[Bug 1890848] [NEW] 'ptrace trace' needed to readlink() /proc/*/ns/* files
Public bug reported:
Per 'man namespaces':
"Permission to dereference or read (readlink(2)) these symbolic links is
governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
ptrace(2)."
This suggests that a 'ptrace read' rule should be sufficient to
readlink() /proc/*/ns/*, which is the case with 5.4.0-42.46-generic
(Ubuntu 20.04 LTS).
However, on Ubuntu 18.04 LTS (bionic) and 16.04 LTS (xenial) a 'ptrace trace' rule is required instead. That is a considerably broader grant than readlink() needs: 'trace' also permits attaching to and controlling the peer, so profiles written for those releases must over-privilege the confined program merely to read its namespace identifiers.
Here is a reproducer:
$ cat ./readlink-ns.c
#include <errno.h>
#include <linux/limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
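/* Print the command-line synopsis to stderr. */
void usage(void)
{
	/* `(void)` makes this a real prototype; `()` is an old-style
	 * declaration that accepts any argument list unchecked. */
	fprintf(stderr, "Usage: readlink-ns -p <pid> -n <ns>\n");
}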
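/*
 * Reproducer: readlink() /proc/<pid>/ns/<ns> and print the link target, so the
 * AppArmor ptrace check the kernel applies can be observed from the denial log.
 *
 * Options:
 *   -p <pid>  target process id (decimal, > 0; required)
 *   -n <ns>   namespace entry name, e.g. "pid" (required, must not contain '/')
 *   -h        print usage and exit 0
 *
 * Returns 0 on success; 1 on bad usage, on a failed readlink() (errno is
 * reported via perror) or when the link target does not fit the buffer.
 */
int main(int argc, char *argv[])
{
	pid_t pid = 0;
	const char *ns = NULL;
	char path[PATH_MAX] = {0};
	char rpath[PATH_MAX] = {0};
	int c;

	while ((c = getopt(argc, argv, "hn:p:")) != -1) {
		switch (c) {
		case 'n':
			ns = optarg;
			break;
		case 'p': {
			/* strtol instead of atoi: garbage, trailing junk and
			 * out-of-range values are rejected rather than silently
			 * becoming 0 (which would then name /proc/0). */
			char *end = NULL;
			errno = 0;
			long v = strtol(optarg, &end, 10);
			if (end == optarg || *end != '\0' || errno == ERANGE ||
			    v <= 0 || (long)(pid_t)v != v) {
				fprintf(stderr, "invalid pid: %s\n", optarg);
				return 1;
			}
			pid = (pid_t)v;
			break;
		}
		case 'h':
			usage();
			return 0;
		case '?':
			usage();
			return 1;
		default:
			return 1;
		}
	}

	/* Both options are mandatory: a NULL ns would be handed to "%s"
	 * (undefined behaviour), and a '/' in ns would let the formatted path
	 * escape /proc/<pid>/ns/. */
	if (pid <= 0 || ns == NULL || *ns == '\0' || strchr(ns, '/') != NULL) {
		usage();
		return 1;
	}

	/* snprintf NUL-terminates on its own; only the truncation check is
	 * needed.  pid_t is cast to int to match "%d" portably. */
	int n = snprintf(path, sizeof(path), "/proc/%d/ns/%s", (int)pid, ns);
	if (n < 0 || (size_t)n >= sizeof(path)) {
		fprintf(stderr, "cannot format string\n");
		return 1;
	}
	printf("path: %s\n", path);

	/* readlink() returns ssize_t and does not NUL-terminate.  A result
	 * equal to the buffer size may be truncated and leaves no room for the
	 * terminator, so it is treated as an error rather than printed. */
	ssize_t len = readlink(path, rpath, sizeof(rpath));
	if (len < 0) {
		perror("readlink()");
		return 1;
	}
	if ((size_t)len >= sizeof(rpath)) {
		fprintf(stderr, "cannot readlink()\n");
		return 1;
	}
	rpath[len] = '\0';
	printf("rpath: %s\n", rpath);
	return 0;
}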
$ cat ./readlink-ns.apparmor
#include <tunables/global>
profile test {
#include <abstractions/base>
# The peer is "unconfined" because the reproducer targets pid 1, which the
# denial below reports as peer="unconfined".  Per namespaces(7) the kernel
# applies a PTRACE_MODE_READ_FSCREDS check, which is what 'ptrace (read)'
# is meant to cover.
# focal (5.4 kernel): 'read' is sufficient
ptrace (read) peer="unconfined",
# xenial, bionic: the same readlink() is logged with requested_mask="trace",
# so the much broader 'trace' rule below has to be enabled instead.
#ptrace (trace) peer="unconfined",
}
# bionic and xenial need 'ptrace trace'
$ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
readlink(): Permission denied
Denial:
Aug 07 14:40:59 sec-bionic-amd64 kernel: audit: type=1400 audit(1596829259.675:872): apparmor="DENIED" operation="ptrace" profile="test" pid=1311 comm="a.out" requested_mask="trace" denied_mask="trace" peer="unconfined"
# focal needs only 'ptrace read'
$ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
rpath: pid:[4026531836]
** Affects: linux (Ubuntu)
Importance: Undecided
Status: Fix Released
** Affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: Confirmed
** Affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: Confirmed
** Tags: apparmor
** Also affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu)
Status: New => Fix Released
** Tags added: apparmor
** Changed in: linux (Ubuntu Bionic)
Status: New => Confirmed
** Changed in: linux (Ubuntu Xenial)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1890848
Title:
'ptrace trace' needed to readlink() /proc/*/ns/* files
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Xenial:
Confirmed
Status in linux source package in Bionic:
Confirmed
Bug description:
Per 'man namespaces':
"Permission to dereference or read (readlink(2)) these symbolic links is
governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
ptrace(2)."
This suggests that a 'ptrace read' rule should be sufficient to
readlink() /proc/*/ns/*, which is the case with 5.4.0-42.46-generic
(Ubuntu 20.04 LTS).
However, on Ubuntu 18.04 LTS (bionic) and 16.04 LTS (xenial) a 'ptrace trace' rule is required instead. That is a considerably broader grant than readlink() needs: 'trace' also permits attaching to and controlling the peer, so profiles written for those releases must over-privilege the confined program merely to read its namespace identifiers.
Here is a reproducer:
$ cat ./readlink-ns.c
#include <errno.h>
#include <linux/limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
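/* Print the command-line synopsis to stderr. */
void usage(void)
{
	/* `(void)` makes this a real prototype; `()` is an old-style
	 * declaration that accepts any argument list unchecked. */
	fprintf(stderr, "Usage: readlink-ns -p <pid> -n <ns>\n");
}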
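/*
 * Reproducer: readlink() /proc/<pid>/ns/<ns> and print the link target, so the
 * AppArmor ptrace check the kernel applies can be observed from the denial log.
 *
 * Options:
 *   -p <pid>  target process id (decimal, > 0; required)
 *   -n <ns>   namespace entry name, e.g. "pid" (required, must not contain '/')
 *   -h        print usage and exit 0
 *
 * Returns 0 on success; 1 on bad usage, on a failed readlink() (errno is
 * reported via perror) or when the link target does not fit the buffer.
 */
int main(int argc, char *argv[])
{
	pid_t pid = 0;
	const char *ns = NULL;
	char path[PATH_MAX] = {0};
	char rpath[PATH_MAX] = {0};
	int c;

	while ((c = getopt(argc, argv, "hn:p:")) != -1) {
		switch (c) {
		case 'n':
			ns = optarg;
			break;
		case 'p': {
			/* strtol instead of atoi: garbage, trailing junk and
			 * out-of-range values are rejected rather than silently
			 * becoming 0 (which would then name /proc/0). */
			char *end = NULL;
			errno = 0;
			long v = strtol(optarg, &end, 10);
			if (end == optarg || *end != '\0' || errno == ERANGE ||
			    v <= 0 || (long)(pid_t)v != v) {
				fprintf(stderr, "invalid pid: %s\n", optarg);
				return 1;
			}
			pid = (pid_t)v;
			break;
		}
		case 'h':
			usage();
			return 0;
		case '?':
			usage();
			return 1;
		default:
			return 1;
		}
	}

	/* Both options are mandatory: a NULL ns would be handed to "%s"
	 * (undefined behaviour), and a '/' in ns would let the formatted path
	 * escape /proc/<pid>/ns/. */
	if (pid <= 0 || ns == NULL || *ns == '\0' || strchr(ns, '/') != NULL) {
		usage();
		return 1;
	}

	/* snprintf NUL-terminates on its own; only the truncation check is
	 * needed.  pid_t is cast to int to match "%d" portably. */
	int n = snprintf(path, sizeof(path), "/proc/%d/ns/%s", (int)pid, ns);
	if (n < 0 || (size_t)n >= sizeof(path)) {
		fprintf(stderr, "cannot format string\n");
		return 1;
	}
	printf("path: %s\n", path);

	/* readlink() returns ssize_t and does not NUL-terminate.  A result
	 * equal to the buffer size may be truncated and leaves no room for the
	 * terminator, so it is treated as an error rather than printed. */
	ssize_t len = readlink(path, rpath, sizeof(rpath));
	if (len < 0) {
		perror("readlink()");
		return 1;
	}
	if ((size_t)len >= sizeof(rpath)) {
		fprintf(stderr, "cannot readlink()\n");
		return 1;
	}
	rpath[len] = '\0';
	printf("rpath: %s\n", rpath);
	return 0;
}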
$ cat ./readlink-ns.apparmor
#include <tunables/global>
profile test {
#include <abstractions/base>
# The peer is "unconfined" because the reproducer targets pid 1, which the
# denial below reports as peer="unconfined".  Per namespaces(7) the kernel
# applies a PTRACE_MODE_READ_FSCREDS check, which is what 'ptrace (read)'
# is meant to cover.
# focal (5.4 kernel): 'read' is sufficient
ptrace (read) peer="unconfined",
# xenial, bionic: the same readlink() is logged with requested_mask="trace",
# so the much broader 'trace' rule below has to be enabled instead.
#ptrace (trace) peer="unconfined",
}
# bionic and xenial need 'ptrace trace'
$ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
readlink(): Permission denied
Denial:
Aug 07 14:40:59 sec-bionic-amd64 kernel: audit: type=1400 audit(1596829259.675:872): apparmor="DENIED" operation="ptrace" profile="test" pid=1311 comm="a.out" requested_mask="trace" denied_mask="trace" peer="unconfined"
# focal needs only 'ptrace read'
$ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
rpath: pid:[4026531836]