attach_disconnected required when accessing nsfs magic file

Bug #1632730 reported by Jamie Strandboge
This bug affects 1 person
Affects: AppArmor | Status: Confirmed | Importance: Wishlist | Assigned to: Unassigned

Bug Description

Use an up-to-date uvt 16.04 VM. There is certainly a simpler reproducer, but for now I am just adding this so it is captured.

1. $ sudo apt-get install --no-install-recommends nagios-nrpe-server nagios-plugins-basic nagios-nrpe-plugin

2. Create /etc/nagios/nrpe_local.cfg to have:
######################################
# Do any local nrpe configuration here
######################################
server_port=5666
allowed_hosts=127.0.0.1

command[check_all_disks]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -A -i '.gvfs' -i '/snap/'

3. restart nrpe:
$ sudo service nagios-nrpe-server stop
$ sudo service nagios-nrpe-server start

4. verify 'check_all_disks' works without confinement or snaps:
$ /usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1 -c check_all_disks
DISK OK - free space: ...

5. Confine the nrpe server by creating /etc/apparmor.d
# Last Modified: Sat Jul 21 08:46:57 2012
#include <tunables/global>

/usr/sbin/nrpe {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/wutmp>

  capability setgid,
  capability setuid,
  capability dac_override,

  /usr/sbin/nrpe mr,
  signal (send) peer=/usr/lib/nagios/plugins/*,
  signal (send) peer=/etc/nagios-plugins/*,

  /bin/dash rix,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/nagios/** r,
  /{,var/}run/nagios/nrpe.pid w,
  /usr/bin/who rix,

  /usr/lib/nagios/plugins/check_disk Pxr,
}

/usr/lib/nagios/plugins/check_disk {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  signal (receive) peer=/usr/sbin/nrpe,

  /etc/mtab r,
  @{PROC}/@{pid}/mounts r,
}

6. Load the profile and restart the daemon:
$ sudo apparmor_parser -r /etc/apparmor.d/nrpe
$ sudo service nagios-nrpe-server stop
$ sudo service nagios-nrpe-server start
$ sudo aa-status | grep nrpe
   /usr/sbin/nrpe
   /usr/sbin/nrpe (11439)

7. verify confined nrpe works:
$ /usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1 -c check_all_disks
DISK OK - free space: ...

8. set up an nsfs magic file (e.g., it could be done with snap-confine, but ip netns is easier):
$ sudo ip netns add test

9. try nrpe:
$ /usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1 -c check_all_disks
DISK CRITICAL - /run/netns/test is not accessible: Permission denied

kernel: [ 2348.037484] audit: type=1400 audit(1476282354.161:40): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/nagios/plugins/check_disk" name="" pid=11705 comm="check_disk" requested_mask="r" denied_mask="r" fsuid=122 ouid=0

You can remove the nsfs magic file with: 'sudo ip netns del test'
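The audit record in step 9 is the signal a defender would watch for: `info="Failed name lookup - disconnected path"` with an empty `name=""` means the confined process touched a file (here the nsfs mount under /run/netns) that AppArmor cannot map to a path in the profile's namespace, so no file rule can ever match it. The following Python script is an added example, not code from this bug report or from the AppArmor project: it parses constructed audit lines modelled on the one above, lists the profiles that hit disconnected-path denials, and rewrites a profile header to carry `flags=(attach_disconnected)`, which is the flag the bug title names as required. The helper names (`parse_audit_line`, `profiles_needing_attach_disconnected`, `add_attach_disconnected`) and the sample lines are assumptions made for this example.

```python
import re

# Constructed sample audit lines (not real captures); the first one is modelled
# on the denial quoted in the bug report, the others are ordinary AppArmor events.
SAMPLE_AUDIT_LINES = [
    'kernel: [ 2348.037484] audit: type=1400 audit(1476282354.161:40): apparmor="DENIED" '
    'operation="getattr" info="Failed name lookup - disconnected path" error=-13 '
    'profile="/usr/lib/nagios/plugins/check_disk" name="" pid=11705 comm="check_disk" '
    'requested_mask="r" denied_mask="r" fsuid=122 ouid=0',
    'kernel: [ 2350.100000] audit: type=1400 audit(1476282356.000:41): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/nrpe" name="/etc/shadow" pid=11439 comm="nrpe" '
    'requested_mask="r" denied_mask="r" fsuid=122 ouid=0',
    'kernel: [ 2351.000000] audit: type=1400 audit(1476282357.000:42): apparmor="ALLOWED" '
    'operation="open" profile="/usr/sbin/nrpe" name="/etc/hosts.allow" pid=11439 comm="nrpe" '
    'requested_mask="r" denied_mask="r" fsuid=122 ouid=0',
]

# key=value pairs; values are either double-quoted (may be empty) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of an AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        # group(3) is the quoted value (possibly ''), group(4) the bare value
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def is_disconnected_denial(fields):
    """True for a DENIED event whose path could not be resolved in the profile's namespace."""
    return (fields.get('apparmor') == 'DENIED'
            and 'disconnected path' in fields.get('info', ''))


def profiles_needing_attach_disconnected(lines):
    """Map each profile with disconnected-path denials to its (operation, comm, pid) hits."""
    hits = {}
    for line in lines:
        fields = parse_audit_line(line)
        if fields and is_disconnected_denial(fields):
            hits.setdefault(fields['profile'], []).append(
                (fields.get('operation'), fields.get('comm'), fields.get('pid')))
    return hits


def add_attach_disconnected(profile_text, profile_path):
    """Return profile_text with attach_disconnected added to the header of profile_path.

    Handles three header shapes: no flags, an existing flags=(...) list, and a header
    that already carries the flag (left untouched, so the rewrite is idempotent).
    """
    out = []
    for line in profile_text.splitlines():
        stripped = line.strip()
        tokens = stripped.split()
        if tokens and tokens[0] == profile_path and stripped.endswith('{'):
            if 'attach_disconnected' in stripped:
                pass
            elif 'flags=(' in stripped:
                line = line.replace('flags=(', 'flags=(attach_disconnected,', 1)
            else:
                line = line.replace('{', 'flags=(attach_disconnected) {', 1)
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for profile, events in profiles_needing_attach_disconnected(SAMPLE_AUDIT_LINES).items():
        print(f'{profile}: {len(events)} disconnected-path denial(s) {events}')
        header = f'{profile} {{\n  #include <abstractions/base>\n}}\n'
        print(add_attach_disconnected(header, profile), end='')
```

Run it over `journalctl -k` output (or /var/log/audit/audit.log) instead of the constructed lines to find which profiles are affected on a real host; only the profile that actually performs the lookup (check_disk here, not nrpe) needs the flag, and the `-X nsfs` exclusion from the comment below avoids the lookup altogether rather than permitting it.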

Jamie Strandboge (jdstrand) wrote :

As a workaround for anyone using nrpe, use '-X nsfs' with check_disk. E.g.:
command[check_all_disks]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -A -X squashfs -X nsfs
