sssd startup fails when apparmor in enforcing mode

Bug #1910611 reported by richard on 2021-01-08
16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Undecided
Unassigned
sssd (Ubuntu)
Undecided
Sergio Durigan Junior
Focal
Undecided
Sergio Durigan Junior
Groovy
Undecided
Sergio Durigan Junior
Hirsute
Undecided
Sergio Durigan Junior

Bug Description

[ Impact ]

sssd users on Focal, Groovy and Hirsute can experience problems when setting sssd's apparmor profile to "Enforce" mode. In this scenario, apparmor will prevent sssd from being able to execute programs under the /usr/libexec/sssd/* path, which will cause the sssd service to fail to start.

Aside from the deny mentioned above, the sssd apparmor profile also needs to be updated to reflect the fact that sssd will also need to have read access to files under the /etc/sssd/conf.d/* and /etc/gss/mech.d/* directories.

[ Test Case ]

Using an LXD VM, one can:

$ lxc launch image:ubuntu/focal sssd-bug1910611-focal --vm
$ lxc shell sssd-bug1910611-focal
# apt update && apt install apparmor-utils sssd -y
...
# cat > /etc/sssd/sssd.conf << __EOF__
[sssd]
config_file_version = 2
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap01.example.com
cache_credentials = True
ldap_search_base = dc=example,dc=com
__EOF__
# chmod 0600 /etc/sssd/sssd.conf
# aa-enforce sssd
Setting /usr/sbin/sssd to enforce mode.
# systemctl restart sssd.service
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
# dmesg | grep DENIED
...
[ 2011.510479] audit: type=1400 audit(1611007899.726:370): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3255 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2011.511822] audit: type=1400 audit(1611007899.726:371): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3256 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

The instructions above can be replicated to test things on Groovy and Hirsute.

[ Regression Potential ]

Very little regression potential, since we are expanding the apparmor permissions of sssd, and not reducing them.

* If the user already has apparmor enabled for sssd, she will most likely have addressed these issues by herself, which means that this change will just be a duplicate of what is already on the system.

* If the user does not have apparmor enabled, then nothing will change.

[ Original Description ]

sssd fails to start when its apparmor profile is in enforcing mode. The OS is Ubuntu 20.04.

apparmor-notify shows various denied entries. Setting the profile to 'complain' mode allows sssd to start. We're seeing this in Azure only at this time. Would like to set the profile to 'enforcing' as we're trying to achieve CIS compliance.

The following notifications are sample of those observed. What looks odd (I am no apparmor wizard) is that the denies are coming from the SSSD libraries and not the main binary. Also, no service should be denied read on /etc/hosts (second entry below)?

Sample apparmor-notif output here:

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
Operation: open
Name: /proc/33363/cmdline
Denied: r
Logfile: /var/log/audit/audit.log
(1498 found, most recent from 'Wed Dec 30 20:35:19 2020')

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /etc/hosts
Denied: r
Logfile: /var/log/audit/audit.log
(294 found, most recent from 'Thu Dec 31 02:55:41 2020')

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: mknod
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: c
Logfile: /var/log/audit/audit.log

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: wrc
Logfile: /var/log/audit/audit.log

Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: chmod
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: w
Logfile: /var/log/audit/audit.log

Related branches

richard (meusburger) wrote :

Reported issue with SSSD project on Github, and they referred my here.
Reference: https://github.com/SSSD/sssd/issues/5446

Seth Arnold (seth-arnold) wrote :

Hello Richard, it looks like the profile may not have kept up with changes in the packaging.

The profile has probably been broken ever since:

sssd (2.2.0-1) unstable; urgency=medium

  * New upstream release.
  * control: Bump policy to 4.4.0.
  * control, compat, rules: Bump debhelper to 12.
  * *.install: Updated, some files moved to /usr/libexec.

 -- Timo Aaltonen <email address hidden> Wed, 10 Jul 2019 10:14:09 +0300

Please try adding this line:

  /usr/libexec/sssd/* rmix,

to the file:

/etc/apparmor.d/local/usr.sbin.sssd

Then, try:

sudo apparmor_parser --replace /etc/apparmor.d/usr.sbin.sssd
sudo systemctl restart sssd

Please report back how well this works.

Thanks

richard (meusburger) wrote :

Applying the fix above to /etc/apparmor.d/local/usr.sbin.sssd and running the parser replace fixed the sssd startup issue. I confirmed by returning sssd to 'enforce' mode (aa-enforce /usr/sbin/sssd).

The 'apparmor_status' output now shows the /usr/libexec/sssd binaries as well:

apparmor module is loaded.
32 profiles are loaded.
32 profiles are in enforce mode.
   /snap/snapd/10707/usr/lib/snapd/snap-confine
   /snap/snapd/10707/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/chronyd
   /usr/sbin/rsyslogd
   /usr/sbin/sssd
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   ippusbxd
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
0 profiles are in complain mode.
8 processes have profiles defined.
8 processes are in enforce mode.
   /usr/sbin/chronyd (994)
   /usr/sbin/chronyd (998)
   /usr/sbin/rsyslogd (925)
   /usr/sbin/sssd (929)
   /usr/libexec/sssd/sssd_be (1279) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_nss (1480) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_pam (1481) /usr/sbin/sssd
   /usr/libexec/sssd/sssd_ssh (1484) /usr/sbin/sssd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Thanks for the help!

Seth Arnold (seth-arnold) wrote :

Great, thanks Richard!

tags: added: server-next
Changed in sssd (Ubuntu):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in sssd (Ubuntu Focal):
assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in sssd (Ubuntu Groovy):
assignee: nobody → Sergio Durigan Junior (sergiodj)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 2.4.0-1ubuntu3

---------------
sssd (2.4.0-1ubuntu3) hirsute; urgency=medium

  * d/apparmor-profile: Update profile. (LP: #1910611)
    - Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
    - Add read/execute permission to /usr/libexec/sssd/*.

 -- Sergio Durigan Junior <email address hidden> Mon, 18 Jan 2021 16:57:21 -0500

Changed in sssd (Ubuntu Hirsute):
status: New → Fix Released

Hello richard, or anyone else affected,

Accepted sssd into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/2.3.1-3ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in sssd (Ubuntu Groovy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-groovy
Changed in sssd (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Robie Basak (racb) wrote :

Hello richard, or anyone else affected,

Accepted sssd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/2.2.3-3ubuntu0.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Performing the verification on Focal:

First, confirming that the current sssd manifests the bug:

# apt policy sssd
sssd:
  Installed: 2.2.3-3ubuntu0.2
  Candidate: 2.2.3-3ubuntu0.2
  Version table:
 *** 2.2.3-3ubuntu0.2 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.2.3-3ubuntu0.1 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     2.2.3-3 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
# aa-enforce sssd
Setting /usr/sbin/sssd to enforce mode.
# systemctl restart sssd.service
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
# dmesg | grep DENIED
[ 41.098915] audit: type=1400 audit(1611583202.421:14): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/conf.d/" pid=1933 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 41.099185] audit: type=1400 audit(1611583202.421:15): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/sssd/cfg_rules.ini" pid=1933 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
...

Now, confirming that the sssd on -proposed fixes the problem:

# apt policy sssd
sssd:
  Installed: 2.2.3-3ubuntu0.3
  Candidate: 2.2.3-3ubuntu0.3
  Version table:
 *** 2.2.3-3ubuntu0.3 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.2.3-3ubuntu0.2 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
     2.2.3-3ubuntu0.1 500
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     2.2.3-3 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
# systemctl restart sssd
# echo $?
0

This verifies that the Focal sssd package in -proposed fixes the bug.

tags: added: verification-done-focal
removed: verification-needed-focal

Performing the verification on Groovy:

First, confirming that the current sssd manifests the bug:

# apt policy sssd
sssd:
  Installed: 2.3.1-3ubuntu2
  Candidate: 2.3.1-3ubuntu2
  Version table:
 *** 2.3.1-3ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu groovy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.3.1-3 500
        500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
# aa-enforce sssd
Setting /usr/sbin/sssd to enforce mode.
# systemctl restart sssd.service
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
# dmesg | grep DENIED
[ 49.513861] audit: type=1400 audit(1611583630.788:14): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/conf.d/" pid=1876 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 49.514342] audit: type=1400 audit(1611583630.792:15): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/sssd/cfg_rules.ini" pid=1876 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
...

Now, confirming that the sssd on -proposed fixes the problem:

# apt policy sssd
sssd:
  Installed: 2.3.1-3ubuntu3
  Candidate: 2.3.1-3ubuntu3
  Version table:
 *** 2.3.1-3ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu groovy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.3.1-3ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu groovy-updates/main amd64 Packages
     2.3.1-3 500
        500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
# systemctl restart sssd
# echo $?
0

This verifies that the Groovy sssd package in -proposed fixes the bug.

tags: added: verification-done-groovy
removed: verification-needed verification-needed-groovy
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 2.3.1-3ubuntu3

---------------
sssd (2.3.1-3ubuntu3) groovy; urgency=medium

  * d/apparmor-profile: Update profile. (LP: #1910611)
    - Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
    - Add read/execute permission to /usr/libexec/sssd/*.

 -- Sergio Durigan Junior <email address hidden> Mon, 18 Jan 2021 16:56:21 -0500

Changed in sssd (Ubuntu Groovy):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for sssd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 2.2.3-3ubuntu0.3

---------------
sssd (2.2.3-3ubuntu0.3) focal; urgency=medium

  * d/apparmor-profile: Update profile. (LP: #1910611)
    - Extend read permissions to /etc/sssd/** and /etc/gss/**.
    - Add read/execute permission to /usr/libexec/sssd/*.

 -- Sergio Durigan Junior <email address hidden> Mon, 18 Jan 2021 16:30:13 -0500

Changed in sssd (Ubuntu Focal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.