← Back to team overview

touch-packages team mailing list archive

[Bug 1425398] Re: Apparmor uses rsyslogd profile for different processes - utopic HWE

 

Here is the patch to address the apparmor userspace component of this
bug as part of a trusty SRU. It's already been addressed in utopic and
later.

** Patch added: "tests-workaround_for_unix_socket_change-lp1425398.patch"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1425398/+attachment/4399542/+files/tests-workaround_for_unix_socket_change-lp1425398.patch

** Description changed:

- [rsyslog impact]
- This bug prevents rsyslog from receiving all events from other services on trusty when the utopic-hwe (and newer) kernels are used. The rsyslog SRU adds an additional permission (read access to /dev/log) to the rsyslog apparmor policy to allow this to work.
+ [apparmor impact]
  
- [rsyslog test case]
- (1) Ensure the rsyslog apparmor policy is set to enforce; it should show up listed in the "XX  profiles are in enforce mode." section reported by "sudo aa-status" (if it's disabled, do "sudo aa-enforce rsyslogd").
+ This bug generates false positives when using the apparmor regression
+ tests on the HWE kernels (utopic and newer), which means the kernel team
+ needs to examine test output to ensure that addiitional failures didn't
+ occur when testing new kernels.
  
- (2) Install the utopic or newer hwe enablement stack reboot into the
- kernel. Using the logger(1) utility should generate log messages (e.g.
- "logger foo") that are recorded in syslog; with this bug, they will be
- blocked (grep DENIED /var/log/syslog).
+ [apparmor test case]
  
- [rsyslog regression potential]
- The only change to rsyslog in the SRU is a slight loosening of the rsyslog apparmor policy. The risk of an introduced regression is small.
+ 1) install hwe kernel libapparmor-dev libdbus-1-dev attr
+ 2) apt-get source apparmor
+ 3) cd apparmor-2.8.95~2430/tests/regression/apparmor/
+ 4) make USE_SYSTEM=1
+ 5) sudo bash unix_socket_file.sh
  
- [rsyslog addition info]
- The qa-regression-testing script is useful for verifying that rsyslog is still functioning properly (http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/view/head:/scripts/test-rsyslog.py)
-  
+ If the bug has not been addressed, this test script will fail with the
+ following messages:
+ 
+ Error: unix_socket_file failed. Test 'socket file (dgram); confined server / access (w)' was expected to 'pass'. Reason for failure 'FAIL CLIENT - connect: Permission denied
+ FAIL - poll timed out'
+ Error: unix_socket_file failed. Test 'socket file (dgram); confined client w/ access (rw)' was expected to 'pass'. Reason for failure 'FAIL CLIENT - connect: Permission denied
+ FAIL - poll timed out'
+ 
+ and a return code of 2 (echo $?). If it has been fixed it should return
+ silently, with a return code of 0.
+ 
+ [apparmor regression potential]
+ 
+ The patch for this bug only affects the test suite for apparmor, which
+ is a loosening of the policy used in the specific failing testcases.
+ There should be no effect on the apparmor implementation proper from
+ this fix.
+ 
+ [apparmor additional info]
+ 
+ This testsuite is run as part of the test-apparmor.py test script
+ from lp:qa-regression-testing, and used as part of the kernel update
+ process, but is useful for ensuring that apparmor is functioning
+ properly.
  
  [Original description]
  I've noticed that apparmor loads /usr/sbin/rsyslogd profile for completely unrelated processes:
  
  Feb 25 08:36:19 emma kernel: [  134.796218] audit: type=1400 audit(1424842579.429:245): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4002 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 25 08:36:23 emma kernel: [  139.330989] audit: type=1400 audit(1424842583.965:246): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4080 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 25 08:35:42 emma kernel: [   97.912402] audit: type=1400 audit(1424842542.565:241): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=2436 comm="whoopsie" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
  Feb 25 08:34:43 emma kernel: [   38.867998] audit: type=1400 audit(1424842483.546:226): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=3762 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  
  I'm not sure how apparmor decides which profile to use for which task,
  but is shouldn't load '/usr/sbin/rsyslogd' profile for sshd/ntpd/etc.
  
  I'm running:
  # lsb_release -rd
  Description:	Ubuntu 14.04.2 LTS
  Release:	14.04
  
  # dpkg -l | grep apparmor
  ii  apparmor                            2.8.95~2430-0ubuntu5.1               amd64        User-space parser utility for AppArmor
  ii  apparmor-profiles                   2.8.95~2430-0ubuntu5.1               all          Profiles for AppArmor Security policies
  ii  apparmor-utils                      2.8.95~2430-0ubuntu5.1               amd64        Utilities for controlling AppArmor
  ii  libapparmor-perl                    2.8.95~2430-0ubuntu5.1               amd64        AppArmor library Perl bindings
  ii  libapparmor1:amd64                  2.8.95~2430-0ubuntu5.1               amd64        changehat AppArmor library
  ii  python3-apparmor                    2.8.95~2430-0ubuntu5.1               amd64        AppArmor Python3 utility library
  ii  python3-libapparmor                 2.8.95~2430-0ubuntu5.1               amd64        AppArmor library Python3 bindings
  
  # uname -a
  Linux emma 3.16.0-31-generic #41~14.04.1-Ubuntu SMP Wed Feb 11 19:30:13 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

** Changed in: apparmor (Ubuntu)
       Status: Invalid => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1425398

Title:
  Apparmor uses rsyslogd profile for different processes - utopic HWE

Status in apparmor package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Confirmed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in rsyslog package in Ubuntu:
  Fix Released
Status in apparmor source package in Trusty:
  In Progress
Status in linux source package in Trusty:
  Confirmed
Status in linux-lts-utopic source package in Trusty:
  Invalid
Status in rsyslog source package in Trusty:
  Fix Released

Bug description:
  [apparmor impact]

  This bug generates false positives when using the apparmor regression
  tests on the HWE kernels (utopic and newer), which means the kernel team
  needs to examine test output to ensure that addiitional failures didn't
  occur when testing new kernels.

  [apparmor test case]

  1) install hwe kernel libapparmor-dev libdbus-1-dev attr
  2) apt-get source apparmor
  3) cd apparmor-2.8.95~2430/tests/regression/apparmor/
  4) make USE_SYSTEM=1
  5) sudo bash unix_socket_file.sh

  If the bug has not been addressed, this test script will fail with the
  following messages:

  Error: unix_socket_file failed. Test 'socket file (dgram); confined server / access (w)' was expected to 'pass'. Reason for failure 'FAIL CLIENT - connect: Permission denied
  FAIL - poll timed out'
  Error: unix_socket_file failed. Test 'socket file (dgram); confined client w/ access (rw)' was expected to 'pass'. Reason for failure 'FAIL CLIENT - connect: Permission denied
  FAIL - poll timed out'

  and a return code of 2 (echo $?). If it has been fixed it should return
  silently, with a return code of 0.

  [apparmor regression potential]

  The patch for this bug only affects the test suite for apparmor, which
  is a loosening of the policy used in the specific failing testcases.
  There should be no effect on the apparmor implementation proper from
  this fix.

  [apparmor additional info]

  This testsuite is run as part of the test-apparmor.py test script
  from lp:qa-regression-testing, and used as part of the kernel update
  process, but is useful for ensuring that apparmor is functioning
  properly.

  [Original description]
  I've noticed that apparmor loads /usr/sbin/rsyslogd profile for completely unrelated processes:

  Feb 25 08:36:19 emma kernel: [  134.796218] audit: type=1400 audit(1424842579.429:245): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4002 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 25 08:36:23 emma kernel: [  139.330989] audit: type=1400 audit(1424842583.965:246): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4080 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Feb 25 08:35:42 emma kernel: [   97.912402] audit: type=1400 audit(1424842542.565:241): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=2436 comm="whoopsie" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
  Feb 25 08:34:43 emma kernel: [   38.867998] audit: type=1400 audit(1424842483.546:226): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=3762 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  I'm not sure how apparmor decides which profile to use for which task,
  but is shouldn't load '/usr/sbin/rsyslogd' profile for sshd/ntpd/etc.

  I'm running:
  # lsb_release -rd
  Description:	Ubuntu 14.04.2 LTS
  Release:	14.04

  # dpkg -l | grep apparmor
  ii  apparmor                            2.8.95~2430-0ubuntu5.1               amd64        User-space parser utility for AppArmor
  ii  apparmor-profiles                   2.8.95~2430-0ubuntu5.1               all          Profiles for AppArmor Security policies
  ii  apparmor-utils                      2.8.95~2430-0ubuntu5.1               amd64        Utilities for controlling AppArmor
  ii  libapparmor-perl                    2.8.95~2430-0ubuntu5.1               amd64        AppArmor library Perl bindings
  ii  libapparmor1:amd64                  2.8.95~2430-0ubuntu5.1               amd64        changehat AppArmor library
  ii  python3-apparmor                    2.8.95~2430-0ubuntu5.1               amd64        AppArmor Python3 utility library
  ii  python3-libapparmor                 2.8.95~2430-0ubuntu5.1               amd64        AppArmor library Python3 bindings

  # uname -a
  Linux emma 3.16.0-31-generic #41~14.04.1-Ubuntu SMP Wed Feb 11 19:30:13 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1425398/+subscriptions


References