[apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-31 Thread John Johansen
On 5/31/19 2:59 PM, Ian wrote:
> On Fri, 31 May 2019, Jamie wrote:
>> On Fri, 31 May 2019, Ian wrote:
>>
>>> The only thing outstanding is some trouble I run into after the initramfs
>>> chroot transition but before the apparmor service starts:
>>>
>>> May 31 12:10:55 1546-w-dev audit[5162]: AVC apparmor="ALLOWED"
>>> operation="exec" info="profile transition not found" error=-13
>>> profile="init-sys
>>> temd" name="/usr/bin/unshare" pid=5162 comm="(spawn)"
>>> requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>>> target="/usr/bin/unshare"
>>> May 31 12:10:54 1546-w-dev audit[5004]: AVC apparmor="ALLOWED"
>>> operation="exec" info="profile transition not found" error=-13
>>> profile="init-sys
>>> temd" name="/usr/bin/unshare" pid=5004 comm="(spawn)"
>>> requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>>> target="/usr/bin/unshare"
>>
>> Notice it is /usr/bin/unshare here, but you mention below that
>> '/usr/sbin/unshare' exists, but what you pasted looks correct. Is this a typo
>> in the email or somewhere else?
>>
>>> The /usr/sbin/unshare profile exists:
>>>
>>> root@1546-w-dev:/etc/apparmor.d# cat usr.bin.unshare
>>> profile usr.bin.unshare /usr/bin/unshare
>>> flags=(complain,attach_disconnected) {
>>>     #include
>>> }
> 
> Jamie,
> 
> That was a typo in the email. There is no /usr/sbin/unshare executable or 
> profile.
> 
> After everything loads, if I restart the "lvm2-pvscan@8:1" service that I 
> think is responsible for those errors during boot (systemctl shows it as 
> failed), it all works correctly.
> 
> ---
> 
> 
> On a different topic, when I attempted to run 'apt update', this happens:
> 
> type=AVC msg=audit(1559334318.936:8850): apparmor="ALLOWED" 
> operation="exec" info="no new privs" error=-1 
> profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11011 
> comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 
> target="usr.bin.apt_key"
> type=AVC msg=audit(1559334319.212:8851): apparmor="ALLOWED" 
> operation="exec" info="no new privs" error=-1 
> profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11013 
> comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 
> target="usr.bin.apt_key"
> type=AVC msg=audit(1559334319.228:8852): apparmor="ALLOWED" 
> operation="exec" info="no new privs" error=-1 
> profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11015 
> comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 
> target="usr.bin.apt_key"
> type=AVC msg=audit(1559334319.332:8853): apparmor="ALLOWED" 
> operation="exec" info="no new privs" error=-1 
> profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11017 
> comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 
> target="usr.bin.apt_key"
> 
> 
> W: An error occurred during the signature verification. The repository is 
> not updated and the previous index files will be used. GPG error: 
> http://us.archive.ubuntu.com/ubuntu bionic InRelease: Couldn't execute 
> /usr/bin/apt-key to check 
> /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_bionic_InRelease
> W: An error occurred during the signature verification. The repository is 
> not updated and the previous index files will be used. GPG error: 
> http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease: Couldn't 
> execute /usr/bin/apt-key to check 
> /var/lib/apt/lists/partial/us.archive.ubuntu.com_ubuntu_dists_bionic-updates_InRelease
> W: An error occurred during the signature verification. The repository is 
> not updated and the previous index files will be used. GPG error: 
> http://security.ubuntu.com/ubuntu bionic-security InRelease: Couldn't execute 
> /usr/bin/apt-key to check 
> /var/lib/apt/lists/partial/security.ubuntu.com_ubuntu_dists_bionic-security_InRelease
> W: An error occurred during the signature verification. The repository is 
> not updated and the previous index files will be used. GPG error: 
> http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease: Couldn't 
> execute /usr/bin/apt-key to check 
> /var/lib/apt/lists/partial/us.archive.ubuntu.com_ubuntu_dists_bionic-backports_InRelease
> 
> 
> It's not clear to me why it thinks I would be requesting new privs when all 
> of the profiles I've created have the exact same priv requests.  It's also 
> odd that apparmor is stating "ALLOWED" but then still blocking the execution?
> 

Because when no-new-privs landed it was mandated that the LSMs not override 
it. No-new-privs is not part of apparmor but the broader kernel, and was 
provided as a way for a task to lock down privileges to the current set.

prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);

It was added with seccomp (3.5) so that the task could do setup and then lock 
its sandbox/security env down. At the time the LSMs were told it should apply 
to them as well. With seccomp use expanding and systemd now 

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-31 Thread Ian

On Fri, 31 May 2019, Jamie wrote:

> On Fri, 31 May 2019, Ian wrote:
>
>> The only thing outstanding is some trouble I run into after the initramfs
>> chroot transition but before the apparmor service starts:
>>
>> May 31 12:10:55 1546-w-dev audit[5162]: AVC apparmor="ALLOWED"
>> operation="exec" info="profile transition not found" error=-13
>> profile="init-sys
>> temd" name="/usr/bin/unshare" pid=5162 comm="(spawn)"
>> requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>> target="/usr/bin/unshare"
>> May 31 12:10:54 1546-w-dev audit[5004]: AVC apparmor="ALLOWED"
>> operation="exec" info="profile transition not found" error=-13
>> profile="init-sys
>> temd" name="/usr/bin/unshare" pid=5004 comm="(spawn)"
>> requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>> target="/usr/bin/unshare"
>
> Notice it is /usr/bin/unshare here, but you mention below that
> '/usr/sbin/unshare' exists, but what you pasted looks correct. Is this a typo
> in the email or somewhere else?
>
>> The /usr/sbin/unshare profile exists:
>>
>> root@1546-w-dev:/etc/apparmor.d# cat usr.bin.unshare
>> profile usr.bin.unshare /usr/bin/unshare
>> flags=(complain,attach_disconnected) {
>>     #include
>> }


Jamie,

That was a typo in the email. There is no /usr/sbin/unshare executable 
or profile.


After everything loads, if I restart the "lvm2-pvscan@8:1" service that 
I think is responsible for those errors during boot (systemctl shows it 
as failed), it all works correctly.


---


On a different topic, when I attempted to run 'apt update', this happens:

   type=AVC msg=audit(1559334318.936:8850): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 
profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11011 comm="gpgv" requested_mask="x" denied_mask="x" 
fsuid=104 ouid=0 target="usr.bin.apt_key"
   type=AVC msg=audit(1559334319.212:8851): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 
profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11013 comm="gpgv" requested_mask="x" denied_mask="x" 
fsuid=104 ouid=0 target="usr.bin.apt_key"
   type=AVC msg=audit(1559334319.228:8852): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 
profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11015 comm="gpgv" requested_mask="x" denied_mask="x" 
fsuid=104 ouid=0 target="usr.bin.apt_key"
   type=AVC msg=audit(1559334319.332:8853): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 
profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11017 comm="gpgv" requested_mask="x" denied_mask="x" 
fsuid=104 ouid=0 target="usr.bin.apt_key"


   W: An error occurred during the signature verification. The repository is 
not updated and the previous index files will be used. GPG error: 
http://us.archive.ubuntu.com/ubuntu bionic InRelease: Couldn't execute 
/usr/bin/apt-key to check 
/var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_bionic_InRelease
   W: An error occurred during the signature verification. The repository is 
not updated and the previous index files will be used. GPG error: 
http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease: Couldn't execute 
/usr/bin/apt-key to check 
/var/lib/apt/lists/partial/us.archive.ubuntu.com_ubuntu_dists_bionic-updates_InRelease
   W: An error occurred during the signature verification. The repository is 
not updated and the previous index files will be used. GPG error: 
http://security.ubuntu.com/ubuntu bionic-security InRelease: Couldn't execute 
/usr/bin/apt-key to check 
/var/lib/apt/lists/partial/security.ubuntu.com_ubuntu_dists_bionic-security_InRelease
   W: An error occurred during the signature verification. The repository is 
not updated and the previous index files will be used. GPG error: 
http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease: Couldn't 
execute /usr/bin/apt-key to check 
/var/lib/apt/lists/partial/us.archive.ubuntu.com_ubuntu_dists_bionic-backports_InRelease


It's not clear to me why it thinks I would be requesting new privs when 
all of the profiles I've created have the exact same priv requests.  
It's also odd that apparmor is stating "ALLOWED" but then still blocking 
the execution?


Running pstree at the same time as apt shows the following order: 
systemd, sshd, sshd, sshd, bash, sudo, bash, apt, gpgv (and http, http), 
gpgv


   root@1546-w-dev:/etc/apparmor.d# cat usr.lib.apt.methods.gpgv
   profile usr.lib.apt.methods.gpgv /usr/lib/apt/methods/gpgv
   flags=(complain) {
    #include 
   }


   root@1546-w-dev:/etc/apparmor.d# cat usr.bin.apt_key
   profile usr.bin.apt_key /usr/bin/apt-key flags=(complain) {
    #include 
   }


Have I run into this? 
https://lists.ubuntu.com/archives/apparmor/2018-November/011846.html


   root@1546-w-dev:/etc/apparmor.d# uname -r
   4.15.0-50-generic

I see this problem with 'man' too.

I'm sooo close to getting this working...

-- 
AppArmor mailing 
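The audit lines Ian pasted above, together with John's explanation of no-new-privs in the first message of this thread, can be triaged mechanically. The following Python is an added example, not code from the thread or from the AppArmor project: it parses the key=value fields of AVC lines and separates the situations the thread shows. The `apparmor="ALLOWED"` verdict only says the profile is in complain mode; for an exec event that also carries an `info`/`error` pair, the kernel still refused the exec, either because the calling task has no_new_privs set (which an LSM is not allowed to override) or because no loaded profile matched the px/Px target at the moment of exec. The first two sample lines are taken from the thread (the wrapped "init-systemd" profile name rejoined); the remaining two lines and the `LOADED_PROFILES` set, which stands in for aa-status output, are constructed for the demo. The function names `parse_event`, `triage` and `triage_lines` are this example's own.

```python
import re

# key=value pairs as AppArmor prints them: values are either "quoted" or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Sample events.  The first two are from the thread (wrapped profile name
# rejoined); the last two are constructed: a plain complain-mode file access
# and an enforce-mode denial.
SAMPLE_EVENTS = [
    'May 31 12:10:55 1546-w-dev audit[5162]: AVC apparmor="ALLOWED" operation="exec" '
    'info="profile transition not found" error=-13 profile="init-systemd" '
    'name="/usr/bin/unshare" pid=5162 comm="(spawn)" requested_mask="x" '
    'denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/unshare"',
    'type=AVC msg=audit(1559334318.936:8850): apparmor="ALLOWED" operation="exec" '
    'info="no new privs" error=-1 profile="usr.lib.apt.methods.gpgv" '
    'name="/usr/bin/apt-key" pid=11011 comm="gpgv" requested_mask="x" '
    'denied_mask="x" fsuid=104 ouid=0 target="usr.bin.apt_key"',
    'May 31 12:11:02 1546-w-dev audit[5200]: AVC apparmor="ALLOWED" operation="open" '
    'profile="usr.bin.snap" name="/etc/hosts" pid=5200 comm="snap" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1559334400.000:9001): apparmor="DENIED" operation="open" '
    'profile="usr.bin.snap" name="/etc/shadow" pid=5300 comm="snap" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# Constructed stand-in for what aa-status would list once the AppArmor service
# has finished loading: profile names and the paths they attach to.
LOADED_PROFILES = {
    "init-systemd",
    "usr.bin.unshare", "/usr/bin/unshare",
    "usr.bin.snap", "/usr/bin/snap",
    "usr.lib.apt.methods.gpgv", "/usr/lib/apt/methods/gpgv",
    "usr.bin.apt_key", "/usr/bin/apt-key",
}


def parse_event(line):
    """Return the key=value fields of one AVC line as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def triage(line, loaded_profiles):
    """Classify one AVC line; returns (outcome, explanation)."""
    ev = parse_event(line)
    if "apparmor" not in ev or "operation" not in ev:
        return ("not-an-avc", "line carries no AppArmor verdict")

    op = ev["operation"]
    info = ev.get("info", "")
    error = int(ev.get("error", "0"))
    profile = ev.get("profile", "?")
    subject = ev.get("target") or ev.get("name", "?")

    if ev["apparmor"] == "DENIED":
        return ("enforced:denied",
                f"{profile} is in enforce mode; {op} of {subject} was refused by policy")

    # Verdict is ALLOWED: the profile is in complain mode.  For exec events the
    # kernel may nevertheless have refused the exec; the info/error pair says why.
    if op == "exec" and info == "no new privs":
        return ("refused:no_new_privs",
                f"pid {ev.get('pid')} ({ev.get('comm')}) has no_new_privs set, so the "
                f"kernel refused the exec of {subject}: leaving {profile} would change "
                "its confinement, and complain mode cannot override no_new_privs")

    if op == "exec" and info == "profile transition not found":
        if subject in loaded_profiles:
            why = ("a profile for it is loaded now, so the exec most likely ran "
                   "before the AppArmor service had loaded the profiles")
        else:
            why = "no loaded profile attaches to it"
        return ("refused:no_profile_at_exec",
                f"{profile} wanted a px/Px transition to {subject} but {why}")

    if error:
        return ("refused:other",
                f"{op} on {subject} from {profile} failed with error {error} "
                f"({info or 'no info'})")

    return ("complain:logged_only",
            f"{profile} did {op} on {subject} (mask {ev.get('denied_mask')}); allowed "
            "because the profile is in complain mode, enforce mode would deny it")


def triage_lines(lines, loaded_profiles):
    """Outcome label for every line, in input order."""
    return [triage(line, loaded_profiles)[0] for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        outcome, why = triage(line, LOADED_PROFILES)
        print(f"{outcome:28} {why}")
```

Run against the thread's own lines this reports the unshare exec as refused for lack of a loaded target profile (with the hint that the profile exists now, i.e. a load-order race) and the apt-key exec as refused by no_new_privs; neither would be fixed by adding rules to a complain-mode profile, which is the point of John's reply.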

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-31 Thread Jamie Strandboge
On Fri, 31 May 2019, Ian wrote:

> The only thing outstanding is some trouble I run into after the initramfs
> chroot transition but before the apparmor service starts:
> 
>May 31 12:10:55 1546-w-dev audit[5162]: AVC apparmor="ALLOWED"
>operation="exec" info="profile transition not found" error=-13
>profile="init-sys
>temd" name="/usr/bin/unshare" pid=5162 comm="(spawn)"
>requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>target="/usr/bin/unshare"
>May 31 12:10:54 1546-w-dev audit[5004]: AVC apparmor="ALLOWED"
>operation="exec" info="profile transition not found" error=-13
>profile="init-sys
>temd" name="/usr/bin/unshare" pid=5004 comm="(spawn)"
>requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>target="/usr/bin/unshare"

Notice it is /usr/bin/unshare here, but you mention below that
'/usr/sbin/unshare' exists, but what you pasted looks correct. Is this a typo
in the email or somewhere else?

> The /usr/sbin/unshare profile exists:
> 
>root@1546-w-dev:/etc/apparmor.d# cat usr.bin.unshare
>profile usr.bin.unshare /usr/bin/unshare
>flags=(complain,attach_disconnected) {
>     #include 
>}

-- 
Jamie Strandboge | http://www.canonical.com




Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-31 Thread Ian


On 5/30/19 12:04 PM, Simon McVittie wrote:
> On Thu, 30 May 2019 at 11:47:35 -0700, Ian wrote:
>> I did notice this in /var/log/syslog:
>>
>>  May 30 10:46:51 1546-w-dev dbus-daemon[9496]: [system] Activating systemd
>>  to hand-off: service name='org.freedesktop.hostname1' unit=
>>  'dbus-org.freedesktop.hostname1.service' requested by ':1.21' (uid=0 pid=
>>  10058 comm="/usr/sbin/NetworkManager --no-daemon " label=
>>  "usr.sbin.NetworkManager (complain)"
>
> This does not, in itself, indicate a bug. Whenever dbus-daemon logs an
> "interesting" action like service activation, it logs all the information
> it knows about the requesting process, which on AppArmor systems includes
> the AppArmor label.
>
> (complain) means the usr.sbin.NetworkManager profile is loaded in
> "complain" mode, meaning that if NM does anything that would violate its
> AppArmor policy, it will be logged as ALLOWED and allowed to happen,
> instead of being denied. If this is not what you wanted, please look
> more closely at your AppArmor policies.
>
>  smcv


Simon, thanks for clearing that one up.

I was able to get the system to fully boot by changing

  /** Px,

to

  /** px,

in the lib.systemd.systemd post chroot profile.

The only thing outstanding is some trouble I run into after the 
initramfs chroot transition but before the apparmor service starts:


   May 31 12:10:55 1546-w-dev audit[5162]: AVC apparmor="ALLOWED"
   operation="exec" info="profile transition not found" error=-13
   profile="init-sys
   temd" name="/usr/bin/unshare" pid=5162 comm="(spawn)"
   requested_mask="x" denied_mask="x" fsuid=0 ouid=0
   target="/usr/bin/unshare"
   May 31 12:10:54 1546-w-dev audit[5004]: AVC apparmor="ALLOWED"
   operation="exec" info="profile transition not found" error=-13
   profile="init-sys
   temd" name="/usr/bin/unshare" pid=5004 comm="(spawn)"
   requested_mask="x" denied_mask="x" fsuid=0 ouid=0
   target="/usr/bin/unshare"


   [   42.159486] apparmor[635]:  * Starting AppArmor profiles

   [   49.102218] [5004]: failed to execute '/usr/bin/unshare'
   '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/sda1':
   Permission denied
   [   49.106734] systemd-udevd[699]: Process '/usr/bin/unshare -m
   /usr/bin/snap auto-import --mount=/dev/sda1' failed with exit code 2.

   [   49.119734] [5162]: failed to execute '/usr/bin/unshare'
   '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/dm-1':
   Permission denied
   [   49.124361] systemd-udevd[5160]: Process '/usr/bin/unshare -m
   /usr/bin/snap auto-import --mount=/dev/dm-1' failed with exit code 2.

   [  *** ] A start job is running for AppArmor initialization (15s /
   no limit)

   [   56.349850] auditd[753]: Audit daemon rotating log files
   [  OK  ] Started AppArmor initialization.

The /usr/sbin/unshare profile exists:

   root@1546-w-dev:/etc/apparmor.d# cat usr.bin.unshare
   profile usr.bin.unshare /usr/bin/unshare
   flags=(complain,attach_disconnected) {
    #include 
   }


   root@1546-w-dev:/etc/apparmor.d# cat local/whitelist
    network,
    signal,
    mount,
    pivot_root,
    ptrace,
    unix,
    dbus,
    umount,
    capability,
    / mrwlk,
    /** mrwlk,
    /** px,

As does /usr/bin/snap profile:

   root@1546-w-dev:/etc/apparmor.d# cat usr.bin.snap
   profile usr.bin.snap /usr/bin/snap
   flags=(complain,attach_disconnected) {
    #include 
   }

aa-status shows both of these loaded under "complain".

Is this a timing thing? Something attempting to load as apparmor 
transitions? i.e., apparmor is still loading profiles when 
/usr/bin/unshare is being executed?

