Profile Entry for operation="change_onexec"

Bug #1997374 reported by Shaheena Kazi
Affects: AppArmor | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

Hello,

I have created a profile for containers on my Debian environment.
I am getting the below denial in /var/log/syslog

Nov 22 09:43:28 microk8s-32 kernel: audit: type=1400 audit(1669110208.700:1696): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/containerd" name="docker-default" pid=10247 comm="runc:[2:INIT]" target="docker-default"

I just wanted to know what should be entry that needs to be added in the profile="/usr/bin/containerd" to get fix this denial.

- Shaheena K

Revision history for this message
John Johansen (jjohansen) wrote :

You will need two rules, a change_profile rule and a follow-on exec rule. Unfortunately the full information needed is not available at this point. So you can do

  change_profile /** -> docker-default,

which will allow change_onexec from an executable, that is the /** part, to the docker-default profile.

The change_profile will not happen immediately but will be delayed until the exec and rechecked at that time, to make sure it is still allowed and that the change_profile is being applied to the correct binary; in this case any exec will work.

You can tighten up the rule by changing the /** to the executable used in the following exec.

Revision history for this message
Shaheena Kazi (shaheenakazi) wrote :

Thanks John.
Nov 24 06:55:07 microk8s-32 kernel: audit: type=1400 audit(1669272907.172:2712): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/containerd" name="/usr/bin/bash" pid=22212 comm="runc:[2:INIT]" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="docker-default"

I am again stuck on this.
I referred to the man page.
Could you help me here? What permission shall I add for this denial?

Changed in apparmor:
assignee: nobody → John Johansen (jjohansen)
Revision history for this message
Shaheena Kazi (shaheenakazi) wrote :

Any update here..

Changed in apparmor:
assignee: John Johansen (jjohansen) → nobody
Revision history for this message
Christian Boltz (cboltz) wrote :

Your comment #2 means the containerd profile needs an exec rule for executing bash. This can be either a simple inherit (so that bash runs with the containerd profile) or a child profile (which means running bash under a separate profile, which can be more restrictive than the main profile, but also makes things more complex).

For inherit, just add

    /usr/bin/bash ix,

For the child profile, add

    /usr/bin/bash Cx -> bash,

    profile bash (complain) {
      include <abstractions/base>
    }

Note that the bash child profile is incomplete and will most likely need additional permissions. That's why I added "(complain)", which switches this child profile to complain/learning mode: everything is allowed and denials are logged. You can use aa-logprof to update it. Remove the "(complain)" afterwards and reload the profile to switch it to enforce mode.
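
As an added example (not code from this bug report or from the AppArmor project), the script below turns audit records like the three quoted in this thread into the profile additions proposed in the two replies above: the `change_profile /** -> target,` rule for an operation="change_onexec" record, and an `ix` (or, optionally, `Cx -> child` with a complain-mode child profile) exec rule for an operation="exec" record. It also flags the info="no new privs" field: with no_new_privs set, the kernel's AppArmor exec check refuses a transition to a profile that is not a subset of the confinement in place when no_new_privs was entered, so the exec rule is necessary but not sufficient for that record. The log lines are constructed copies of the records quoted on this page, and the helper names (parse_audit_line, suggest_rules, profile_additions) are assumptions of this example.

```python
"""Map AppArmor audit records to candidate profile rules.

Added example, not part of the bug report or of AppArmor. The helper names
below are invented for this illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed copies of the three audit records quoted in the thread.
SAMPLE_LOG = """\
Nov 22 09:43:28 microk8s-32 kernel: audit: type=1400 audit(1669110208.700:1696): apparmor="DENIED" operation="change_onexec" profile="/usr/bin/containerd" name="docker-default" pid=10247 comm="runc:[2:INIT]" target="docker-default"
Nov 24 06:55:07 microk8s-32 kernel: audit: type=1400 audit(1669272907.172:2712): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/containerd" name="/usr/bin/bash" pid=22212 comm="runc:[2:INIT]" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="docker-default"
Dec 6 06:07:03 microk8s-19 kernel: audit: type=1400 audit(1670306823.891:1173): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/containerd" name="/usr/bin/bash" pid=12032 comm="runc:[2:INIT]" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="docker-default"
"""

# key=value pairs: values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the fields of one AppArmor audit record as a dict, quotes stripped.

    Lines without an apparmor= field (other kernel messages) yield an empty dict.
    """
    if "apparmor=" not in line:
        return {}
    fields: Dict[str, str] = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def suggest_rules(fields: Dict[str, str], child_profile: bool = False) -> Tuple[List[str], List[str]]:
    """Map one parsed record to the rule(s) the confining profile needs, plus caveats."""
    rules: List[str] = []
    notes: List[str] = []
    op = fields.get("operation")
    profile = fields.get("profile", "?")
    if op == "change_onexec":
        # First reply: allow a delayed (on-exec) transition to the requested target from
        # any executable. The exec itself is checked separately and needs its own rule.
        rules.append(f'change_profile /** -> {fields["target"]},')
        notes.append(f"{profile}: tighten /** to the path of the binary exec'd afterwards once known")
    elif op == "exec" and "x" in fields.get("denied_mask", ""):
        name = fields["name"]
        if child_profile:
            # Second reply, variant 2: run the binary under its own child profile,
            # started in complain mode so aa-logprof can fill it in.
            child = name.rsplit("/", 1)[-1]
            rules.append(f"{name} Cx -> {child},")
            rules.append(f"profile {child} (complain) {{\n  include <abstractions/base>\n}}")
        else:
            # Second reply, variant 1: inherit the current profile across the exec.
            rules.append(f"{name} ix,")
        if fields.get("info") == "no new privs":
            # Kernel-side caveat: under no_new_privs a transition to a label that is not
            # a subset of the confinement at NNP time is refused (EPERM) regardless of rules.
            notes.append(
                f"{profile}: exec of {name} ran with no_new_privs set; the kernel refuses the "
                f"transition to {fields.get('target', '?')} unless it is a subset of the current "
                "confinement, so the exec rule alone will not clear this record"
            )
    if fields.get("apparmor") == "ALLOWED":
        notes.append(f"{profile} is in complain mode: this record is a logged would-be denial")
    return rules, notes


def profile_additions(log_text: str, child_profile: bool = False) -> Tuple[List[str], List[str]]:
    """Aggregate unique rules and notes over a log excerpt, keeping first-seen order."""
    rules: List[str] = []
    notes: List[str] = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if not fields:
            continue
        new_rules, new_notes = suggest_rules(fields, child_profile)
        for rule in new_rules:
            if rule not in rules:
                rules.append(rule)
        for note in new_notes:
            if note not in notes:
                notes.append(note)
    return rules, notes


if __name__ == "__main__":
    rules, notes = profile_additions(SAMPLE_LOG)
    print("\n".join(rules))
    print("\n".join("# " + n for n in notes))
```

Run against the three quoted records it emits the change_profile rule and `/usr/bin/bash ix,` once each, and reports that the two exec records carry "no new privs" and that the Dec 6 record came from a profile in complain mode. Pass child_profile=True to get the `Cx -> bash` variant instead.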

Revision history for this message
Shaheena Kazi (shaheenakazi) wrote :

I am trying to use this command - sudo docker run -it --security-opt=no-new-privileges:true ubuntu bash
Also, I have tried sudo docker run -it ubuntu bash

(I am using Debian 11 and Kernel - 5.10.113)

And I am getting this denial - Dec 6 06:07:03 microk8s-19 kernel: audit: type=1400 audit(1670306823.891:1173): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/containerd" name="/usr/bin/bash" pid=12032 comm="runc:[2:INIT]" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="docker-default"

Also, there is nothing like /usr/bin/bash that I have ever heard of, so this looks quite strange to me.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This is what my container profile looks like:
# Last Modified: Tue Dec 6 05:54:42 2022
#include <tunables/global>

/usr/bin/containerd flags=(attach_disconnected, complain, mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/totem>

  capability dac_override,
  capability dac_read_search,
  capability mknod,
  capability net_admin,
  capability setgid,
  capability setpcap,
  capability setuid,
  capability sys_admin,
  capability sys_resource,

  mount options=(rw, bind) -> /run/docker/runtime-runc/**,
  mount options=(ro, remount, bind) -> /run/docker/runtime-runc/**,
  mount options=(rw, bind) -> /usr/bin/runc,
  mount options=(rw, rslave) -> /,
  mount options=(rw, rbind) -> /opt/docker/lib/**,
  mount options=(rw, nosuid, nodev, noexec) -> /opt/docker/lib/**,
  mount options=(rw, nosuid, strictatime) -> /opt/docker/lib/**,
  mount options=(rw, nosuid, noexec) -> /opt/docker/lib/**,
  mount options=(ro, nosuid, nodev, noexec) -> /opt/docker/lib/**,
  mount options=(ro, nosuid, nodev, noexec, remount, rbind) -> /opt/docker/lib/**,
  mount options=(rw, rprivate) -> /opt/docker/lib/**,
  mount options=(rw, bind) -> /dev/**,
  mount options=(rw, rbind) -> /proc/**,
  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/**,
  mount options=(ro) -> /proc/**,
  mount options=(rw, rbind) -> /dev/**,
  mount fstype=ext4,
  mount fstype=overlay,
  mount fstype=tmpfs,
  mount fstype=devpts,
  mount fstype=sysfs,
  mount options=(rw,bind) /[^spd]*{,/**},
  mount options=(rw,bind) /d[^e]*{,/**},
  mount options=(rw,bind) /de[^v]*{,/**},
  mount options=(rw,bind) /dev/.[^l]*{,/**},
  mount options=(rw,bind) /dev/.l[^x]*{,/**},
  mount options=(rw,bind) /dev/.lx[^c]*{,/**},
  mount options=(rw,bind) /dev/.lxc?*{,/**},
  mount options=(rw,bind) /dev/[^.]*{,/**},
  mount options=(rw,bind) /dev?*{,/**},
  mount options=(rw,bind) /p[^r]*{,/**},
  mount options=(rw,bind) /pr[^o]*{,/**},
  mount options=(rw,bind) /pro[^c]*{,/**},
  mount options=(rw,bind) /proc?*{,/**},
  mount options=(rw,bind) /s[^y]*{,/**},
  mount options=(rw,bind) /sy[^s]*{,/**},
  mount options=(rw,bind) /sys?*{,/**},
  umount options=(ro),
  umount options=(rw, bind),
  umount options=(rw, rprivate),
  umount options=(ro, nosuid, nodev, noexec, remount, rbind),
  umount options=(ro, nosuid, nodev, noexec),
  umount options=(rw, nosuid, noexec),
  umount options=(rw, nosuid, strictatime),
  umount o...


Revision history for this message
Seth Arnold (seth-arnold) wrote : Re: [Bug 1997374] Re: Profile Entry for operation="change_onexec"

On Tue, Dec 06, 2022 at 07:12:13AM -0000, Shaheena Kazi wrote:
> I am trying to use this command - sudo docker run -it --security-opt=no-new-privileges:true ubuntu bash
> Also, I have tried sudo docker run -it ubuntu bash
>
> (I am using Debian 11 and Kernel - 5.10.113)
>
> And I am getting this denial - Dec 6 06:07:03 microk8s-19 kernel:
> audit: type=1400 audit(1670306823.891:1173): apparmor="ALLOWED"
> operation="exec" info="no new privs" error=-1

The no-new-privileges may be blocking the domain transition. Try without
that?

Thanks

Revision history for this message
Shaheena Kazi (shaheenakazi) wrote :

I have also tried without no-new-privileges
-- I am getting the same denial

Revision history for this message
Shaheena Kazi (shaheenakazi) wrote :

Any update here ?

Revision history for this message
Shaheena Kazi (shaheenakazi) wrote :

Is there a solution here ?

Revision history for this message
Inshal Khan (lunaticsugarboo) wrote :

Try changing the AppArmor profile under /etc/apparmor.d/usr.bin.containerd, and add a rule to allow the "change_onexec" operation for the "docker-default" profile.
