
kernel-packages team mailing list archive

[Bug 1390592] [NEW] 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker


Public bug reported:

I was helping a docker user out in #apparmor on OFTC and I think we
found a kernel bug. Filing this on behalf of the user.

The user added the following to the base abstraction then reloaded policy:
  ptrace peer=@{profile_name},

but had denials like this:
  apparmor="DENIED" operation="ptrace" profile="docker-default" pid=15426 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"

The user tried this rule too, but it didn't work:
  ptrace peer=docker-default,

The user had to use 'ptrace,' instead to make the denials go away.

Steps to reproduce:
1. adjust /etc/apparmor.d/abstractions/base to have:
  ptrace peer=@{profile_name},
2. sudo apt-get install docker.io
3. sudo docker pull ubuntu:trusty
4. Run 'ps' inside docker:
   $ sudo docker run -i -t ubuntu:trusty bash
   root@5039d725a41d:/# ps
   ...
   root@5039d725a41d:/# exit
   $

Then observe the following denials on the host:
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"

Note, docker is different from most applications in that it embeds its
policy inside the docker binary, and this binary, when launched as a
daemon (i.e., via the upstart job), will unconditionally write out the
policy to /etc/apparmor.d/docker-default. As such, to modify the policy:

0. install docker.io and pull a trusty image # only has to be done once
1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
2. sudo stop docker.io
3. sudo apparmor_parser -R /etc/apparmor.d/docker
4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
5. sudo start docker.io
6. Run 'ps' inside docker:
   $ sudo docker run -i -t ubuntu:trusty bash
   root@5039d725a41d:/# ps
   ...
   root@5039d725a41d:/# exit
   $

(Docker just added a way to specify an alternate existing profile in
https://docs.docker.com/reference/run/#security-configuration).

Reference: https://github.com/docker/docker/issues/7276

** Affects: linux (Ubuntu)
     Importance: High
         Status: Confirmed


** Tags: aa-kernel apparmor

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1390592

Title:
  'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with
  docker

Status in “linux” package in Ubuntu:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1390592/+subscriptions
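When triaging a report like this one, the first question is always which profile, operation and peer the kernel is actually refusing, and whether the denied peer really is the same profile the rule named. The following parser is an added example (it is not part of the bug report, the kernel or docker); it takes the three kernel log lines quoted in the report, plus one constructed ALLOWED open event to show non-denials being skipped, splits each AppArmor audit message into its key="value" fields, tallies the denials, and picks out the self-ptrace case (peer equals profile) that `ptrace peer=@{profile_name}` was meant to cover. The field names it reads are the standard AppArmor audit keys that appear in the quoted lines; the summarising function names are this example's own.

```python
import re
from collections import Counter

# First three lines are the denials quoted in the bug report; the fourth is a
# constructed ALLOWED open event added to show that non-denials are ignored.
SAMPLE_LOG = """\
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov  7 13:44:01 sec-trusty-amd64 kernel: [24277.100000] type=1400 audit(1415389441.100:71): apparmor="ALLOWED" operation="open" profile="docker-default" name="/etc/hostname" pid=27550 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# AppArmor audit messages carry their details as space-separated key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_line(line):
    """Return a dict of the quoted key="value" fields of one AppArmor audit
    message, or None if the line is not an AppArmor message at all."""
    if 'apparmor="' not in line:
        return None
    return dict(FIELD_RE.findall(line))


def parse_log(text):
    """Parse every AppArmor audit line found in a block of kernel log text."""
    events = []
    for line in text.splitlines():
        fields = parse_apparmor_line(line)
        if fields is not None:
            events.append(fields)
    return events


def summarize_denials(events):
    """Count DENIED events keyed by (profile, operation, target, denied_mask).

    The target is the peer profile for ptrace/signal style events and the
    file name for file events, so the same summary works for both kinds."""
    counts = Counter()
    for ev in events:
        if ev.get("apparmor") != "DENIED":
            continue
        target = ev.get("peer") or ev.get("name") or "-"
        key = (ev.get("profile"), ev.get("operation"), target, ev.get("denied_mask"))
        counts[key] += 1
    return counts


def self_ptrace_denials(events):
    """Denied ptrace events whose peer is the very profile doing the tracing.

    These are exactly the events a working 'ptrace peer=@{profile_name},'
    rule should have permitted, so any hit here is worth a second look at
    the loaded policy (or, as in this report, at the kernel)."""
    return [
        ev for ev in events
        if ev.get("apparmor") == "DENIED"
        and ev.get("operation") == "ptrace"
        and ev.get("peer") == ev.get("profile")
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize_denials(evs).items()):
        profile, op, target, mask = key
        print(f"{n:3d}  profile={profile} op={op} target={target} denied_mask={mask}")
    print(f"{len(self_ptrace_denials(evs))} self-ptrace denials")
```

Run against a real `/var/log/kern.log` (or `journalctl -k` output) the summary collapses repeated events into one line per profile/operation/target/mask, which makes it easy to confirm whether the peer being refused matches the profile the rule named before deciding that the policy, rather than the rule syntax, is at fault.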

