[Touch-packages] [Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker

2014-11-20 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.1

---
apparmor (2.8.95~2430-0ubuntu5.1) trusty-security; urgency=medium

  * SECURITY UPDATE: An AppArmor profile compilation bug may result in
    applications being confined in a way that is inconsistent with the profile
    author's intent. The compilation bug is specific to certain combinations
    of AppArmor rule types and conditionals of those rule types.
    (LP: #1390592)
    - debian/patches/fix-esc-seq-interp.patch: Fix the profile compilation bug
      by limiting the number of bytes that are consumed when interpreting
      hexadecimal, octal, and decimal escape sequences
    - debian/patches/tests-allow-arbitrary-profile-names.patch,
      debian/patches/tests-add-ptrace-tests-for-lp1390592.patch: Add
      regression tests for the profile compilation bug
    - CVE-2014-1424
 -- Tyler Hicks tyhi...@canonical.com   Fri, 14 Nov 2014 13:46:22 -0600

** Changed in: apparmor (Ubuntu Trusty)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1390592

Title:
  'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with
  docker

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Trusty:
  Fix Released

Bug description:
  I was helping a docker user out in #apparmor on OFTC and I think we
  found a kernel bug in the 14.04 kernel (14.10 kernel seems fine, see
  below).

  Workaround: install the https://launchpad.net/ubuntu/+source/linux-lts-utopic kernel.

  $ cat /proc/version_signature
  Ubuntu 3.13.0-37.64-generic 3.13.11.7

  Steps to reproduce:
  1. adjust /etc/apparmor.d/abstractions/base to have:
    ptrace peer=@{profile_name},
  2. sudo apt-get install docker.io
  3. sudo docker pull ubuntu:trusty
  4. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $

  Then observe the following denials on the host, which should have been
  addressed in the rule added in step 1:
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor=DENIED operation=ptrace profile=docker-default pid=27542 comm=ps requested_mask=trace denied_mask=trace peer=docker-default
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor=DENIED operation=ptrace profile=docker-default pid=27542 comm=ps requested_mask=read denied_mask=read peer=docker-default
  Nov  7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor=DENIED operation=ptrace profile=docker-default pid=27542 comm=ps requested_mask=read denied_mask=read peer=docker-default

  Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
  works as expected (note, the policy is different on 14.10 and it
  already has the rule from step 1). Ubuntu 14.04 with the linux-lts-utopic
  backport kernel also works (from trusty-proposed: sudo apt-get
  install linux-headers-3.16.0-25-generic linux-image-3.16.0-25-generic
  linux-image-extra-3.16.0-25-generic).

  Note, docker is different than most applications in that it embeds its
  policy inside the docker binary and this binary when launched as a
  daemon (ie, via the upstart job) will unconditionally write out the
  policy to /etc/apparmor.d/docker-default. As such, to modify the
  policy:

  0. install docker.io and pull a trusty image # only has to be done once
  1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
  2. sudo stop docker.io  # 'docker' on 14.10
  3. sudo apparmor_parser -R /etc/apparmor.d/docker
  4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
  5. sudo start docker.io # 'docker' on 14.10
  6. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $

  (Docker just added a way to specify an alternate existing profile in
  https://docs.docker.com/reference/run/#security-configuration).

  Reference: https://github.com/docker/docker/issues/7276

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1390592/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker

2014-11-14 Thread Marc Deslauriers
This is CVE-2014-1424

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-1424

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Trusty:
  In Progress


[Touch-packages] [Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker

2014-11-11 Thread Tyler Hicks
I may need to take another approach instead of replacing add-decimal-interp.patch
with upstream commit r2456. While this bug is fixed, the
regression test suite hits some new failures. The commit message of
upstream commit r2541 explains the problem (and changes the tests):

 Earlier fixes to the parser's handling of escape sequences involving '\'
 caused a behavioral change that profiles no longer needed to contain
 '\\' before an octal escape sequence.

I don't feel like that kind of change is acceptable in an SRU. I'll dig
into the r2456 patch some more and see if I can pull out only the binary
encoding bug fix.


** Changed in: apparmor (Ubuntu Trusty)
   Status: Triaged => In Progress

** Changed in: apparmor (Ubuntu Trusty)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Trusty:
  In Progress

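The changelog in the 2014-11-20 message describes the fix as limiting how many bytes are consumed when interpreting hexadecimal, octal and decimal escape sequences, and the comment above touches the same escape handling. The C program below is an added illustration written for this page, not code from the AppArmor parser: it contrasts a strtol-style decoder that keeps consuming digits with one that stops after a fixed count, so a following literal byte is no longer swallowed into the escape. The \xHH, \ooo and \dNNN notations, the digit limits (2, 3, 3) and the sample strings are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdlib.h>

/* Illustration written for this page, not AppArmor parser code. Decodes one
 * escape at s (s[0] == '\\'); notation assumed: \xHH, \ooo, \dNNN.
 * bounded == 0: the digits go straight to strtol, which eats every digit it
 * can (the pre-fix behaviour). bounded != 0: at most 'limit' digits are used
 * (2 hex, 3 octal, 3 decimal; limits chosen for the example).
 * Returns the bytes consumed from s, 0 if no escape is recognised. */
size_t decode_escape(const char *s, int bounded, unsigned char *out)
{
    int base, limit, n = 0;
    const char *digits;
    char *end, buf[4] = {0};
    long v;

    if (s[0] != '\\' || s[1] == '\0')
        return 0;
    switch (s[1]) {
    case 'x': base = 16; limit = 2; digits = s + 2; break;
    case 'd': base = 10; limit = 3; digits = s + 2; break;
    default:
        if (s[1] < '0' || s[1] > '7')
            return 0;
        base = 8; limit = 3; digits = s + 1;
    }
    if (!bounded) {
        v = strtol(digits, &end, base);   /* "\d1000": all four digits eaten, v = 1000 */
    } else {
        while (n < limit && digits[n] != '\0') {
            int c = (unsigned char)digits[n];
            if (!(base == 16 ? isxdigit(c) : base == 10 ? isdigit(c)
                                           : (c >= '0' && c <= '7')))
                break;
            buf[n++] = (char)c;
        }
        v = strtol(buf, NULL, base);      /* "\d1000": v = 100, the last '0' stays literal */
        end = (char *)digits + n;
    }
    if (end == digits)
        return 0;                         /* e.g. "\xZZ": not an escape, keep the backslash */
    *out = (unsigned char)v;              /* unbounded case: 1000 silently truncates to 232 */
    return (size_t)(end - s);
}

/* Decode all of 'in' (escapes and literal bytes) into out; returns bytes written. */
size_t decode_string(const char *in, int bounded, unsigned char *out, size_t cap)
{
    size_t o = 0;
    for (const char *p = in; *p != '\0' && o < cap; o++) {
        size_t used = decode_escape(p, bounded, &out[o]);
        if (used == 0) { out[o] = (unsigned char)*p; used = 1; }
        p += used;
    }
    return o;
}

/* Decode 'in' and return byte i of the result, or -1 past its end. */
int decoded_byte(const char *in, int bounded, size_t i)
{
    unsigned char buf[64];
    size_t n = decode_string(in, bounded, buf, sizeof buf);
    return i < n ? buf[i] : -1;
}
```

With the unbounded decoder the constructed input \d1000 collapses to the single byte 232 (1000 truncated to 8 bits), while the bounded one yields byte 100 followed by a literal '0'.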

[Touch-packages] [Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker

2014-11-10 Thread Jamie Strandboge
Per Tyler, this is fixed in r2456. In 14.04, add-decimal-interp.patch
should be removed in favor of this patch.

** No longer affects: linux (Ubuntu)

** Also affects: apparmor (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: apparmor (Ubuntu Trusty)
   Status: New => Triaged

** Changed in: apparmor (Ubuntu Trusty)
   Importance: Undecided => High

** Tags removed: aa-kernel

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Trusty:
  Triaged


[Touch-packages] [Bug 1390592] Re: 'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker

2014-11-08 Thread Tyler Hicks
I'm fairly certain that this is a parser bug and not a kernel bug. The
dfa-states output for the profile 'profile XYZ { ptrace
peer=@{profile_name}, }' changes between 14.04 and 14.10. Also, I can
pull down lp:apparmor and build a parser, on 14.04, that doesn't exhibit
the behavior described in this bug report. I'm still trying to narrow
down the upstream parser commit(s) that fix this bug.

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

** Tags added: aa-parser

Status in “apparmor” package in Ubuntu:
  Confirmed
Status in “linux” package in Ubuntu:
  Confirmed