File apparmor-parser-preserve-unknown-profiles-when-restarting.diff of Package apparmor.9786
commit 036726657294ac349d927a0c3f85184f23d80661
Author: Tyler Hicks <tyhicks@canonical.com>
Date: Fri Mar 24 05:06:07 2017 +0000
References: bsc#1029696
parser: Preserve unknown profiles when restarting apparmor init/job/unit
CVE-2017-6507
https://launchpad.net/bugs/1668892
The common AppArmor 'restart' code used by some init scripts, upstart
jobs, and/or systemd units contained functionality that is no longer
appropriate to retain. Any profiles not found in /etc/apparmor.d/ were
assumed to be obsolete and were unloaded. That behavior became
problematic now that there's a growing number of projects that maintain
their own internal set of AppArmor profiles outside of /etc/apparmor.d/.
It resulted in the AppArmor 'restart' code leaving some important
processes running unconfined. A couple examples are profiles managed by
LXD and Docker.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions
index ecff317..d8907ec 100644
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -451,34 +451,7 @@ __apparmor_restart() {
configure_owlsm
parse_profiles reload
- # Clean out running profiles not associated with the current profile
- # set, excluding the libvirt dynamically generated profiles.
- # Note that we reverse sort the list of profiles to remove to
- # ensure that child profiles (e.g. hats) are removed before the
- # parent. We *do* need to remove the child profile and not rely
- # on removing the parent profile when the profile has had its
- # child profile names changed.
- profiles_names_list | awk '
-BEGIN {
- while (getline < "'${SFS_MOUNTPOINT}'/profiles" ) {
- str = sub(/ \((enforce|complain)\)$/, "", $0);
- if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0)
- arr[$str] = $str
- }
-}
-
-{ if (length(arr[$0]) > 0) { delete arr[$0] } }
-END {
- for (key in arr)
- if (length(arr[key]) > 0) {
- printf("%s\n", arr[key])
- }
-}
-' | LC_COLLATE=C sort -r | while IFS= read profile ; do
- echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
- done
- # will not catch all errors, but still better than nothing
rc=$?
aa_log_end_msg $rc
return $rc
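Review bot: the surviving `rc=$?` now records the exit status of `parse_profiles reload` instead of the removed `while ... read profile` pipeline, and the old caveat comment ("will not catch all errors, but still better than nothing") went with the pipeline; please confirm that `parse_profiles` returns a meaningful status, since `aa_log_end_msg $rc` and `return $rc` now report whatever it yields. Also, the hunk silently changes behaviour beyond the CVE fix: profiles whose files were deleted from /etc/apparmor.d/ are no longer unloaded on restart and stay in the kernel until they are removed explicitly or the system reboots, and the libvirt-specific exclusion (`/^libvirt-[0-9a-f\-]+$/`) is gone as well; a sentence in the commit message or the relevant man page stating that restart no longer removes stale profiles would help administrators who relied on that cleanup.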