Re: [PATCH V3] apparmor: support ptrace checks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Guido and everybody else,
Ubuntu had the feature that went into 4.13 for quite a while so I looked into dropping our rules in favor of the upstream ones.
While doing so I found something yet unclear and filed [1] about it.

TL;DR: The rules "should" not work because they should also have a tracedby rule, but they work.

Jjohansen will let us know when he has looked at it in detail.
The bug I mention here is to track that effort.

P.S. FYI There is something similar ahead for kernel 4.14 which will need a similar rule for signals.

[1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1719471

On Mon, Sep 25, 2017 at 12:05 PM, Guido Günther <agx@xxxxxxxxxxx> wrote:
Hi,
On Sun, Sep 24, 2017 at 02:26:01PM +0200, Guido Günther wrote:
> Hi Jim,
> On Fri, Sep 22, 2017 at 05:02:42PM -0600, Jim Fehlig wrote:
> > Kernel 4.13 introduced finer-grained ptrace checks
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
> >
> > With kernel 4.13 and apparmor 2.11, simply starting libvirtd
> > results in the following apparmor denial
> >
> > type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
> > operation="ptrace" profile="" pid=6984
> > comm="libvirtd" requested_mask="trace" denied_mask="trace"
> > peer="unconfined"
> >
> > Attempting to start an unconfined domain results in
> >
> > type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
> > operation="ptrace" profile="" pid=7498
> > comm="libvirtd" requested_mask="trace" denied_mask="trace"
> > peer="/usr/sbin/libvirtd"
> >
> > And attempting to start a confined domain results in
> >
> > type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
> > operation="open" profile="" name="/etc/libnl/classid"
> > pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> > fsuid=0 ouid=0
> > type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
> > operation="open" profile="" name="/etc/libnl/classid"
> > pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> > fsuid=0 ouid=0
> > type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
> > operation="ptrace" profile="" pid=8342
> > comm="libvirtd" requested_mask="trace" denied_mask="trace"
> > peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
> >
> > Add ptrace rules to allow the trace operations.
> >
> > Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
> > Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
> > ---
> >
> > V3:
> >  fix ptrace rule for per-domain profiles
> >
> > V2:
> >  restrict ptrace permissions
> >  drop support for dbus, signal, and unix
> >
> >  examples/apparmor/usr.sbin.libvirtd | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> > index acb59e071..fa4ebb355 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -37,6 +37,10 @@
> >    network packet dgram,
> >    network packet raw,
> >
> > +  ptrace (trace) peer=unconfined,
> > +  ptrace (trace) peer=/usr/sbin/libvirtd,
> > +  ptrace (trace) peer=libvirt-*,
> > +
>
> This works here too! And I can even drop the first rule (ptrace (trace)
> peer=unconfined) and things still work (and from reading the profile and
> Jamies explanations it should work without it). Can you check if that
> works for you too?  Otherwise:
>
> Reviewed-By: Guido Günther <agx@xxxxxxxxxxx>

I've pushed that patch as is since without the unconfined ptrace we're
seeing denials with gnome-boxes and virsh.
Cheers,
 -- Guido

>
>
> >    # Very lenient profile for libvirtd since we want to first focus on confining
> >    # the guests. Guests will have a very restricted profile.
> >    / r,
> > --
> > 2.14.1
> >
>
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
>

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux