SuSE Update for AppArmor SUSE-SA:2007:015

Impact
AppArmor language additions
Solution
Please Install the Updated Packages.
Insight
Two new language features have been added to improve the confinement provided to applications executing other applications will confined by AppArmor. - Two new execute modifiers: 'P' and 'U' are provided and are flavors of the existing 'p' and 'u' modifiers but indicate that the environment should be stripped across the execute transition. Using &quot Ux&quot and &quot Px&quot avoids injecting code using LD_PRELOAD and similar variables into the started executables by a infected profiled program. The environment variable filtering is the same as used for setuid applications. - A new permission 'm' is required when an application executes mmap(2) with protection PROT_EXEC. This avoids infected binaries escalating the &quot r&quot privilege to a file into a &quot rx&quot privilege. Note that both issues are not directly security fixes, they instead avoid common problems during profile creation. These changes also require a new kernel, which we released in December 2006, tracked by our advisory SUSE-SA:2006:079. Only SUSE Linux Enterprise Server 9 (and related products) and SUSE Linux 10.0 are affected by this change. SUSE Linux 10.1, SUSE Linux Enterprise 10 and newer products already contain the new profile syntax and behavior.
Affected
AppArmor on SUSE SLES 9, Novell Linux Desktop 9, Open Enterprise Server, Novell Linux POS 9
References