Bug 995594 (CVE-2016-1585) - VUL-0: CVE-2016-1585: apparmor: mount rules grant excessive permissions
Summary: VUL-0: CVE-2016-1585: apparmor: mount rules grant excessive permissions
Status: RESOLVED INVALID
Alias: CVE-2016-1585
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Goldwyn Rodrigues
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/172158/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-25 14:40 UTC by Marcus Meissner
Modified: 2017-07-13 22:35 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-08-25 14:40:26 UTC 
CVE-2016-1585

The rule
  mount options=(rw,make-slave) -> **,

ends up allowing
  mount -t proc proc /mnt

which it shouldn't as it should be restricted to commands with a make-slave flag

References:
https://bugs.launchpad.net/apparmor/%2Bbug/1597017
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1585
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1585.html
Comment 1 Marcus Meissner 2016-08-25 14:41:22 UTC 
not sure which parser versions even allow that, its probably not in the older ones.
Comment 2 Marcus Meissner 2016-08-25 14:46:14 UTC 
seems to have been introduced in 2.8 . that would make sle12 and opensuse affected.
Comment 3 Christian Boltz 2016-08-25 15:51:36 UTC 
The kernel code to handle mount rules is currently only in the Ubuntu kernel (not upstream, also not in openSUSE). Therefore I doubt we are affected because apparmor_parser will only honor mount rules if the kernel supports them.

Nevertheless I'M CC'ing John Johansen (one of the upstream developers who focuses on apparmor_parser and the AppArmor kernel code) - John, please correct me if the above is wrong ;-)
Comment 4 Swamp Workflow Management 2016-08-25 22:00:24 UTC 
bugbot adjusting priority
Comment 5 Johannes Segitz 2017-07-13 15:21:17 UTC 
.