
enterprise-support team mailing list archive

[Bug 1792728] [NEW] [apparmor] allow reading squid binary


Public bug reported:

Problem description:

Running squid in a container with a host using Bionic's kernel fails if
squid's apparmor profile is enabled. The denial message is:

Sep 15 13:28:34 simon-laptop kernel: audit: type=1400
audit(1537032514.528:312): apparmor="DENIED" operation="file_mmap"
namespace="root//lxd-foo_<var-snap-lxd-common-lxd>"
profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=12177 comm="squid"
requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000


Steps to reproduce:

Create a container named foo:
$ lxc launch ubuntu-daily:cosmic foo

Install squid:
$ lxc exec foo -- apt-get install -y squid

Confirm it's running fine:
$ lxc exec foo -- ps aux| grep squid
root      1012  0.0  0.0  68120  2320 ?        Ss   17:46   0:00 /usr/sbin/squid -YC -f /etc/squid/squid.conf
proxy     1015  0.0  0.0 108236 22068 ?        S    17:46   0:00 (squid-1) -YC -f /etc/squid/squid.conf
proxy     1022  0.0  0.0   5736  1352 ?        S    17:46   0:00 (logfile-daemon) /var/log/squid/access.log

Enable Apparmor profile (disabled by default):
$ lxc exec foo -- rm /etc/apparmor.d/disable/usr.sbin.squid
$ lxc exec foo -- apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.squid
$ lxc exec foo -- service squid restart

Check if squid is still running:
$ lxc exec foo -- ps aux| grep squid


It is not running anymore and looking at the host's journalctl, we see an Apparmor denial message:
$ journalctl -o cat -k | tail -n1
audit: type=1400 audit(1537033754.195:348): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=26039 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000


A workaround is to allow read access to the binary.

Workaround:
$ lxc exec foo -- sed -i 's/squid ix,$/squid rix,/' /etc/apparmor.d/usr.sbin.squid
$ lxc exec foo -- apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.squid
$ lxc exec foo -- service squid restart

Check if squid started fine this time:

$ lxc exec foo -- ps aux| grep squid
root      1283  0.0  0.0  68120  2320 ?        Ss   17:53   0:00 /usr/sbin/squid -YC -f /etc/squid/squid.conf
proxy     1285  0.0  0.0 108240 22140 ?        S    17:53   0:00 (squid-1) -YC -f /etc/squid/squid.conf
proxy     1286  0.0  0.0   5736  1304 ?        S    17:53   0:00 (logfile-daemon) /var/log/squid/access.log


Additional information:

$ lxc exec foo -- lsb_release -rd
Description:	Ubuntu Cosmic Cuttlefish (development branch)
Release:	18.10
$ lxc exec foo -- apt-cache policy squid
squid:
  Installed: 3.5.27-1ubuntu1
  Candidate: 3.5.27-1ubuntu1
  Version table:
 *** 3.5.27-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status


Note: the problem also exists on Bionic, so once Cosmic is fixed, an
SRU to Bionic would be nice.

** Affects: squid3 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1792728
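Added example (not part of the bug report or of the squid package): a small POSIX sh helper that parses an AppArmor DENIED audit record of the kind quoted above and derives the profile change that would satisfy it, the same way the workaround's sed turned `squid ix,` into `squid rix,`. The audit record and the profile line are constructed samples; the field names (`operation`, `name`, `denied_mask`) are the ones in the quoted denial.

```shell
#!/bin/sh
# Added example, not from the bug report: parse an AppArmor DENIED audit
# record and derive the profile change that would satisfy it, the way the
# workaround turned "/usr/sbin/squid ix," into "/usr/sbin/squid rix,".

# Constructed sample, same shape as the denial quoted in the report.
SAMPLE='audit: type=1400 audit(1537033754.195:348): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=26039 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000'

# Print the value of a key="value" field from an audit record.
# usage: aa_field RECORD KEY
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Print the minimal allow rule for a DENIED record: "<name> <denied_mask>,".
# Returns 1 for records that are not denials (e.g. ALLOWED or STATUS).
aa_suggest_rule() {
    [ "$(aa_field "$1" apparmor)" = "DENIED" ] || return 1
    printf '%s %s,\n' "$(aa_field "$1" name)" "$(aa_field "$1" denied_mask)"
}

# Merge missing permission letters into an existing file rule for the
# same path, one character at a time, so a mask that is already partly
# granted is not duplicated.  usage: aa_add_perm RULE_LINE MASK
aa_add_perm() {
    rule=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
    path=${rule%% *}
    perms=${rule#* }; perms=${perms%,}
    add=""; mask=$2
    while [ -n "$mask" ]; do
        c=${mask%"${mask#?}"}      # first character of the remaining mask
        mask=${mask#?}
        case $perms in *"$c"*) ;; *) add="$add$c" ;; esac
    done
    printf '%s %s%s,\n' "$path" "$add" "$perms"
}

# Constructed profile line (assumed shape of the rule the workaround's sed
# rewrote; the real usr.sbin.squid profile contains many more rules).
PROFILE_RULE='  /usr/sbin/squid ix,'

main() {
    rule=$(aa_suggest_rule "$SAMPLE") || { echo "not a denial record"; return 1; }
    echo "denied:     $rule"
    echo "fixed rule: $(aa_add_perm "$PROFILE_RULE" "$(aa_field "$SAMPLE" denied_mask)")"
}
main
```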

