
touch-packages team mailing list archive

[Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker


This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.1

---------------
apparmor (2.8.95~2430-0ubuntu5.1) trusty-security; urgency=medium

  * SECURITY UPDATE: An AppArmor profile compilation bug may result in
    applications being confined in a way that is inconsistent with the profile
    author's intent. The compilation bug is specific to certain combinations
    of AppArmor rule types and conditionals of those rule types.
    (LP: #1390592)
    - debian/patches/fix-esc-seq-interp.patch: Fix the profile compilation bug
      by limiting the number of bytes that are consumed when interpreting
      hexadecimal, octal, and decimal escape sequences
    - debian/patches/tests-allow-arbitrary-profile-names.patch,
      debian/patches/tests-add-ptrace-tests-for-lp1390592.patch: Add
      regression tests for the profile compilation bug
    - CVE-2014-1424
 -- Tyler Hicks <tyhicks@xxxxxxxxxxxxx>   Fri, 14 Nov 2014 13:46:22 -0600

** Changed in: apparmor (Ubuntu Trusty)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1390592

Title:
  'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with
  docker

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Trusty:
  Fix Released

Bug description:
  I was helping a docker user out in #apparmor on OFTC and I think we
  found a kernel bug in the 14.04 kernel (14.10 kernel seems fine, see
  below).

  Workaround: install the https://launchpad.net/ubuntu/+source/linux-
  lts-utopic kernel.

  $ cat /proc/version_signature
  Ubuntu 3.13.0-37.64-generic 3.13.11.7

  Steps to reproduce:
  1. adjust /etc/apparmor.d/abstractions/base to have:
    ptrace peer=@{profile_name},
  2. sudo apt-get install docker.io
  3. sudo docker pull ubuntu:trusty
  4. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $

  Then observe the following denials on the host, which should have been addressed in the rule added in step 1:
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"

  Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
  works as expected (note, the policy is different on 14.10 and it
  already has the rule from step 1). Ubuntu 14.04 with the linux-lts-
  utopic backport kernel also works (from trusty-proposed: sudo apt-get
  install linux-headers-3.16.0-25-generic linux-image-3.16.0-25-generic
  linux-image-extra-3.16.0-25-generic).

  Note, docker is different than most applications in that it embeds its
  policy inside the docker binary and this binary when launched as a
  daemon (ie, via the upstart job) will unconditionally write out the
  policy to /etc/apparmor.d/docker-default. As such, to modify the
  policy:

  0. install docker.io and pull a trusty image # only has to be done once
  1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
  2. sudo stop docker.io      # 'docker' on 14.10
  3. sudo apparmor_parser -R /etc/apparmor.d/docker
  4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
  5. sudo start docker.io     # 'docker' on 14.10
  6. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $

  (Docker just added a way to specify an alternate existing profile in
  https://docs.docker.com/reference/run/#security-configuration).

  Reference: https://github.com/docker/docker/issues/7276
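
The three kernel denials quoted in the report are the evidence that the `ptrace peer=@{profile_name},` rule was not being honoured. As an added example (not code from the bug report, Docker or the AppArmor project), the script below parses such `apparmor="DENIED"` audit lines, expands `@{profile_name}` to the confining profile the way the rule intends, and flags every denial that a rule in the loaded policy should have covered. The sample input reuses the three lines from the report plus one constructed `open` denial that no rule matches; the rule representation and the treatment of a `ptrace` rule with no access list as covering every mask are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: the three ptrace denials quoted in the bug report, plus
# one made-up "open" denial that no rule in RULES covers, and one non-AppArmor
# kernel line that the parser must ignore.
SAMPLE_LOG = """\
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov  7 13:43:43 sec-trusty-amd64 kernel: [24258.100000] type=1400 audit(1415389423.000:71): apparmor="DENIED" operation="open" profile="docker-default" name="/etc/shadow" pid=27550 comm="cat" requested_mask="r" denied_mask="r"
Nov  7 13:43:44 sec-trusty-amd64 kernel: [24258.200000] docker0: port 1(veth1234) entered forwarding state
"""

# The rule from step 1 of the report, in an assumed dict representation.
# "access": None models a bare ptrace rule, which grants every ptrace access.
RULES = [
    {"operation": "ptrace", "peer": "@{profile_name}", "access": None},
]

# AppArmor audit messages are a flat sequence of key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_apparmor_line(line):
    """Return a dict of the key="value" fields, or None for non-AppArmor lines."""
    if 'apparmor="' not in line:
        return None
    return dict(KV_RE.findall(line))


def expand_rule_peer(rule_peer, profile):
    """@{profile_name} resolves to the name of the profile the rule lives in."""
    return rule_peer.replace("@{profile_name}", profile)


def rule_covers(rule, event):
    """True if this allow rule should have permitted the denied event."""
    if rule["operation"] != event.get("operation"):
        return False
    if expand_rule_peer(rule["peer"], event["profile"]) != event.get("peer"):
        return False
    if rule["access"] is not None:
        # With an explicit access list, every denied permission must be in it.
        denied = set(event.get("denied_mask", "").split())
        if not denied <= set(rule["access"]):
            return False
    return True


def denied_events(log_text):
    """All apparmor="DENIED" events in the log, as parsed dicts."""
    parsed = (parse_apparmor_line(l) for l in log_text.splitlines())
    return [e for e in parsed if e and e.get("apparmor") == "DENIED"]


def unexpected_denials(log_text, rules):
    """Denials that some rule in `rules` should have covered.

    A non-empty result means the loaded policy does not behave as written,
    which is exactly the symptom the bug report describes."""
    return [e for e in denied_events(log_text) if any(rule_covers(r, e) for r in rules)]


def summarize(events):
    """Count denials by (profile, operation, peer-or-path, denied_mask)."""
    return Counter(
        (e.get("profile"), e.get("operation"), e.get("peer") or e.get("name"), e.get("denied_mask"))
        for e in events
    )


if __name__ == "__main__":
    bad = unexpected_denials(SAMPLE_LOG, RULES)
    for key, n in summarize(bad).items():
        print(f"{n}x unexpected denial: profile={key[0]} op={key[1]} peer={key[2]} mask={key[3]}")
```

Run against a real `/var/log/kern.log` (or `dmesg` output) after reloading the profile from step 1: any line the script reports as unexpected is a denial the rule should have covered, which is the quick way to confirm whether the fixed apparmor package (or the linux-lts-utopic kernel named as the workaround) has actually resolved the problem on a given host.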
