apparmor: allow readby and tracedby by goldwynr · Pull Request #39121 · moby/moby

goldwynr · 2019-04-22T14:13:03Z

Fixes audit errors such as:

type=AVC msg=audit(1550236803.810:143):
apparmor="DENIED" operation="ptrace" profile="docker-default"
pid=3181 comm="ps" requested_mask="readby" denied_mask="readby"
peer="docker-default"

audit(1550236375.918:3): apparmor="DENIED" operation="ptrace"
profile="docker-default" pid=2267 comm="ps"
requested_mask="tracedby" denied_mask="tracedby"
peer="docker-default"

Signed-off-by: Goldwyn Rodrigues [email protected]

- What I did

- How I did it

- How to verify it

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

Fixes audit errors such as: type=AVC msg=audit(1550236803.810:143): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3181 comm="ps" requested_mask="readby" denied_mask="readby" peer="docker-default" audit(1550236375.918:3): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=2267 comm="ps" requested_mask="tracedby" denied_mask="tracedby" peer="docker-default" Signed-off-by: Goldwyn Rodrigues <[email protected]>

thaJeztah · 2019-04-23T18:03:47Z

ping @justincormack @cyphar PTAL

cyphar · 2019-04-24T08:39:31Z

Seems reasonable.

justincormack · 2019-04-26T05:10:19Z

 {{if ge .Version 208095}}
  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
-  ptrace (trace,read) peer={{.Name}},
+  ptrace (trace,read,tracedby,readby) peer={{.Name}},


I think maybe the comment should be changed on the line above - these are I think now needed as we allow ptrace which we did not for seccomp reasons before kernel 4.8, and I don't think you would get these just from ps.

Lekensteyn · 2019-05-10T12:55:35Z

Had a coworker running into the same problem when running ls -l /proc/$pid/fd:

audit[22984]: AVC apparmor="DENIED" operation="ptrace" profile="docker-default" pid=22984 comm="ls" requested_mask="readby" denied_mask="readby" peer="docker-default"

Ubuntu 18.04 with a 4.18.0-17-generic kernel and the following Docker version:

Client:
 Version:           18.09.5
 API version:       1.38 (downgraded from 1.39)
 Go version:        go1.10.8
 Git commit:        e8ff056
 Built:             Thu Apr 11 04:43:57 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       e68fc7a
  Built:            Tue May  7 17:57:34 2019
  OS/Arch:          linux/amd64
  Experimental:     false

Patching the default profile with this tracedby,readby option (and testing it with apparmor_profile -r < new_profile.txt to replace the old profile) ensured that ls -l /proc/$pid/fd, ss -tlpn, lsof -iTCP, etc. work again and show the process name.

The readby option alone should also be sufficient to permit reading procfs, see also https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace#ptrace-rules-for-proc

Documentation for the tracedby and readby settings can be found in the apparmor.d manual:
https://gitlab.com/apparmor/apparmor/blob/master/parser/apparmor.d.pod#L933

thaJeztah · 2019-05-10T17:55:54Z

ping @goldwynr could you have a look at the review comment?

@justincormack any other issues with this patch, other than the comment?

goldwynr · 2019-05-11T12:58:55Z

@justincormack Without this patch the "denied "readby" messages are shown for docker ps, though the command succeeds. So, the comment still holds good.

goldwynr · 2019-06-10T20:33:32Z

ping! could the maintainers review the changes?

thaJeztah

LGTM

GordonTheTurtle added the status/0-triage label Apr 22, 2019

goldwynr mentioned this pull request Apr 22, 2019

apparmor: allow readby and tracedby docker-archive/docker-ce#596

Closed

thaJeztah added area/security/apparmor status/2-code-review and removed status/0-triage labels Apr 23, 2019

justincormack reviewed Apr 26, 2019

View reviewed changes

GordonTheTurtle assigned vdemeester May 7, 2019

justincormack approved these changes Jun 11, 2019

View reviewed changes

thaJeztah approved these changes Jun 11, 2019

View reviewed changes

thaJeztah merged commit 9e763de into moby:master Jun 11, 2019

thaJeztah added this to the 20.03.0 milestone Apr 2, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

apparmor: allow readby and tracedby#39121

apparmor: allow readby and tracedby#39121
thaJeztah merged 1 commit intomoby:masterfrom
goldwynr:master

goldwynr commented Apr 22, 2019

Uh oh!

thaJeztah commented Apr 23, 2019

Uh oh!

cyphar commented Apr 24, 2019

Uh oh!

justincormack Apr 26, 2019

Uh oh!

Lekensteyn commented May 10, 2019

Uh oh!

thaJeztah commented May 10, 2019

Uh oh!

goldwynr commented May 11, 2019

Uh oh!

goldwynr commented Jun 10, 2019

Uh oh!

thaJeztah left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

Conversation

goldwynr commented Apr 22, 2019

Uh oh!

thaJeztah commented Apr 23, 2019

Uh oh!

cyphar commented Apr 24, 2019

Uh oh!

justincormack Apr 26, 2019

Choose a reason for hiding this comment

Uh oh!

Lekensteyn commented May 10, 2019

Uh oh!

thaJeztah commented May 10, 2019

Uh oh!

goldwynr commented May 11, 2019

Uh oh!

goldwynr commented Jun 10, 2019

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants