kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #88666
[Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker
** Description changed:
I was helping a docker user out in #apparmor on OFTC and I think we
found a kernel bug in the 14.04 kernel.
- $ cat /proc/version_signature
+ $ cat /proc/version_signature
Ubuntu 3.13.0-37.64-generic 3.13.11.7
Steps to reproduce:
1. adjust /etc/apparmor.d/abstractions/base to have:
ptrace peer=@{profile_name},
2. sudo apt-get install docker.io
3. sudo docker pull ubuntu:trusty
4. Run 'ps' inside docker:
$ sudo docker run -i -t ubuntu:trusty bash
root@5039d725a41d:/# ps
...
root@5039d725a41d:/# exit
$
Then observe the following denials on the host, which should have been addressed in the rule added in step 1:
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
works as expected (note, the policy is different on 14.10 and it already
- has the rule from step 1).
+ has the rule from step 1). Ubuntu 14.04 with the linux-lts-utopic
+ backport kernel also works (from trusty-proposed: sudo apt-get install
+ linux-headers-3.16.0-25-generic linux-image-3.16.0-25-generic linux-
+ image-extra-3.16.0-25-generic).
Note, docker is different than most applications in that it embeds its
policy inside the docker binary and this binary when launched as a
daemon (ie, via the upstart job) will unconditionally write out the
policy to /etc/apparmor.d/docker-default. As such, to modify the policy:
0. install docker.io and pull a trusty image # only has to be done once
1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
2. sudo stop docker.io # 'docker' on 14.10
3. sudo apparmor_parser -R /etc/apparmor.d/docker
4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
5. sudo start docker.io # 'docker' on 14.10
6. Run 'ps' inside docker:
$ sudo docker run -i -t ubuntu:trusty bash
root@5039d725a41d:/# ps
...
root@5039d725a41d:/# exit
$
(Docker just added a way to specify an alternate existing profile in
https://docs.docker.com/reference/run/#security-configuration).
Reference: https://github.com/docker/docker/issues/7276
** Description changed:
I was helping a docker user out in #apparmor on OFTC and I think we
- found a kernel bug in the 14.04 kernel.
+ found a kernel bug in the 14.04 kernel (14.10 kernel seems fine, see
+ below).
$ cat /proc/version_signature
Ubuntu 3.13.0-37.64-generic 3.13.11.7
Steps to reproduce:
1. adjust /etc/apparmor.d/abstractions/base to have:
ptrace peer=@{profile_name},
2. sudo apt-get install docker.io
3. sudo docker pull ubuntu:trusty
4. Run 'ps' inside docker:
$ sudo docker run -i -t ubuntu:trusty bash
root@5039d725a41d:/# ps
...
root@5039d725a41d:/# exit
$
Then observe the following denials on the host, which should have been addressed in the rule added in step 1:
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
works as expected (note, the policy is different on 14.10 and it already
has the rule from step 1). Ubuntu 14.04 with the linux-lts-utopic
backport kernel also works (from trusty-proposed: sudo apt-get install
linux-headers-3.16.0-25-generic linux-image-3.16.0-25-generic linux-
image-extra-3.16.0-25-generic).
Note, docker is different than most applications in that it embeds its
policy inside the docker binary and this binary when launched as a
daemon (ie, via the upstart job) will unconditionally write out the
policy to /etc/apparmor.d/docker-default. As such, to modify the policy:
0. install docker.io and pull a trusty image # only has to be done once
1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
2. sudo stop docker.io # 'docker' on 14.10
3. sudo apparmor_parser -R /etc/apparmor.d/docker
4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
5. sudo start docker.io # 'docker' on 14.10
6. Run 'ps' inside docker:
$ sudo docker run -i -t ubuntu:trusty bash
root@5039d725a41d:/# ps
...
root@5039d725a41d:/# exit
$
(Docker just added a way to specify an alternate existing profile in
https://docs.docker.com/reference/run/#security-configuration).
Reference: https://github.com/docker/docker/issues/7276
** Description changed:
I was helping a docker user out in #apparmor on OFTC and I think we
found a kernel bug in the 14.04 kernel (14.10 kernel seems fine, see
below).
+
+ Workaround: install the https://launchpad.net/ubuntu/+source/linux-lts-
+ utopic kernel.
$ cat /proc/version_signature
Ubuntu 3.13.0-37.64-generic 3.13.11.7
Steps to reproduce:
1. adjust /etc/apparmor.d/abstractions/base to have:
ptrace peer=@{profile_name},
2. sudo apt-get install docker.io
3. sudo docker pull ubuntu:trusty
4. Run 'ps' inside docker:
$ sudo docker run -i -t ubuntu:trusty bash
root@5039d725a41d:/# ps
...
root@5039d725a41d:/# exit
$
Then observe the following denials on the host, which should have been addressed in the rule added in step 1:
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
works as expected (note, the policy is different on 14.10 and it already
has the rule from step 1). Ubuntu 14.04 with the linux-lts-utopic
backport kernel also works (from trusty-proposed: sudo apt-get install
linux-headers-3.16.0-25-generic linux-image-3.16.0-25-generic linux-
image-extra-3.16.0-25-generic).
Note, docker is different than most applications in that it embeds its
policy inside the docker binary and this binary when launched as a
daemon (ie, via the upstart job) will unconditionally write out the
policy to /etc/apparmor.d/docker-default. As such, to modify the policy:
0. install docker.io and pull a trusty image # only has to be done once
1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
2. sudo stop docker.io # 'docker' on 14.10
3. sudo apparmor_parser -R /etc/apparmor.d/docker
4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
5. sudo start docker.io # 'docker' on 14.10
6. Run 'ps' inside docker:
$ sudo docker run -i -t ubuntu:trusty bash
root@5039d725a41d:/# ps
...
root@5039d725a41d:/# exit
$
(Docker just added a way to specify an alternate existing profile in
https://docs.docker.com/reference/run/#security-configuration).
Reference: https://github.com/docker/docker/issues/7276
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1390592
Title:
'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with
docker
Status in “linux” package in Ubuntu:
Confirmed
Bug description:
I was helping a docker user out in #apparmor on OFTC and I think we
found a kernel bug in the 14.04 kernel (14.10 kernel seems fine, see
below).
Workaround: install the https://launchpad.net/ubuntu/+source/linux-
lts-utopic kernel.
$ cat /proc/version_signature
Ubuntu 3.13.0-37.64-generic 3.13.11.7
Steps to reproduce:
1. adjust /etc/apparmor.d/abstractions/base to have:
ptrace peer=@{profile_name},
2. sudo apt-get install docker.io
3. sudo docker pull ubuntu:trusty
4. Run 'ps' inside docker:
$ sudo docker run -i -t ubuntu:trusty bash
root@5039d725a41d:/# ps
...
root@5039d725a41d:/# exit
$
Then observe the following denials on the host, which should have been addressed in the rule added in step 1:
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
works as expected (note, the policy is different on 14.10 and it
already has the rule from step 1). Ubuntu 14.04 with the linux-lts-
utopic backport kernel also works (from trusty-proposed: sudo apt-get
install linux-headers-3.16.0-25-generic linux-image-3.16.0-25-generic
linux-image-extra-3.16.0-25-generic).
Note, docker is different than most applications in that it embeds its
policy inside the docker binary and this binary when launched as a
daemon (ie, via the upstart job) will unconditionally write out the
policy to /etc/apparmor.d/docker-default. As such, to modify the
policy:
0. install docker.io and pull a trusty image # only has to be done once
1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
2. sudo stop docker.io # 'docker' on 14.10
3. sudo apparmor_parser -R /etc/apparmor.d/docker
4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
5. sudo start docker.io # 'docker' on 14.10
6. Run 'ps' inside docker:
$ sudo docker run -i -t ubuntu:trusty bash
root@5039d725a41d:/# ps
...
root@5039d725a41d:/# exit
$
(Docker just added a way to specify an alternate existing profile in
https://docs.docker.com/reference/run/#security-configuration).
Reference: https://github.com/docker/docker/issues/7276
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1390592/+subscriptions
References