update policy for .pyc denial and common java accesses

Bug #1496892 reported by Jamie Strandboge
Affects                        Status        Importance  Assigned to        Milestone
Snappy                         Fix Released  High        Jamie Strandboge
ubuntu-core-security (Ubuntu)  Fix Released  High        Jamie Strandboge

Bug Description

Python denials:
Sep 16 14:31:58 localhost kernel: [17643.143918] audit: type=1400 audit(1442413918.208:42): apparmor="DENIED" operation="unlink" profile="xxxx" name="/apps/xxxx/1.0/pyenv/lib/python2.7/site-packages/simplejson/__init__.pyc" pid=1418 comm="python" requested_mask="d" denied_mask="d" fsuid=0 ouid=101

Java denials with easy fixes:
Sep 12 02:52:09 localhost kernel: [ 116.171514] audit: type=1400 audit(1442026329.849:11): apparmor="DENIED" operation="open" profile="xxxx" name="/sys/devices/system/cpu/" pid=774 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:09 localhost kernel: [ 116.175142] audit: type=1400 audit(1442026329.853:12): apparmor="DENIED" operation="open" profile="xxxx" name="/proc/774/" pid=774 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:10 localhost kernel: [ 116.429485] audit: type=1400 audit(1442026330.110:13): apparmor="DENIED" operation="open" profile="xxxx" name="/proc/772/auxv" pid=772 comm="mongod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:10 localhost kernel: [ 117.293222] audit: type=1400 audit(1442026330.977:14): apparmor="DENIED" operation="open" profile="xxxx" name="/proc/version_signature" pid=772 comm="mongod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:10 localhost kernel: [ 117.293445] audit: type=1400 audit(1442026330.977:15): apparmor="DENIED" operation="open" profile="xxxx" name="/etc/lsb-release" pid=772 comm="mongod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:10 localhost kernel: [ 117.294152] audit: type=1400 audit(1442026330.977:16): apparmor="DENIED" operation="open" profile="xxxx" name="/proc/version" pid=772 comm="mongod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:21 localhost kernel: [ 127.566423] audit: type=1400 audit(1442026341.247:22): apparmor="DENIED" operation="open" profile="xxxx" name="/proc/sys/net/ipv4/ip_local_port_range" pid=774 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:11 localhost kernel: [ 117.510684] audit: type=1400 audit(1442026331.189:17): apparmor="DENIED" operation="open" profile="xxxx" name="/sys/devices/pci0000:00/0000:00:01.1/ata1/host0/target0:0:0/0:0:0:0/block/sda/queue/read_ahead_kb" pid=772 comm="mongod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:39 localhost kernel: [ 145.676753] audit: type=1400 audit(1442026359.360:24): apparmor="DENIED" operation="open" profile="xxxx" name="/proc/sys/vm/zone_reclaim_mode" pid=772 comm="mongod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:39 localhost kernel: [ 145.678068] audit: type=1400 audit(1442026359.360:25): apparmor="DENIED" operation="open" profile="xxxx" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=772 comm="mongod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:39 localhost kernel: [ 145.679063] audit: type=1400 audit(1442026359.360:26): apparmor="DENIED" operation="open" profile="xxxx" name="/sys/kernel/mm/transparent_hugepage/defrag" pid=772 comm="mongod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:40 localhost kernel: [ 146.347661] audit: type=1400 audit(1442026360.028:27): apparmor="DENIED" operation="open" profile="xxxx" name="/etc/writable/timezone" pid=786 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
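As an added triage example (not part of the bug report or the ubuntu-core-security package): the script below parses the quoted fields out of AppArmor audit records like the ones above and buckets each denial the way the 15.10.12 changelog treats it. The bucket names and the `/apps/` install root are my assumptions; the sample records are copied from this bug.

```python
import re
from collections import defaultdict

# AppArmor audit records are "key=value" pairs; the quoted values carry everything triage needs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Four records copied from the bug report above (the profile name was already redacted as "xxxx").
SAMPLE_LOG = """\
Sep 16 14:31:58 localhost kernel: [17643.143918] audit: type=1400 audit(1442413918.208:42): apparmor="DENIED" operation="unlink" profile="xxxx" name="/apps/xxxx/1.0/pyenv/lib/python2.7/site-packages/simplejson/__init__.pyc" pid=1418 comm="python" requested_mask="d" denied_mask="d" fsuid=0 ouid=101
Sep 12 02:52:09 localhost kernel: [ 116.171514] audit: type=1400 audit(1442026329.849:11): apparmor="DENIED" operation="open" profile="xxxx" name="/sys/devices/system/cpu/" pid=774 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:10 localhost kernel: [ 116.429485] audit: type=1400 audit(1442026330.110:13): apparmor="DENIED" operation="open" profile="xxxx" name="/proc/772/auxv" pid=772 comm="mongod" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 12 02:52:40 localhost kernel: [ 146.347661] audit: type=1400 audit(1442026360.028:27): apparmor="DENIED" operation="open" profile="xxxx" name="/etc/writable/timezone" pid=786 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

def parse_denials(text):
    """Return one dict of quoted fields per apparmor="DENIED" record; other lines are skipped."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if 'apparmor="DENIED"' in line]

def classify(denial, install_root="/apps/"):
    """Bucket a denial the way the 15.10.12 changelog entries treat it (bucket labels are mine)."""
    name, mask = denial["name"], denial["requested_mask"]
    if name.startswith(install_root) and name.endswith(".pyc") and set(mask) & set("wd"):
        return "quiet-deny"     # "suppress noisy write denials to .pyc files in the install dir"
    if re.fullmatch(r"/proc/\d+/cmdline", name):
        return "explicit-deny"  # "explicit deny to @{PROC}/@{pid}/cmdline"
    if mask == "r" and name.startswith(("/proc/", "/sys/", "/etc/")):
        return "allow-read"     # the read rules for /proc, /sys and /etc paths listed in the changelog
    return "review"             # anything else still needs a human decision

def summarize(text):
    """Group unique (path, mask, bucket) tuples by the denied program, one list per comm."""
    by_comm = defaultdict(set)
    for d in parse_denials(text):
        by_comm[d["comm"]].add((d["name"], d["requested_mask"], classify(d)))
    return {comm: sorted(items) for comm, items in by_comm.items()}

if __name__ == "__main__":
    for comm, items in summarize(SAMPLE_LOG).items():
        print(comm)
        for name, mask, bucket in items:
            print(f"  {bucket:13s} {mask:3s} {name}")
```

Records for the same comm and path collapse to one entry, so a busy boot log reduces to the handful of rules a policy author actually has to write.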

Changed in snappy:
status: New → Triaged
Changed in ubuntu-core-security (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ubuntu-core-security (Ubuntu):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote:

Uploaded to wily and the image ppa.

Changed in snappy:
status: Triaged → Fix Committed
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ubuntu-core-security (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ubuntu-core-security - 15.10.13

---------------
ubuntu-core-security (15.10.13) wily; urgency=medium

  * update autopkgtests for new policy groups

ubuntu-core-security (15.10.12) wily; urgency=medium

  * add restricted network-admin policy group
  * ubuntu-core/default:
    - allow reading unversioned package dirs in $HOME
    - suppress noisy write denials to .pyc files in the install dir
      (LP: #1496892). This might be able to be removed when LP: 1496895 is
      fixed.
  * ubuntu-core/default: handle miscellaneous java accesses (LP: #1496895)
    - read to @PROC/@{pid}/ and @PROC/@{pid}/fd/
    - owner read to owner @PROC/@{pid}/auxv
    - reads to @PROC/@{pid}/version_signature, @PROC/@{pid}/version,
      /etc/lsb-release
    - read to @PROC/sys/vm/zone_reclaim_mode
    - read to /sys/devices/**/read_ahead_kb and /sys/devices/system/cpu/**
    - read to /sys/kernel/mm/transparent_hugepage/enabled and
      /sys/kernel/mm/transparent_hugepage/defrag
    - explicit deny to @{PROC}/@{pid}/cmdline. This seems to be ok for now,
      but if it breaks things, allow with owner match (an info leak) until we
      have kernel side pid variable in AppArmor
    - allow reads on /etc/{,writable/}localtime and /etc/{,writable/}timezone
  * add restricted snapd policy group
  * add restricted network-firewall policy group
  * add restricted network-status policy group
  * bin/snappy-security: use 'Caps' instead of 'Policy groups' in output
  * ubuntu/network-service: reluctantly allow access to /proc/*/net/if_inet6
    and /proc/*/net/ipv6_route until we can find a better way (LP: #1496906)
  * add test-format.sh to make sure we have properly formatted policy
  * debian/rules: use test-format.sh
  * ubuntu/unconfined: use 'Usage: reserved' not 'restricted' since
    'restricted' is not a valid 'Usage' value

ubuntu-core-security (15.10.11) wily; urgency=medium

  * ubuntu-core/default: allow reads on directories in /sys/devices and
    /sys/class to ease using hw-assign

 -- Jamie Strandboge <email address hidden> Mon, 21 Sep 2015 17:23:42 -0500

Changed in ubuntu-core-security (Ubuntu):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote:

This was fixed in recent stable versions.

Changed in snappy:
status: Fix Committed → Fix Released