
touch-packages team mailing list archive

[Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker


I may need to take another approach instead of replacing
add-decimal-interp.patch with upstream commit r2456. While this bug is
fixed, the regression test suite hits some new failures. The commit
message of upstream commit r2541 explains the problem (and changes the
tests):

 Earlier fixes to the parser's handling of escape sequences involving '\'
 caused a behavioral change that profiles no longer needed to contain
 '\\' before an octal escape sequence.

I don't feel like that kind of change is acceptable in an SRU. I'll dig
into the r2456 patch some more and see if I can pull out only the binary
encoding bug fix.


** Changed in: apparmor (Ubuntu Trusty)
       Status: Triaged => In Progress

** Changed in: apparmor (Ubuntu Trusty)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1390592

Title:
  'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with
  docker

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Trusty:
  In Progress

Bug description:
  I was helping a docker user out in #apparmor on OFTC and I think we
  found a kernel bug in the 14.04 kernel (14.10 kernel seems fine, see
  below).

  Workaround: install the
  https://launchpad.net/ubuntu/+source/linux-lts-utopic kernel.

  $ cat /proc/version_signature
  Ubuntu 3.13.0-37.64-generic 3.13.11.7

  Steps to reproduce:
  1. adjust /etc/apparmor.d/abstractions/base to have:
    ptrace peer=@{profile_name},
  2. sudo apt-get install docker.io
  3. sudo docker pull ubuntu:trusty
  4. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $

  Then observe the following denials on the host, which should have been addressed in the rule added in step 1:
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"

  Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
  works as expected (note, the policy is different on 14.10 and it
  already has the rule from step 1). Ubuntu 14.04 with the
  linux-lts-utopic backport kernel also works (from trusty-proposed:
  sudo apt-get install linux-headers-3.16.0-25-generic
  linux-image-3.16.0-25-generic linux-image-extra-3.16.0-25-generic).

  Note, docker is different than most applications in that it embeds its
  policy inside the docker binary and this binary when launched as a
  daemon (ie, via the upstart job) will unconditionally write out the
  policy to /etc/apparmor.d/docker-default. As such, to modify the
  policy:

  0. install docker.io and pull a trusty image # only has to be done once
  1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
  2. sudo stop docker.io      # 'docker' on 14.10
  3. sudo apparmor_parser -R /etc/apparmor.d/docker
  4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
  5. sudo start docker.io     # 'docker' on 14.10
  6. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $

  (Docker just added a way to specify an alternate existing profile in
  https://docs.docker.com/reference/run/#security-configuration).

  Reference: https://github.com/docker/docker/issues/7276

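As an added example (not from the bug report, Docker or the AppArmor project), a small Python triage helper that parses the denial lines quoted in the report and flags ptrace denials whose peer is the actor's own profile, which is exactly what a working 'ptrace peer=@{profile_name},' rule should have permitted. The first three log lines are copied from the report; the fourth, with a different peer, is constructed to show the filter rejecting it.

```python
import re
from typing import Dict, List

# The first three denial lines are copied from the bug report; the fourth is
# a constructed control line with a different peer, so the filter below has
# something to reject.
SAMPLE_LOG = """\
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov  7 13:44:01 sec-trusty-amd64 kernel: [24277.000000] type=1400 audit(1415389441.000:71): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27600 comm="gdb" requested_mask="trace" denied_mask="trace" peer="unconfined"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')  # only the quoted key="value" fields

def parse_apparmor_line(line: str) -> Dict[str, str]:
    """Return the key="value" fields of one AppArmor audit line ({} if none)."""
    if 'apparmor="' not in line:
        return {}
    return dict(KV_RE.findall(line))

def self_ptrace_denials(log: str) -> List[Dict[str, str]]:
    """Ptrace denials where the peer is the *same* profile as the actor.

    A 'ptrace peer=@{profile_name},' rule in that profile should have allowed
    these, so any hit means the loaded policy does not contain the rule or
    the kernel is not honouring it (the 14.04 symptom in this report).
    """
    hits = []
    for line in log.splitlines():
        ev = parse_apparmor_line(line)
        if (ev.get("apparmor") == "DENIED" and ev.get("operation") == "ptrace"
                and ev.get("peer") and ev.get("peer") == ev.get("profile")):
            hits.append(ev)
    return hits

def summarize(hits: List[Dict[str, str]]) -> Dict[tuple, int]:
    """Collapse hits to (profile, comm, denied_mask) -> count for quick triage."""
    counts: Dict[tuple, int] = {}
    for ev in hits:
        key = (ev["profile"], ev["comm"], ev["denied_mask"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(self_ptrace_denials(SAMPLE_LOG)).items():
        print(f"{n}x profile={key[0]} comm={key[1]} denied={key[2]} (peer == profile)")
```

Feed it `journalctl -k` or /var/log/kern.log output instead of SAMPLE_LOG to check whether a rebuilt docker-default profile actually took effect after the reload steps above.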
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1390592/+subscriptions