Bugzilla – Bug 995594
VUL-0: CVE-2016-1585: apparmor: mount rules grant excessive permissions
Last modified: 2017-07-13 22:35:50 UTC
mount options=(rw,make-slave) -> **,
ends up allowing
mount -t proc proc /mnt
which it shouldn't, as it should be restricted to commands with a make-slave flag.
Not sure which parser versions even allow that; it's probably not in the older ones.
Seems to have been introduced in 2.8. That would make SLE12 and openSUSE affected.
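To make the intended semantics of the rule in the report concrete, here is an added example (not part of the bug report and not apparmor_parser's own code): a hypothetical, simplified model in which an `options=(...)` list means every listed option must be present on the mount request, and the `->` target is matched as an AppArmor-style glob (`*` stays within one path component, `**` crosses them). It parses mount(8)-style command lines and shows that `mount -t proc proc /mnt` does not satisfy `options=(rw,make-slave)`, while a `--make-slave` mount does. The option-matching semantics and the command-line parsing are assumptions of this model, not a reproduction of the parser's DFA compilation.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


# Hypothetical simplified model of an AppArmor mount rule (assumption: 'options='
# lists flags that must ALL be present on the request; globs for fstype/mountpoint).
@dataclass(frozen=True)
class MountRule:
    options: FrozenSet[str]
    mountpoint: str = "**"
    fstype: str = "**"


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an AppArmor-style glob: '*' stays within one path component, '**' crosses '/'."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def normalize_options(options) -> FrozenSet[str]:
    """A mount without 'ro' is read-write, so 'rw' is implied (as in mount(8))."""
    opts = frozenset(o.strip() for o in options if o.strip())
    if "ro" not in opts:
        opts = opts | {"rw"}
    return opts


def parse_mount_cmd(argv: List[str]) -> Tuple[str, str, FrozenSet[str]]:
    """Parse a mount(8)-style command line into (fstype, mountpoint, options).

    Handles -t TYPE, -o a,b and long propagation flags such as --make-slave / --bind.
    The last positional argument is taken as the mountpoint.
    """
    fstype = "none"
    opts: List[str] = []
    positional: List[str] = []
    args = list(argv[1:]) if argv and argv[0] == "mount" else list(argv)
    i = 0
    while i < len(args):
        a = args[i]
        if a == "-t":
            fstype = args[i + 1]
            i += 2
        elif a == "-o":
            opts.extend(args[i + 1].split(","))
            i += 2
        elif a.startswith("--"):
            opts.append(a[2:])
            i += 1
        else:
            positional.append(a)
            i += 1
    mountpoint = positional[-1] if positional else ""
    return fstype, mountpoint, normalize_options(opts)


def rule_allows(rule: MountRule, fstype: str, mountpoint: str, options: FrozenSet[str]) -> bool:
    """Intended semantics: the request must carry every option the rule lists,
    and its fstype and mountpoint must match the rule's globs."""
    if not rule.options <= options:
        return False
    if not glob_to_regex(rule.fstype).match(fstype):
        return False
    return bool(glob_to_regex(rule.mountpoint).match(mountpoint))


def check(rule: MountRule, cmd: str) -> bool:
    """Evaluate one mount command line (whitespace-separated) against a rule."""
    return rule_allows(rule, *parse_mount_cmd(cmd.split()))


if __name__ == "__main__":
    # The rule from the report: mount options=(rw,make-slave) -> **,
    rule = MountRule(options=frozenset({"rw", "make-slave"}))
    # Constructed sample commands: the first must be denied, the second allowed.
    for cmd in ("mount -t proc proc /mnt", "mount --make-slave /mnt"):
        print(f"{cmd!r}: {'allowed' if check(rule, cmd) else 'denied'}")
```

Running the block prints `denied` for the proc mount and `allowed` for the `--make-slave` mount, which is the behaviour the report says the affected parser versions failed to enforce.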
The kernel code to handle mount rules is currently only in the Ubuntu kernel (not upstream, also not in openSUSE). Therefore I doubt we are affected because apparmor_parser will only honor mount rules if the kernel supports them.
Nevertheless I'm CC'ing John Johansen (one of the upstream developers who focuses on apparmor_parser and the AppArmor kernel code) - John, please correct me if the above is wrong ;-)
bugbot adjusting priority