Rules” section in the apparmor.d(5) man
for more details about mount policy rules and their syntax.

Running typical applications with the fixed AppArmor may turn up new AppArmor denials with the tighter policy generation; these rejections will show up either in the system logs or if the audit daemon is used, in audit logs.

Mount operation denial examples

An example of a new mount failure occurring when an instance of the virtual proc file system is prevented from being mounted on /tmp/mountpoint/:

Example command:

mount -t proc proc /tmp/mountpoint

Example denial log entry:

audit: type=1400 audit(1712821125.380:3499): apparmor="DENIED" operation="mount" info="failed perms check" error=-13 \
profile="an_application_profile" name="/tmp/mountpoint/" pid=84181 comm="mount" fstype="proc" srcname="proc"

This could be addressed by adding the following rule to the AppArmor policy:

  mount fstype=proc -> /tmp/mountpoint/,

Do note that the trailing / is necessary when referring to the mount point directory.

Another example denial when attempting to bind mount a directory /var/application/data/ to an alternate location, /tmp/mountpoint/:

Example command:

mount -o rw,bind /var/application/data/ /tmp/mountpoint

Example denial log entry:

AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="an_application_profile" \
name="/tmp/mountpoint/" pid=229722 comm="mount" srcname="/var/application/data/" flags="rw, bind"

Possible AppArmor policy rule:

  mount options=(rw,bind) /var/application/data/ -> /tmp/mountpoint/,

These are the type of log events that would indicate the policy needs to be updated. The policy must be reloaded before it will apply. Use apparmor_parser --replace for this, either individual policies with:

apparmor_parser --replace /etc/apparmor.d/an_application_profile

or all profiles in this directory with:

apparmor_parser --replace /etc/apparmor.d/

Timeline and Feedback

The apparmor packages are expected to be published to the security pockets during the week of April 22nd. Feedback is appreciated, either on this post or on the related bug report (LP: #1597017).