[Touch-packages] [Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker
This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.1

---------------
apparmor (2.8.95~2430-0ubuntu5.1) trusty-security; urgency=medium

  * SECURITY UPDATE: An AppArmor profile compilation bug may result in
    applications being confined in a way that is inconsistent with the
    profile author's intent. The compilation bug is specific to certain
    combinations of AppArmor rule types and conditionals of those rule
    types. (LP: #1390592)
    - debian/patches/fix-esc-seq-interp.patch: Fix the profile compilation
      bug by limiting the number of bytes that are consumed when
      interpreting hexadecimal, octal, and decimal escape sequences
    - debian/patches/tests-allow-arbitrary-profile-names.patch,
      debian/patches/tests-add-ptrace-tests-for-lp1390592.patch: Add
      regression tests for the profile compilation bug
    - CVE-2014-1424

 -- Tyler Hicks <tyhi...@canonical.com>  Fri, 14 Nov 2014 13:46:22 -0600

** Changed in: apparmor (Ubuntu Trusty)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1390592

Title:
  'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Trusty:
  Fix Released

Bug description:
  I was helping a docker user out in #apparmor on OFTC and I think we
  found a kernel bug in the 14.04 kernel (14.10 kernel seems fine, see
  below).

  Workaround: install the
  https://launchpad.net/ubuntu/+source/linux-lts-utopic kernel.

  $ cat /proc/version_signature
  Ubuntu 3.13.0-37.64-generic 3.13.11.7

  Steps to reproduce:
  1. adjust /etc/apparmor.d/abstractions/base to have:
     ptrace peer=@{profile_name},
  2. sudo apt-get install docker.io
  3. sudo docker pull ubuntu:trusty
  4. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $

  Then observe the following denials on the host, which should have been
  addressed in the rule added in step 1:
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor=DENIED operation=ptrace profile=docker-default pid=27542 comm=ps requested_mask=trace denied_mask=trace peer=docker-default
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor=DENIED operation=ptrace profile=docker-default pid=27542 comm=ps requested_mask=read denied_mask=read peer=docker-default
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor=DENIED operation=ptrace profile=docker-default pid=27542 comm=ps requested_mask=read denied_mask=read peer=docker-default

  Using 'ptrace peer=docker-default,' also did not work.

  Ubuntu 14.10 works as expected (note, the policy is different on 14.10
  and it already has the rule from step 1). Ubuntu 14.04 with the
  linux-lts-utopic backport kernel also works (from trusty-proposed:
  sudo apt-get install linux-headers-3.16.0-25-generic
  linux-image-3.16.0-25-generic linux-image-extra-3.16.0-25-generic).

  Note, docker is different than most applications in that it embeds its
  policy inside the docker binary and this binary when launched as a
  daemon (ie, via the upstart job) will unconditionally write out the
  policy to /etc/apparmor.d/docker-default. As such, to modify the
  policy:
  0. install docker.io and pull a trusty image # only has to be done once
  1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
  2. sudo stop docker.io # 'docker' on 14.10
  3. sudo apparmor_parser -R /etc/apparmor.d/docker
  4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
  5. sudo start docker.io # 'docker' on 14.10
  6. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $

  (Docker just added a way to specify an alternate existing profile in
  https://docs.docker.com/reference/run/#security-configuration).

  Reference: https://github.com/docker/docker/issues/7276

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1390592/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
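The denials in the bug report all share one tell: the confined profile and the ptrace peer are the same profile, which is exactly what 'ptrace peer=@{profile_name},' is meant to allow. The following added Python example (mine, not code from the bug report or from the apparmor or docker projects) parses host audit lines and flags such self-peer ptrace denials; the sample input is the three denials quoted above plus one constructed, unrelated file denial in the quoted form AppArmor normally emits.

```python
"""Spot AppArmor ptrace denials whose peer is the confining profile itself."""
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample: the three ptrace denials from the bug report (values
# unquoted, as extracted there) plus one unrelated file denial with quoted
# values, included to show that it is skipped.
SAMPLE_LOG = """\
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor=DENIED operation=ptrace profile=docker-default pid=27542 comm=ps requested_mask=trace denied_mask=trace peer=docker-default
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor=DENIED operation=ptrace profile=docker-default pid=27542 comm=ps requested_mask=read denied_mask=read peer=docker-default
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor=DENIED operation=ptrace profile=docker-default pid=27542 comm=ps requested_mask=read denied_mask=read peer=docker-default
Nov 7 13:44:01 sec-trusty-amd64 kernel: [24277.100000] type=1400 audit(1415389441.100:71): apparmor="DENIED" operation="open" profile="docker-default" name="/etc/shadow" pid=27550 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; the value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one AppArmor audit line, or None if the line is
    not an AppArmor record. Quotes around values are stripped."""
    if "apparmor=" not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_self_ptrace_denials(lines: Iterable[str]) -> List[Dict[str, str]]:
    """DENIED ptrace records where the subject profile equals the peer.
    With 'ptrace peer=@{profile_name},' in the loaded policy these should
    not occur; if they do, the compiled policy does not match its source."""
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        if rec.get("apparmor") != "DENIED" or rec.get("operation") != "ptrace":
            continue
        if rec.get("profile") and rec.get("profile") == rec.get("peer"):
            hits.append(rec)
    return hits


def needed_rules(lines: Iterable[str]) -> Set[str]:
    """Collapse the self-ptrace denials into one explicit peer rule per
    profile, listing the access modes that were denied."""
    masks: Dict[str, Set[str]] = {}
    for rec in find_self_ptrace_denials(lines):
        masks.setdefault(rec["profile"], set()).add(rec["denied_mask"])
    return {f"ptrace ({', '.join(sorted(m))}) peer={p}," for p, m in masks.items()}


if __name__ == "__main__":
    for rec in find_self_ptrace_denials(SAMPLE_LOG.splitlines()):
        print(f"self-ptrace denial: comm={rec['comm']} pid={rec['pid']} "
              f"mask={rec['denied_mask']} peer={rec['peer']}")
    for rule in needed_rules(SAMPLE_LOG.splitlines()):
        print("should already be covered by:", rule)
```

Run it against /var/log/kern.log (or the output of dmesg) on the host; any hit after the fixed apparmor package is installed means the docker-default profile was not reloaded as described in the steps above.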
[Touch-packages] [Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker
This is CVE-2014-1424

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-1424

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Trusty:
  In Progress
[Touch-packages] [Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker
I may need to take another approach instead of replacing
add-decimal-interp.patch with upstream commit r2456. While this bug is
fixed, the regression test suite hits some new failures. The commit
message of upstream commit r2541 explains the problem (and changes the
tests):

  Earlier fixes to the parser's handling of escape sequences involving
  '\' caused a behavioral change that profiles no longer needed to
  contain '\\' before an octal escape sequence.

I don't feel like that kind of change is acceptable in an SRU. I'll dig
into the r2456 patch some more and see if I can pull out only the binary
encoding bug fix.

** Changed in: apparmor (Ubuntu Trusty)
       Status: Triaged => In Progress

** Changed in: apparmor (Ubuntu Trusty)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Trusty:
  In Progress
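The changelog in the fix-released message says the compilation bug was fixed by limiting how many bytes an escape sequence may consume, and the comment above shows why touching escape handling is delicate. The following added Python model (mine, not the AppArmor parser's code) decodes \xHH, octal \ooo and a \dNNN decimal escape both greedily and with bounded digit counts, to show how over-consumption silently changes the bytes a rule matches; the digit limits and the \d notation are assumptions for the illustration, not AppArmor's exact rules.

```python
"""Model: greedy vs bounded decoding of escape sequences in a policy string."""
from typing import Optional, Tuple

# Assumed per-escape limits for the bounded decoder: (max digits, base, digit set).
# These are modelling choices for this illustration, not AppArmor's exact limits.
LIMITS = {"x": (2, 16, "0123456789abcdefABCDEF"),
          "o": (3, 8, "01234567"),
          "d": (3, 10, "0123456789")}


def _take_digits(s: str, i: int, digits: str, limit: Optional[int]) -> Tuple[str, int]:
    """Collect digits from s[i:]; limit=None means consume greedily."""
    j = i
    while j < len(s) and s[j] in digits and (limit is None or j - i < limit):
        j += 1
    return s[i:j], j


def decode(pattern: str, bounded: bool) -> bytes:
    """Turn a pattern containing \\xHH, \\ooo and \\dNNN escapes into bytes."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c != "\\" or i + 1 >= len(pattern):
            out.append(ord(c)); i += 1; continue
        nxt = pattern[i + 1]
        if nxt == "x":
            kind, start = "x", i + 2
        elif nxt == "d":
            kind, start = "d", i + 2
        elif nxt in "01234567":
            kind, start = "o", i + 1
        else:                              # \\ and other single-character escapes
            out.append(ord(nxt)); i += 2; continue
        limit, base, digits = LIMITS[kind]
        text, end = _take_digits(pattern, start, digits, limit if bounded else None)
        if not text:                       # no digits after the introducer: literal
            out.append(ord(nxt)); i += 2; continue
        # A greedy decoder eats following digits/hex letters that were meant
        # literally; folding the oversized value into one byte loses them.
        out.append(int(text, base) & 0xFF)
        i = end
    return bytes(out)


def changes_meaning(pattern: str) -> bool:
    """True when greedy decoding yields different bytes than bounded decoding,
    i.e. the compiled rule would match something other than what was written."""
    return decode(pattern, True) != decode(pattern, False)
```

A pattern such as a profile name written as \x41BC decodes to "ABC" with the bounded decoder but to a single byte 0xBC with the greedy one, so the rule no longer names the intended peer.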
[Touch-packages] [Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker
Per Tyler, this is fixed in r2456. In 14.04, add-decimal-interp.patch
should be removed in favor of this patch.

** No longer affects: linux (Ubuntu)

** Also affects: apparmor (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: apparmor (Ubuntu Trusty)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu Trusty)
   Importance: Undecided => High

** Tags removed: aa-kernel

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Trusty:
  Triaged
[Touch-packages] [Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker
I'm fairly certain that this is a parser bug and not a kernel bug. The
dfa-states output for the profile

  profile XYZ {
    ptrace peer=@{profile_name},
  }

changes between 14.04 and 14.10. Also, I can pull down lp:apparmor and
build a parser, on 14.04, that doesn't exhibit the behavior described in
this bug report. I'm still trying to narrow down the upstream parser
commit(s) that fix this bug.

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed

** Tags added: aa-parser

Status in “apparmor” package in Ubuntu:
  Confirmed
Status in “linux” package in Ubuntu:
  Confirmed