** Description changed: [Impact] Hello - When we are using removable smartcard to authenticate, basically we set - cert in /etc/sssd/pki/ as doc[1] says. and we have issue with Permission - Denied. + one of our customer wanted to use smartcard as a authentication device in sssd & windows AD environment. + But they can't do it because of apparmor DENIED. - If we put /etc/sssd/pki/** r, in apparmor profile. it works. + In the beginning they only mentioned + /etc/sssd/pki/ and /etc/sssd/pki/** r, also doc [1] mentioned the guide. so I only mentioned it. after that, the customer added contents about it. + Then I thought I needed reproducer about this. so I ordered Yubikey 5 NFC which supports the PIV Smart Card. and tried to reproduce this with Fabio's reproducer. - Although the path could be set to different path but no specific path - for it and we mentioned it in doc[1] so It would be good if we can add - above path to apparmor profile. + then I can reproduce this. - man page(over 2.0) has the path so I uploaded patch from F to Q + But the symptom the customer encountered and I saw is a little bit + different. so I would like to ask you to have a discussion further. [1] https://manpages.ubuntu.com/manpages/noble/man5/sssd.conf.5.html [Test Case] - I don't have 100% the same reproducer but I can test simple one. - sudo aa-exec -p /usr/sbin/sssd -- cat /etc/sssd/pki/sssd_auth_ca_db.pem + 1. Deploy Windows Server and enable AD + 2. refered to this. 
+ - https://pastebin.canonical.com/p/tqNZ2435yC/ + + First, I got DENIED like belows.( /etc/sssd/pki/ and /etc/sssd/pki/** r + not included but it affects) + + Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + Jun 1 23:28:04 seyeongkim sssd[12855]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release + Jun 1 23:28:04 seyeongkim kernel: [ 437.106850] audit: type=1400 audit(1748820484.472:101): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + Jun 1 23:28:17 seyeongkim sssd[12856]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release + Jun 1 23:28:17 seyeongkim kernel: [ 449.783639] audit: type=1400 audit(1748820497.148:102): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + Jun 1 23:28:17 seyeongkim kernel: [ 449.784694] audit: type=1400 audit(1748820497.148:103): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + + then I added them to apparmor profile + + /etc/sssd/pki/ r, + /etc/sssd/pki/** r, + @{PROC}/[0-9]*/cmdline r, + /usr/share/p11-kit/modules/ r, + /usr/share/p11-kit/modules/** r, + /etc/ssl/openssl.cnf r, + + But I encountered another DENIGED ( I could use auth with smartcard this + point ) + + Jun 
1 23:57:42 seyeongkim kernel: [ 2215.357322] audit: type=1400 audit(1748822262.770:188): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + Jun 1 23:57:42 seyeongkim kernel: [ 2215.357860] audit: type=1400 audit(1748822262.770:189): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + Jun 1 23:57:42 seyeongkim kernel: [ 2215.359017] audit: type=1400 audit(1748822262.770:190): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/opensc/opensc.conf" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 + Jun 1 23:57:42 seyeongkim kernel: [ 2215.363606] audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 + + /run/pcscd/* wr, + /etc/machine-id r, + /etc/opensc/opensc.conf r, + + For me, above was the reproducer but the customer mentioned that they + need to add belows by testing. + + capability net_admin, + /etc/sssd/pki/ r, + /etc/sssd/pki/** r, + /usr/share/p11-kit/modules/ r, + /usr/share/p11-kit/modules/* r, + /run/pcscd/* wr, + /etc/machine-id r, + /etc/opensc/opensc.conf r, + [Where problems could occur] - sssd will have more permission in /etc/sssd/pki/ + TBD [Others]
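Review bot: the customer's rule list at the end of this hunk adds `capability net_admin,`, but none of the pasted audit lines shows a capability denial (every line is operation="open" or operation="connect" on a path), so the log line that justifies it should be attached before a capability is granted to the whole /usr/sbin/sssd profile. Two smaller points in the same list: the reporter's rules use `/usr/share/p11-kit/modules/** r,` while the customer's use `/usr/share/p11-kit/modules/* r,`; p11-kit keeps its `.module` files flat in that directory, so `*` is sufficient and the two lists should be reconciled to the narrower form. The pcscd denials are operation="connect" with requested_mask="wr" on the single path /run/pcscd/pcscd.comm, which is how AppArmor mediates path-based unix socket connects, so `/run/pcscd/pcscd.comm rw,` matches the log exactly and is preferable to the directory glob `/run/pcscd/* wr,`.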
** Description changed: [Impact] Hello one of our customer wanted to use smartcard as a authentication device in sssd & windows AD environment. But they can't do it because of apparmor DENIED. - In the beginning they only mentioned - /etc/sssd/pki/ and /etc/sssd/pki/** r, also doc [1] mentioned the guide. so I only mentioned it. after that, the customer added contents about it. - Then I thought I needed reproducer about this. so I ordered Yubikey 5 NFC which supports the PIV Smart Card. and tried to reproduce this with Fabio's reproducer. + In the beginning they only mentioned + /etc/sssd/pki/ and /etc/sssd/pki/** r, also doc [1] mentioned the guide. so I only mentioned it here. After that, the customer added contents more they faced apparmor DENIED. + Then I thought I needed a reproducer about this. so I ordered Yubikey 5 NFC which supports the PIV Smart Card. and tried to reproduce this with Fabio's reproducer. - then I can reproduce this. + Then I can reproduce this. But the symptom the customer encountered and I saw is a little bit different. so I would like to ask you to have a discussion further. + + Please refer to Test Case section. [1] https://manpages.ubuntu.com/manpages/noble/man5/sssd.conf.5.html [Test Case] 1. Deploy Windows Server and enable AD - 2. refered to this. + 2. refered to this. 
- https://pastebin.canonical.com/p/tqNZ2435yC/ First, I got DENIED like belows.( /etc/sssd/pki/ and /etc/sssd/pki/** r not included but it affects) Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Jun 1 23:28:04 seyeongkim sssd[12855]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release Jun 1 23:28:04 seyeongkim kernel: [ 437.106850] audit: type=1400 audit(1748820484.472:101): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Jun 1 23:28:17 seyeongkim sssd[12856]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release Jun 1 23:28:17 seyeongkim kernel: [ 449.783639] audit: type=1400 audit(1748820497.148:102): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Jun 1 23:28:17 seyeongkim kernel: [ 449.784694] audit: type=1400 audit(1748820497.148:103): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 then I added them to apparmor profile - /etc/sssd/pki/ r, - /etc/sssd/pki/** r, - @{PROC}/[0-9]*/cmdline r, - /usr/share/p11-kit/modules/ r, - /usr/share/p11-kit/modules/** r, - /etc/ssl/openssl.cnf r, + /etc/sssd/pki/ r, + /etc/sssd/pki/** r, + @{PROC}/[0-9]*/cmdline r, + /usr/share/p11-kit/modules/ r, + 
/usr/share/p11-kit/modules/** r, + /etc/ssl/openssl.cnf r, But I encountered another DENIGED ( I could use auth with smartcard this point ) Jun 1 23:57:42 seyeongkim kernel: [ 2215.357322] audit: type=1400 audit(1748822262.770:188): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Jun 1 23:57:42 seyeongkim kernel: [ 2215.357860] audit: type=1400 audit(1748822262.770:189): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Jun 1 23:57:42 seyeongkim kernel: [ 2215.359017] audit: type=1400 audit(1748822262.770:190): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/opensc/opensc.conf" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 Jun 1 23:57:42 seyeongkim kernel: [ 2215.363606] audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 - /run/pcscd/* wr, - /etc/machine-id r, - /etc/opensc/opensc.conf r, + /run/pcscd/* wr, + /etc/machine-id r, + /etc/opensc/opensc.conf r, For me, above was the reproducer but the customer mentioned that they need to add belows by testing. 
- capability net_admin, - /etc/sssd/pki/ r, - /etc/sssd/pki/** r, - /usr/share/p11-kit/modules/ r, - /usr/share/p11-kit/modules/* r, - /run/pcscd/* wr, - /etc/machine-id r, - /etc/opensc/opensc.conf r, - + capability net_admin, + /etc/sssd/pki/ r, + /etc/sssd/pki/** r, + /usr/share/p11-kit/modules/ r, + /usr/share/p11-kit/modules/* r, + /run/pcscd/* wr, + /etc/machine-id r, + /etc/opensc/opensc.conf r, [Where problems could occur] TBD [Others] -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2109673 Title: Authentication with smartcard is not working with apparmor DENIED To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2109673/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
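Review bot: `[Where problems could occur]` is still `TBD` in this revision, although the first revision's "sssd will have more permission in /etc/sssd/pki/" is now far too narrow; the proposed rules also let the sssd_nss and p11_child processes read every process's /proc/[0-9]*/cmdline, the p11-kit module configuration, /etc/ssl/openssl.cnf, /etc/machine-id and /etc/opensc/opensc.conf, and open the pcscd socket, so that section should enumerate the widened confinement and note that the customer's extra `capability net_admin,` has no matching denial in the attached log. The Test Case step "2. refered to this." points only at https://pastebin.canonical.com/p/tqNZ2435yC/, which is not reachable for readers outside Canonical; the steps should be inlined in the bug so the SRU verification can be reproduced. Minor wording in the same hunk: "refered" should read "referred", "DENIGED" should read "DENIED", and "belows" should read "below".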