odd denial when using recent docker + runc with apparmor (memfd)

Bug #1820344 reported by Ian Johnson
Affects: AppArmor | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

I see this denial when building a new version of the docker snap (v18.09.03) that contains new code for mitigation of CVE-2019-5736.

To reproduce this you can build a version of the docker snap using my branch here: https://code.launchpad.net/~docker/+git/snap/+ref/feature/18.09-update

Build the snap using snapcraft then remove any other instances of the docker snap (and also of the docker deb as they conflict with each other) and then connect all the interfaces:

snap connect docker:support
snap connect docker:home
snap connect docker:privileged
snap connect docker:firewall-control
snap connect docker:docker-cli docker:docker-daemon

Finally, start the dockerd daemon:

snap start --enable docker.dockerd

Now trying to run any docker container will fail:

$ docker run -it ubuntu bash
docker: Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "process_linux.go:297: getting the final child's pid from pipe caused \"read init-p: connection reset by peer\"": unknown.

And you will see this odd denial in the logs:

Mar 15 14:38:19 audit[7876]: AVC apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/" pid=7876 comm="exe" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

The denial goes away, however, if you add

/ ix,

to the apparmor policy.
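As an added illustration (not part of the bug report or of snapd/runc), a small Python helper that parses AppArmor AVC lines like the one above, picks out the exec denials attributed to the snap.docker.dockerd profile, flags the name="/" form this bug is about, and emits the "ix" workaround rule the reporter used. The first sample line is the denial quoted in the report; the other two are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: line 1 is the denial from the bug report; line 2 mimics the
# post-runc-PR-1984 variant (denial on /bin/runc) and line 3 is an unrelated open denial.
SAMPLE_LOG = """\
Mar 15 14:38:19 audit[7876]: AVC apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/" pid=7876 comm="exe" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jul 01 10:00:00 audit[9001]: AVC apparmor="DENIED" operation="exec" profile="snap.docker.dockerd" name="/bin/runc" pid=9001 comm="exe" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jul 01 10:00:01 audit[9002]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/etc/shadow" pid=9002 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# AppArmor writes key="quoted value" for strings (paths, masks, profile names) and
# key=bareword for numeric ids; quoted values may contain backslash escapes.
_KV = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one AppArmor AVC line, or None if it is not one."""
    if " AVC apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def exec_denials(log: str, profile: str) -> List[Dict[str, str]]:
    """Exec denials charged to one profile, i.e. the class of event this bug describes."""
    found = []
    for line in log.splitlines():
        ev = parse_avc(line)
        if (ev and ev.get("apparmor") == "DENIED" and ev.get("operation") == "exec"
                and ev.get("profile") == profile and "x" in ev.get("denied_mask", "")):
            found.append(ev)
    return found


def is_memfd_style(ev: Dict[str, str]) -> bool:
    """The odd symptom in this bug: an exec denial whose target path is just "/".
    An on-disk binary reports its real path; the bare "/" is what the report ties to
    runc re-executing itself from an anonymous memfd (the "(memfd)" in the title)."""
    return ev.get("operation") == "exec" and ev.get("name") == "/"


def suggest_rule(ev: Dict[str, str]) -> str:
    """The workaround shape used in the report: '<path> ix,' (child inherits the profile)."""
    return f'{ev["name"]} ix,'


if __name__ == "__main__":
    for ev in exec_denials(SAMPLE_LOG, "snap.docker.dockerd"):
        tag = "memfd-style" if is_memfd_style(ev) else "on-disk binary"
        print(f'pid={ev["pid"]} comm={ev["comm"]} name={ev["name"]} [{tag}] -> {suggest_rule(ev)}')
```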

Jamie Strandboge (jdstrand) wrote : Re: odd denial when using recent docker + runc with apparmor (sealed memfd)

Note, we added a workaround rule to snapd and it is not blocked at this time.

summary: - odd denial when using recent docker + runc with apparmor
+ odd denial when using recent docker + runc with apparmor (sealed memfd)
Changed in apparmor:
status: New → Confirmed
summary: - odd denial when using recent docker + runc with apparmor (sealed memfd)
+ odd denial when using recent docker + runc with apparmor (memfd)
Tianon Gravi (tianon) wrote :

I'd like to add that in updating the Snap to 18.09.7, this has changed slightly thanks to https://github.com/opencontainers/runc/pull/1984 such that the denial is now on "/bin/runc" instead of "/", which is slightly better I suppose (there will likely be a snapd PR shortly to update/increase the snapd workaround to compensate).

Jamie Strandboge (jdstrand) wrote :

@Tianon - FYI, snapd is being adjusted for this: https://github.com/snapcore/snapd/pull/7090
