[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2021-09-24 Thread Andreas Hasenack
This change regressed my apparmor profile for a script I'm working on,
which walks over processes using python3-psutil, in bionic.

I have this config in the apparmor profile:

  capability sys_ptrace,
  ptrace trace,

With kernel 4.15.0-154-generic #161 it works.

With kernel 4.15.0-158-generic #166 I get a DENIED error and the script
backtraces when reading, for example, /proc//fd/0 of some process,
with os.readlink():

[   19.223703] audit: type=1400 audit(1632507704.072:30): apparmor="DENIED" operation="ptrace" profile="/etc/hostos-monitoring/plugins.d/process-monitoring" pid=1098 comm="process-monitor" requested_mask="read" denied_mask="read" peer="unconfined"

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1890848

Title:
  'ptrace trace' needed to readlink() /proc/*/ns/* files on older
  kernels

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Triaged
Status in linux source package in Bionic:
  Fix Released

Bug description:
  SRU Justification:

  [Impact]
  Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
  only 'ptrace read' should be required according to 'man namespaces':

  "Permission to dereference or read (readlink(2)) these symbolic links
  is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
  ptrace(2)."

  [Fix]

  Upstream commit 338d0be437ef10e247a35aed83dbab182cf406a2 fixes ptrace
  read check.

  [Test Plan]

  BugLink contains the source of a binary that reproduces the issue. In
  summary, it executes readlink() on /proc/*/ns/*. There's also a policy
  that has only 'ptrace read' permission. When the bug is fixed,
  execution is allowed.

  [Where problems could occur]

  The regression can be considered as low, since it's lowering the number
  of permissions required. Existing policies that already contain the
  permission 'ptrace trace' and 'ptrace read' will have a broader policy
  than required.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1890848/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
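The [Test Plan] above is "readlink() on /proc/*/ns/* under a profile that only has 'ptrace read'". Below is that plan re-implemented in Python as an added example (it is not code from the bug report or from Ubuntu; the function names and the NS_NAMES list are this example's own choices). It surveys every namespace link of one process and maps each failure to what a profile author needs to know: EACCES is how a ptrace access-mode or AppArmor ptrace denial surfaces in user space, while ENOENT means the process is gone or the kernel has no such link.

```python
"""Re-implementation of the test plan in Python: readlink() every
/proc/<pid>/ns/* link of one process and classify each failure.

Added example, not code from the bug report; the function names and the
NS_NAMES list are this example's own choices.
"""
import errno
import os

# Namespace links a process exposes under /proc/<pid>/ns/ (see namespaces(7)).
NS_NAMES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def ns_path(pid, ns):
    """Same path the C reproducer builds with snprintf("/proc/%d/ns/%s")."""
    if pid <= 0 or ns not in NS_NAMES:
        raise ValueError("invalid pid or namespace name")
    return "/proc/%d/ns/%s" % (pid, ns)


def classify_error(err):
    """Map readlink()'s OSError to a short verdict.

    EACCES is how a PTRACE_MODE_READ failure (or the AppArmor ptrace denial
    behind it) looks from user space; ENOENT means the process is gone or
    the kernel has no such namespace link.
    """
    if err.errno == errno.EACCES:
        return "denied"
    if err.errno == errno.ENOENT:
        return "missing"
    return "error:" + errno.errorcode.get(err.errno, str(err.errno))


def readlink_ns(pid, ns):
    """Return ("ok", "pid:[4026531836]") on success or (verdict, None)."""
    try:
        return "ok", os.readlink(ns_path(pid, ns))
    except OSError as err:
        return classify_error(err), None


def survey(pid, names=NS_NAMES):
    """readlink() every namespace link of one process: {ns: (verdict, target)}."""
    return {ns: readlink_ns(pid, ns) for ns in names}


def survey_self():
    """Survey the calling process, the one target always present in /proc."""
    return survey(os.getpid())


def denied_namespaces(results):
    """Namespaces whose readlink() failed with EACCES, sorted for stable output."""
    return sorted(ns for ns, (verdict, _) in results.items() if verdict == "denied")


if __name__ == "__main__":
    import sys
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    results = survey(target)
    for ns, (verdict, link) in results.items():
        print("%-7s %-8s %s" % (ns, verdict, link or ""))
    if denied_namespaces(results):
        # On a fixed kernel the confined reader needs 'ptrace (read)'; the
        # unfixed 4.4/4.15 kernels in this bug only accept 'ptrace (trace)'.
        print("denied: " + ", ".join(denied_namespaces(results)))
```

Run it as `python3 survey.py 1` from inside the confined profile (for example via `aa-exec -p test`): on an unfixed Xenial or Bionic kernel with only 'ptrace (read)' in the profile every namespace comes back "denied", on the fixed kernel they all come back "ok".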


[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2021-09-07 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.15.0-156.163

---
linux (4.15.0-156.163) bionic; urgency=medium

  * bionic/linux: 4.15.0-156.163 -proposed tracker (LP: #1940162)

  * linux (LP: #1940564)
- SAUCE: Revert "scsi: core: Cap scsi_host cmd_per_lun at can_queue"

  * fails to launch linux L2 guests on AMD (LP: #1940134) // CVE-2021-3653
- KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
  (CVE-2021-3653)

  * fails to launch linux L2 guests on AMD (LP: #1940134)
- SAUCE: Revert "UBUNTU: SAUCE: KVM: nSVM: avoid picking up unsupported bits
  from L2 in int_ctl"

linux (4.15.0-155.162) bionic; urgency=medium

  * bionic/linux: 4.15.0-155.162 -proposed tracker (LP: #1939833)

  * Packaging resync (LP: #1786013)
- debian/dkms-versions -- update from kernel-versions (main/2021.08.16)

  * CVE-2021-3656
- SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

  * CVE-2021-3653
- SAUCE: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

  * dev_forward_skb: do not scrub skb mark within the same name space
(LP: #1935040)
- dev_forward_skb: do not scrub skb mark within the same name space

  * 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels
(LP: #1890848)
- apparmor: fix ptrace read check

  * Bionic update: upstream stable patchset 2021-08-03 (LP: #1938824)
- ALSA: usb-audio: fix rate on Ozone Z90 USB headset
- media: dvb-usb: fix wrong definition
- Input: usbtouchscreen - fix control-request directions
- net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
- usb: gadget: eem: fix echo command packet response issue
- USB: cdc-acm: blacklist Heimann USB Appset device
- ntfs: fix validity check for file name attribute
- iov_iter_fault_in_readable() should do nothing in xarray case
- Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
- ARM: dts: at91: sama5d4: fix pinctrl muxing
- btrfs: send: fix invalid path for unlink operations after parent
  orphanization
- btrfs: clear defrag status of a root if starting transaction fails
- ext4: cleanup in-core orphan list if ext4_truncate() failed to get a
  transaction handle
- ext4: fix kernel infoleak via ext4_extent_header
- ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit
- ext4: remove check for zero nr_to_scan in ext4_es_scan()
- ext4: fix avefreec in find_group_orlov
- ext4: use ext4_grp_locked_error in mb_find_extent
- can: gw: synchronize rcu operations before removing gw job entry
- can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue 
in
  TX path
- SUNRPC: Fix the batch tasks count wraparound.
- SUNRPC: Should wake up the privileged task firstly.
- s390/cio: dont call css_wait_for_slow_path() inside a lock
- rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path
- iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and 
PS_DATA
  as volatile, too
- iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR
- iio: ltr501: ltr501_read_ps(): add missing endianness conversion
- serial: sh-sci: Stop dmaengine transfer in sci_stop_tx()
- serial_cs: Add Option International GSM-Ready 56K/ISDN modem
- serial_cs: remove wrong GLOBETROTTER.cis entry
- ath9k: Fix kernel NULL pointer dereference during ath_reset_internal()
- ssb: sdio: Don't overwrite const buffer if block_write fails
- rsi: Assign beacon rate settings to the correct rate_info descriptor field
- seq_buf: Make trace_seq_putmem_hex() support data longer than 8
- fuse: check connected before queueing on fpq->io
- spi: Make of_register_spi_device also set the fwnode
- spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf'
- spi: spi-topcliff-pch: Fix potential double free in
  pch_spi_process_messages()
- spi: omap-100k: Fix the length judgment problem
- crypto: nx - add missing MODULE_DEVICE_TABLE
- media: cpia2: fix memory leak in cpia2_usb_probe
- media: cobalt: fix race condition in setting HPD
- media: pvrusb2: fix warning in pvr2_i2c_core_done
- crypto: qat - check return code of qat_hal_rd_rel_reg()
- crypto: qat - remove unused macro in FW loader
- media: em28xx: Fix possible memory leak of em28xx struct
- media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release
- media: bt8xx: Fix a missing check bug in bt878_probe
- media: st-hva: Fix potential NULL pointer dereferences
- media: dvd_usb: memory leak in cinergyt2_fe_attach
- mmc: via-sdmmc: add a check against NULL pointer dereference
- crypto: shash - avoid comparing pointers to exported functions under CFI
- media: dvb_net: avoid speculation from net slot
- media: siano: fix device register error path
- btrfs: fix error handling in __btrfs_update_delayed_inode
- btrfs: abort transaction if 

[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2021-08-20 Thread Georgia Garcia
Tested on bionic-proposed using the test binary that can be obtained in
the old description and it worked as expected:

root@ubuntu:~# gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
rpath: pid:[4026531836]
root@ubuntu:~# uname -a
Linux ubuntu 4.15.0-156-generic #163-Ubuntu SMP Thu Aug 19 23:31:58 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic



[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2021-08-20 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
bionic' to 'verification-done-bionic'. If the problem still exists,
change the tag 'verification-needed-bionic' to 'verification-failed-
bionic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-bionic



[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2021-08-06 Thread Kelsey Skunberg
** Changed in: linux (Ubuntu Bionic)
   Status: Triaged => Fix Committed



[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2021-07-19 Thread Ian Johnson
Also to be clear, from jjohansen's comment to me last week, all of the
necessary patches are available in the 5.4 focal kernel, so kernels for
UC20 from canonical snaps should contain this fix on the 20 track.



[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2021-07-16 Thread Georgia Garcia
From the commits mentioned that solve the issue, 338d0be437ef was not
available on 4.15 kernels. The cherry-pick was submitted to the kernel
team for approval.

** Description changed:

- Per 'man namespaces':
+ SRU Justification:
  
- "Permission to dereference or read (readlink(2)) these symbolic links is
- governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
+ [Impact]
+ Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
+ only 'ptrace read' should be required according to 'man namespaces':
+ 
+ "Permission to dereference or read (readlink(2)) these symbolic links
+ is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
  ptrace(2)."
  
- This suggests that a 'ptrace read' rule should be sufficient to
- readlink() /proc/*/ns/*, which is the case with 5.4.0-42.46-generic
- (Ubuntu 20.04 LTS).
+ [Fix]
  
- However, on Ubuntu 18.04 LTS and 16.04 LTS, 'ptrace trace' is needed.
- Here is a reproducer:
+ Upstream commit 338d0be437ef10e247a35aed83dbab182cf406a2 fixes ptrace
+ read check.
  
- $ cat ./readlink-ns.c
- #include 
- #include 
- #include 
- #include 
- #include 
- #include 
- #include 
+ [Test Plan]
  
- void usage() {
-   fprintf(stderr, "Usage: readlink-ns -p  -n \n");
- }
+ BugLink contains the source of a binary that reproduces the issue. In
+ summary, it executes readlink() on /proc/*/ns/*. There's also a policy
+ that has only 'ptrace read' permission. When the bug is fixed,
+ execution is allowed.
  
- int main(int argc, char *argv[])
- {
-   pid_t pid = 0;
-   char *ns = NULL;
-   char path[PATH_MAX] = {};
-   char rpath[PATH_MAX] = {};
-   int c;
+ [Where problems could occur]
  
-   while ((c = getopt(argc, argv, "hn:p:")) != -1) {
-   switch(c) {
-   case 'n':
-   ns = optarg;
-   break;
-   case 'p':
-   pid = atoi(optarg);
-   break;
-   case 'h':
-   usage();
-   return 0;
-   case '?':
-   usage();
-   return 1;
-   default:
-   return 1;
-   }
-   }
- 
-   int n = snprintf(path, sizeof(path), "/proc/%d/ns/%s", pid, ns);
-   if (n < 0 || (size_t)n >= sizeof(path)) {
-   fprintf(stderr, "cannot format string\n");
-   return 1;
-   }
-   path[n] = '\0';
-   printf("path:  %s\n", path);
- 
-   n = readlink(path, rpath, sizeof(rpath));
-   if (n < 0) {
-   perror("readlink()");
-   return 1;
-   } else if (n == sizeof(rpath)) {
-   fprintf(stderr, "cannot readlink()\n");
-   return 1;
-   }
-   printf("rpath: %s\n", rpath);
- 
-   return 0;
- }
- 
- $ cat ./readlink-ns.apparmor
- #include 
- 
- profile test {
-   #include 
- 
-   # focal
-   ptrace (read) peer="unconfined",
- 
-   # xenial, bionic
-   #ptrace (trace) peer="unconfined",
- }
- 
- 
- # bionic and xenial need 'ptrace trace'
- $ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && 
sudo aa-exec -p test -- ./a.out -p 1 -n pid
- path:  /proc/1/ns/pid
- readlink(): Permission denied
- 
- Denial:
- Aug 07 14:40:59 sec-bionic-amd64 kernel: audit: type=1400 
audit(1596829259.675:872): apparmor="DENIED" operation="ptrace" profile="test" 
pid=1311 comm="a.out" requested_mask="trace" denied_mask="trace" 
peer="unconfined"
- 
- 
- # focal needs only 'ptrace read'
- $ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && 
sudo aa-exec -p test -- ./a.out -p 1 -n pid
- path:  /proc/1/ns/pid
- rpath: pid:[4026531836]
+ The regression can be considered as low, since it's lowering the number
+ of permissions required. Existing policies that already contain the
+ permission 'ptrace trace' and 'ptrace read' will have a broader policy
+ than required.


[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2020-08-14 Thread Jamie Strandboge
FYI, John provided me a test kernel for 18.04 and it resolved the issue.
This will be the basis of the SRU.

Bug description:
  Per 'man namespaces':

  "Permission to dereference or read (readlink(2)) these symbolic links is
  governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
  ptrace(2)."

  This suggests that a 'ptrace read' rule should be sufficient to
  readlink() /proc/*/ns/*, which is the case with 5.4.0-42.46-generic
  (Ubuntu 20.04 LTS).

  However, on Ubuntu 18.04 LTS and 16.04 LTS, 'ptrace trace' is needed.
  Here is a reproducer:

  $ cat ./readlink-ns.c
  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>
  #include <limits.h>
  #include <sys/types.h>

  void usage() {
          fprintf(stderr, "Usage: readlink-ns -p <pid> -n <ns>\n");
  }

  int main(int argc, char *argv[])
  {
          pid_t pid = 0;
          char *ns = NULL;
          char path[PATH_MAX] = {};
          char rpath[PATH_MAX] = {};
          int c;

          while ((c = getopt(argc, argv, "hn:p:")) != -1) {
                  switch(c) {
                  case 'n':
                          ns = optarg;
                          break;
                  case 'p':
                          pid = atoi(optarg);
                          break;
                  case 'h':
                          usage();
                          return 0;
                  case '?':
                          usage();
                          return 1;
                  default:
                          return 1;
                  }
          }

          /* both options are required: passing a NULL ns to %s is undefined */
          if (ns == NULL || pid <= 0) {
                  usage();
                  return 1;
          }

          int n = snprintf(path, sizeof(path), "/proc/%d/ns/%s", pid, ns);
          if (n < 0 || (size_t)n >= sizeof(path)) {
                  fprintf(stderr, "cannot format string\n");
                  return 1;
          }
          path[n] = '\0';
          printf("path:  %s\n", path);

          /* readlink() does not NUL-terminate; rpath is zeroed and a full
           * buffer means the target was truncated, so treat that as an error */
          n = readlink(path, rpath, sizeof(rpath));
          if (n < 0) {
                  perror("readlink()");
                  return 1;
          } else if (n == sizeof(rpath)) {
                  fprintf(stderr, "cannot readlink()\n");
                  return 1;
          }
          printf("rpath: %s\n", rpath);

          return 0;
  }

  $ cat ./readlink-ns.apparmor
  #include <tunables/global>

  profile test {
          #include <abstractions/base>

          # focal
          ptrace (read) peer="unconfined",

          # xenial, bionic
          #ptrace (trace) peer="unconfined",
  }

  
  # bionic and xenial need 'ptrace trace'
  $ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
  path:  /proc/1/ns/pid
  readlink(): Permission denied

  Denial:
  Aug 07 14:40:59 sec-bionic-amd64 kernel: audit: type=1400 audit(1596829259.675:872): apparmor="DENIED" operation="ptrace" profile="test" pid=1311 comm="a.out" requested_mask="trace" denied_mask="trace" peer="unconfined"

  # focal needs only 'ptrace read'
  $ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
  path:  /proc/1/ns/pid
  rpath: pid:[4026531836]

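The denial quoted in the reproducer above (requested_mask="trace" on an unfixed Bionic kernel) and the one in the 2021-09-24 report at the top of the thread (requested_mask="read" on a fixed kernel, against a profile that only had 'ptrace trace,') are the two faces of this bug. The following added example (not code from the thread or from AppArmor; SAMPLE_LOG is constructed from those two lines plus one unrelated file denial, and the function names are this example's own) parses AppArmor audit lines and, for each ptrace denial, derives the rule that grants exactly the permission that was refused, so a profile author can see at a glance that 'trace' does not cover 'read'.

```python
"""Parse AppArmor 'DENIED' audit lines for ptrace and derive the rule that
would grant exactly what was refused.

Added example, not part of the bug thread. SAMPLE_LOG is constructed from
the two denials quoted in this thread (the reproducer and the psutil-based
monitor) plus one unrelated file denial; function names are this example's own.
"""
import re

SAMPLE_LOG = """\
Aug 07 14:40:59 sec-bionic-amd64 kernel: audit: type=1400 audit(1596829259.675:872): apparmor="DENIED" operation="ptrace" profile="test" pid=1311 comm="a.out" requested_mask="trace" denied_mask="trace" peer="unconfined"
[   19.223703] audit: type=1400 audit(1632507704.072:30): apparmor="DENIED" operation="ptrace" profile="/etc/hostos-monitoring/plugins.d/process-monitoring" pid=1098 comm="process-monitor" requested_mask="read" denied_mask="read" peer="unconfined"
Aug 07 14:41:03 sec-bionic-amd64 kernel: audit: type=1400 audit(1596829263.001:873): apparmor="DENIED" operation="open" profile="test" name="/etc/hostname" pid=1312 comm="a.out" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as the AppArmor audit code prints them
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The permissions an AppArmor ptrace rule can name.
PTRACE_PERMS = ("read", "trace", "readby", "tracedby")


def parse_audit_line(line):
    """Return {field: value} for one AppArmor audit line, None for anything else."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}


def ptrace_rule(fields):
    """Rule granting exactly the denied ptrace permission, for example
    'ptrace (read) peer="unconfined",'; None if this is not a ptrace denial.

    'trace' does not imply 'read': a profile carrying only 'ptrace trace,'
    is refused with denied_mask="read" on the fixed kernel (the regression
    reported in this thread), while the unfixed 4.4/4.15 kernels refuse
    'ptrace read' alone. A policy that must run on both grants both.
    """
    if not fields or fields.get("apparmor") != "DENIED":
        return None
    if fields.get("operation") != "ptrace":
        return None
    perm = fields.get("denied_mask")
    if perm not in PTRACE_PERMS:
        return None
    peer = fields.get("peer")
    peer_clause = ' peer="%s"' % peer if peer else ""
    return "ptrace (%s)%s," % (perm, peer_clause)


def suggest_rules(log_text):
    """Scan a log and collect, per profile, the ptrace rules its denials ask for."""
    rules = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        rule = ptrace_rule(fields)
        if rule:
            rules.setdefault(fields["profile"], set()).add(rule)
    return {profile: sorted(needed) for profile, needed in rules.items()}


if __name__ == "__main__":
    for profile, needed in suggest_rules(SAMPLE_LOG).items():
        print("profile %s needs:" % profile)
        for rule in needed:
            print("  " + rule)
```

Feed it `journalctl -k` or `/var/log/audit/audit.log` instead of SAMPLE_LOG to get the per-profile list for a real system; a monitor that must keep working across the kernel update in this thread ends up with both `ptrace (read) peer="unconfined",` and `ptrace (trace) peer="unconfined",`, which is exactly the "broader than required" case the [Where problems could occur] section calls harmless.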


[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2020-08-10 Thread Jamie Strandboge
I spoke with John and he plans to SRU this. Marking as triaged and
assigning to him. Thanks John!

** Changed in: linux (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Xenial)
   Status: Confirmed => Triaged

** Changed in: linux (Ubuntu Bionic)
   Status: Confirmed => Triaged

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Xenial)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: linux (Ubuntu Bionic)
 Assignee: (unassigned) => John Johansen (jjohansen)



[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2020-08-10 Thread Jamie Strandboge
Thanks John! Is this something that we can get into the next SRU cycle?



[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2020-08-07 Thread John Johansen
We didn't pick this up automatically because its Fixes tag is for when
ptrace rules landed upstream. But Ubuntu was carrying ptrace rules prior
to this.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1890848

Title:
  'ptrace trace' needed to readlink() /proc/*/ns/* files on older
  kernels

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Confirmed
Status in linux source package in Bionic:
  Confirmed

Bug description:
  Per 'man namespaces':

  "Permission to dereference or read (readlink(2)) these symbolic links is
  governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
  ptrace(2)."

  This suggests that a 'ptrace read' rule should be sufficient to
  readlink() /proc/*/ns/*, which is the case with 5.4.0-42.46-generic
  (Ubuntu 20.04 LTS).

  However, on Ubuntu 18.04 LTS and 16.04 LTS, 'ptrace trace' is needed.
  Here is a reproducer:

  $ cat ./readlink-ns.c
  /* the header names were lost in the archived mail; these are the ones the code needs */
  #include <limits.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <sys/types.h>
  #include <unistd.h>

  void usage(void) {
      fprintf(stderr, "Usage: readlink-ns -p <pid> -n <ns>\n");
  }

  int main(int argc, char *argv[])
  {
      pid_t pid = 0;
      char *ns = NULL;
      char path[PATH_MAX] = {0};
      char rpath[PATH_MAX] = {0};
      int c;

      while ((c = getopt(argc, argv, "hn:p:")) != -1) {
          switch (c) {
          case 'n':
              ns = optarg;
              break;
          case 'p':
              pid = atoi(optarg);
              break;
          case 'h':
              usage();
              return 0;
          case '?':
              usage();
              return 1;
          default:
              return 1;
          }
      }

      /* both options are required; passing a NULL ns to "%s" is undefined */
      if (pid <= 0 || ns == NULL) {
          usage();
          return 1;
      }

      int n = snprintf(path, sizeof(path), "/proc/%d/ns/%s", pid, ns);
      if (n < 0 || (size_t)n >= sizeof(path)) {
          fprintf(stderr, "cannot format string\n");
          return 1;
      }
      path[n] = '\0';
      printf("path:  %s\n", path);

      /* readlink() does not NUL-terminate; rpath is zero-filled and a full buffer is rejected */
      n = readlink(path, rpath, sizeof(rpath));
      if (n < 0) {
          perror("readlink()");
          return 1;
      } else if ((size_t)n >= sizeof(rpath)) {
          fprintf(stderr, "cannot readlink()\n");
          return 1;
      }
      printf("rpath: %s\n", rpath);

      return 0;
  }

  $ cat ./readlink-ns.apparmor
  # note: the include targets were lost in the archived mail; the standard ones are assumed
  #include <tunables/global>

  profile test {
    #include <abstractions/base>

    # focal
    ptrace (read) peer="unconfined",

    # xenial, bionic
    #ptrace (trace) peer="unconfined",
  }

  
  # bionic and xenial need 'ptrace trace'
  $ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
  path:  /proc/1/ns/pid
  readlink(): Permission denied

  Denial:
  Aug 07 14:40:59 sec-bionic-amd64 kernel: audit: type=1400 audit(1596829259.675:872): apparmor="DENIED" operation="ptrace" profile="test" pid=1311 comm="a.out" requested_mask="trace" denied_mask="trace" peer="unconfined"


  # focal needs only 'ptrace read'
  $ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
  path:  /proc/1/ns/pid
  rpath: pid:[4026531836]


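Added example (not from the bug report or the kernel/AppArmor projects): a small Python triage helper that parses AppArmor audit records like the two denials quoted in this thread and derives the ptrace rule each one asks for, flagging the 'trace' denials that the pre-fix kernels produce for a plain readlink(). The sample log lines are constructed from the quoted denials; the field layout is the standard AppArmor audit format.

```python
import re
# Key=value fields of an AppArmor audit record; values may be quoted or bare.
AUDIT_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Constructed sample lines modelled on the two denials quoted in this thread,
# plus an unrelated file denial that the ptrace triage must ignore.
SAMPLE_LINES = [
    # pre-fix kernel (xenial/bionic): readlink(/proc/1/ns/pid) is checked as "trace"
    'audit: type=1400 audit(1596829259.675:872): apparmor="DENIED" '
    'operation="ptrace" profile="test" pid=1311 comm="a.out" '
    'requested_mask="trace" denied_mask="trace" peer="unconfined"',
    # fixed kernel: the same readlink() is checked as "read"
    'audit: type=1400 audit(1632507704.072:30): apparmor="DENIED" '
    'operation="ptrace" profile="/etc/hostos-monitoring/plugins.d/process-monitoring" '
    'pid=1098 comm="process-monitor" requested_mask="read" denied_mask="read" '
    'peer="unconfined"',
    'audit: type=1400 audit(1596829300.000:873): apparmor="DENIED" '
    'operation="open" profile="test" name="/etc/shadow" pid=1312 comm="a.out" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

def parse_audit_record(line):
    """Return the key=value fields of one audit line as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in AUDIT_FIELD.finditer(line)}

def ptrace_rule_for(record):
    """Minimal AppArmor rule that would have allowed a ptrace denial, else None."""
    if record.get("apparmor") != "DENIED" or record.get("operation") != "ptrace":
        return None
    return 'ptrace (%s) peer="%s",' % (record["denied_mask"],
                                       record.get("peer", "unconfined"))

def triage(lines):
    """Report the rule each ptrace denial needs and flag the 'trace' ones.

    On the affected kernels a plain readlink() of /proc/*/ns/* is denied as
    'trace', far wider than the 'read' the fixed kernel (commit 338d0be437ef)
    checks for; flagging it lets an admin weigh widening the profile against
    updating the kernel.
    """
    results = []
    for line in lines:
        rec = parse_audit_record(line)
        rule = ptrace_rule_for(rec)
        if rule is not None:
            results.append({"profile": rec["profile"], "comm": rec.get("comm"),
                            "rule": rule,
                            "needs_trace": "trace" in rec["denied_mask"].split(",")})
    return results
```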

[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2020-08-07 Thread John Johansen
We need to pick the upstream fix

338d0be437ef apparmor: fix ptrace read check

and we should probably pick

1f8266ff5884 (fix-setuid) apparmor: don't try to replace stale label in
ptrace access check

to avoid other problems.



[Kernel-packages] [Bug 1890848] Re: 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

2020-08-07 Thread Jamie Strandboge
** Summary changed:

- 'ptrace trace' needed to readlink() /proc/*/ns/* files
+ 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels
