
kernel-packages team mailing list archive

[Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker

 

** Description changed:

  I was helping a docker user out in #apparmor on OFTC and I think we
- found a kernel bug. Filing this on behalf of the user.
+ found a kernel bug in the 14.04 kernel.
  
- The user added the following to the base abstraction then reloaded policy:
-   ptrace peer=@{profile_name},
- 
- but had denials like this:
-   apparmor="DENIED" operation="ptrace" profile="docker-default" pid=15426 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
- 
- The user tried this rule too, but it didn't work:
-   ptrace peer=docker-default,
- 
- The user had to use 'ptrace,' instead to make the denials go away.
+ root@cerise:/etc/apparmor.d# cat /proc/version_signature
+ Ubuntu 3.13.0-32.57-generic 3.13.11.4
  
  Steps to reproduce:
  1. adjust /etc/apparmor.d/abstractions/base to have:
-   ptrace peer=@{profile_name},
+   ptrace peer=@{profile_name},
  2. sudo apt-get install docker.io
  3. sudo docker pull ubuntu:trusty
  4. Run 'ps' inside docker:
-    $ sudo docker run -i -t ubuntu:trusty bash
-    root@5039d725a41d:/# ps
-    ...
-    root@5039d725a41d:/# exit
-    $
+    $ sudo docker run -i -t ubuntu:trusty bash
+    root@5039d725a41d:/# ps
+    ...
+    root@5039d725a41d:/# exit
+    $
  
- Then observe the following denials on the host:
+ Then observe the following denials on the host, which should have been addressed in the rule added in step 1:
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
+ 
+ Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
+ works as expected (note, the policy is different on 14.10 and it already
+ has the rule from step 1).
  
  Note, docker is different than most applications in that it embeds its
  policy inside the docker binary and this binary when launched as a
  daemon (ie, via the upstart job) will unconditionally write out the
  policy to /etc/apparmor.d/docker-default. As such, to modify the policy:
  
  0. install docker.io and pull a trusty image # only has to be done once
  1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
- 2. sudo stop docker.io
+ 2. sudo stop docker.io      # 'docker' on 14.10
  3. sudo apparmor_parser -R /etc/apparmor.d/docker
  4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
- 5. sudo start docker.io
+ 5. sudo start docker.io     # 'docker' on 14.10
  6. Run 'ps' inside docker:
-    $ sudo docker run -i -t ubuntu:trusty bash
-    root@5039d725a41d:/# ps
-    ...
-    root@5039d725a41d:/# exit
-    $
+    $ sudo docker run -i -t ubuntu:trusty bash
+    root@5039d725a41d:/# ps
+    ...
+    root@5039d725a41d:/# exit
+    $
  
  (Docker just added a way to specify an alternate existing profile in
  https://docs.docker.com/reference/run/#security-configuration).
  
  Reference: https://github.com/docker/docker/issues/7276

** Description changed:

  I was helping a docker user out in #apparmor on OFTC and I think we
  found a kernel bug in the 14.04 kernel.
  
- root@cerise:/etc/apparmor.d# cat /proc/version_signature
- Ubuntu 3.13.0-32.57-generic 3.13.11.4
+ $ cat /proc/version_signature 
+ Ubuntu 3.13.0-37.64-generic 3.13.11.7
  
  Steps to reproduce:
  1. adjust /etc/apparmor.d/abstractions/base to have:
    ptrace peer=@{profile_name},
  2. sudo apt-get install docker.io
  3. sudo docker pull ubuntu:trusty
  4. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $
  
  Then observe the following denials on the host, which should have been addressed in the rule added in step 1:
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
  
  Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
  works as expected (note, the policy is different on 14.10 and it already
  has the rule from step 1).
  
  Note, docker is different than most applications in that it embeds its
  policy inside the docker binary and this binary when launched as a
  daemon (ie, via the upstart job) will unconditionally write out the
  policy to /etc/apparmor.d/docker-default. As such, to modify the policy:
  
  0. install docker.io and pull a trusty image # only has to be done once
  1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
  2. sudo stop docker.io      # 'docker' on 14.10
  3. sudo apparmor_parser -R /etc/apparmor.d/docker
  4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
  5. sudo start docker.io     # 'docker' on 14.10
  6. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $
  
  (Docker just added a way to specify an alternate existing profile in
  https://docs.docker.com/reference/run/#security-configuration).
  
  Reference: https://github.com/docker/docker/issues/7276

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1390592

Title:
  'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with
  docker

Status in “linux” package in Ubuntu:
  Confirmed

Bug description:
  I was helping a docker user out in #apparmor on OFTC and I think we
  found a kernel bug in the 14.04 kernel.

  $ cat /proc/version_signature 
  Ubuntu 3.13.0-37.64-generic 3.13.11.7

  Steps to reproduce:
  1. adjust /etc/apparmor.d/abstractions/base to have:
    ptrace peer=@{profile_name},
  2. sudo apt-get install docker.io
  3. sudo docker pull ubuntu:trusty
  4. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $

  Then observe the following denials on the host, which should have been addressed in the rule added in step 1:
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"

  Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
  works as expected (note, the policy is different on 14.10 and it
  already has the rule from step 1).

  Note, docker is different from most applications in that it embeds its
  policy inside the docker binary and this binary when launched as a
  daemon (i.e., via the upstart job) will unconditionally write out the
  policy to /etc/apparmor.d/docker-default. As such, to modify the
  policy:

  0. install docker.io and pull a trusty image # only has to be done once
  1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
  2. sudo stop docker.io      # 'docker' on 14.10
  3. sudo apparmor_parser -R /etc/apparmor.d/docker
  4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
  5. sudo start docker.io     # 'docker' on 14.10
  6. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $

  (Docker just added a way to specify an alternate existing profile in
  https://docs.docker.com/reference/run/#security-configuration).

  Reference: https://github.com/docker/docker/issues/7276
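The denial lines quoted in the report are the data a practitioner has to work with when deciding whether a ptrace denial is a policy gap, a stale profile, or (as here) a kernel that ignores a rule it was given. The script below is an added example for this bug, not code from the reporter, Launchpad, Docker or the AppArmor project. It parses kernel audit lines of the form shown above, groups ptrace denials by (profile, peer), and evaluates a small subset of the apparmor.d(5) ptrace rule grammar (optional access list, literal peer or @{profile_name}) against each group so that a denial the loaded rule should have covered stands out. The three sample lines are the ones from the report; the fourth (a gdb denial against an unconfined peer) is constructed for the example so the grouping has a second case, and the regexes and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the three denials quoted in the bug report, plus a fourth
# line (made up for this example, not from the report) with a different peer so
# the grouping has something to separate.
SAMPLE_LOG = """\
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov  7 13:45:01 sec-trusty-amd64 kernel: [24337.001122] type=1400 audit(1415389501.100:71): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27600 comm="gdb" requested_mask="trace" denied_mask="trace" peer="unconfined"
"""

# key="value" pairs as the kernel's AppArmor audit code prints them
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Subset of the apparmor.d(5) ptrace rule grammar handled here: an optional
# access list in parentheses and an optional literal peer or @{profile_name}.
RULE_RE = re.compile(r'^\s*ptrace\s*(?:\(([^)]*)\))?\s*(?:peer=(\S+?))?\s*,\s*$')


def parse_apparmor_line(line):
    """Return the quoted key/value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return dict(KV_RE.findall(line))


def summarize_ptrace_denials(log_text):
    """Group DENIED ptrace events by (profile, peer) with the union of denied masks."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get('apparmor') != 'DENIED' or ev.get('operation') != 'ptrace':
            continue
        groups[(ev['profile'], ev['peer'])].add(ev['denied_mask'])
    return {key: sorted(masks) for key, masks in groups.items()}


def self_ptrace_denials(log_text):
    """Only the groups where a confined task traces a peer in its own profile
    (the 'ps' inside the container case from the report)."""
    return {k: v for k, v in summarize_ptrace_denials(log_text).items() if k[0] == k[1]}


def suggested_rule(profile, peer, masks):
    """The narrowest rule that should cover the group. For a self-targeting
    denial that is the @{profile_name} form, i.e. the rule the report says the
    14.04 kernel does not honour."""
    peer_expr = '@{profile_name}' if peer == profile else peer
    return 'ptrace (%s) peer=%s,' % (', '.join(masks), peer_expr)


def rule_covers(rule, profile, peer, mask):
    """True if `rule`, as loaded in `profile`, should allow `mask` against `peer`."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError('unsupported ptrace rule: %r' % rule)
    accesses, peer_expr = m.group(1), m.group(2)
    if accesses is not None:
        allowed = set(accesses.replace(',', ' ').split())
        if mask not in allowed:
            return False
    if peer_expr is None:            # no peer expression: any peer
        return True
    if peer_expr == '@{profile_name}':
        return peer == profile
    return peer_expr == peer


def unexplained_denials(log_text, rules):
    """Denied masks that one of `rules` covers. A denial the policy covers means
    the policy on disk is not what the kernel is enforcing: stale
    /etc/apparmor.d/cache, profile not reloaded, or, as in this bug, a kernel
    that ignores the rule."""
    out = {}
    for (profile, peer), masks in summarize_ptrace_denials(log_text).items():
        covered = [mk for mk in masks
                   if any(rule_covers(r, profile, peer, mk) for r in rules)]
        if covered:
            out[(profile, peer)] = covered
    return out


if __name__ == '__main__':
    step1_rule = 'ptrace peer=@{profile_name},'
    for (profile, peer), masks in summarize_ptrace_denials(SAMPLE_LOG).items():
        print('%s -> %s denied %s; rule: %s' % (profile, peer, masks,
                                                suggested_rule(profile, peer, masks)))
    print('covered by step-1 rule but still denied:',
          unexplained_denials(SAMPLE_LOG, [step1_rule]))
```

Run against the sample, unexplained_denials() with the step-1 rule returns the docker-default self-denials (read and trace) and nothing for the unconfined peer, which is exactly the shape of the report: the rule covers the access, the kernel denies it anyway. Before blaming the kernel, rule out the first two causes the function's comment lists: confirm the profile the kernel has is the one you edited (aa-status, or /sys/kernel/security/apparmor/profiles) and clear the parser cache as step 4 of the report's procedure does. If the denials persist with the rule visibly loaded, you are looking at the 3.13 behaviour described above.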
