[FFe] apparmor signal and ptrace mediation

Bug #1298611 reported by Jamie Strandboge on 2014-03-27
This bug affects 3 people
Affects                            Importance  Assigned to
apparmor (Ubuntu)                  High        Tyler Hicks
apparmor-easyprof-ubuntu (Ubuntu)  Medium      Jamie Strandboge
libvirt (Ubuntu)                   High        Jamie Strandboge
lightdm (Ubuntu)                   High        Tyler Hicks
linux (Ubuntu)                     High        John Johansen
lxc (Ubuntu)                       High        Jamie Strandboge

Bug Description

Background: kernel and apparmor userspace updates to support signal and ptrace mediation. These packages are listed in one bug because they are related, but the FFes may be granted and the uploads may happen at different times.

= linux =
Summary:
This feature freeze exception is requested for signal and ptrace mediation via apparmor in the kernel. When used with a compatible apparmor userspace, signals and ptrace rules are supported. When used without a compatible apparmor userspace (eg, on a precise system with a trusty backport kernel), signal and ptrace mediation is not enforced (ie, you can use this kernel with an old userspace without any issues).

The fine grained mediation of signals and ptraces also incorporates improved
versioning support that allows this kernel to better support older and newer
userspaces. This allows for this version of the kernel to work as a backport
kernel unmodified (currently a patch and config are used to provide backport
kernels).

The kernel patch is available at git://kernel.ubuntu.com/jj/ubuntu-trusty.git
in the trusty-alpha6 branch apparmor-alpha6-sync

Testing:
* 12.04 system with backported kernel: DONE
 * test-apparmor.py: PASS (runs extensive tests (upstream and distro))
 * exploratory manual testing: PASS (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
 * aa-status: PASS
 * lxc: PASS (containers can be created, started, shutdown)
 * libvirt: PASS (VMs started via openstack, and test-libvirt.py from QRT passes all tests)
* 14.04 system (non-Touch) with current apparmor userspace: DONE (relevant parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor)
 * test-apparmor.py: PASS (runs extensive tests (upstream and distro))
 * exploratory manual testing: PASS (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
 * aa-status: PASS
 * lxc: PASS (containers can be created, started, shutdown)
 * libvirt: PASS (QRT/script/test-libvirt.py (though there are 3 failures unrelated to apparmor))
 * click-apparmor QRT touch image tests: PASS
 * apparmor-easyprof-ubuntu QRT touch image tests: PASS
* 14.04 system (non-Touch) with updated apparmor userspace capable of supporting signal and ptrace mediation: DONE (relevant parts of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor. Note: this is marked 'done' from the kernel perspective; the apparmor userspace upload is being prepared and tests assume userspace is using latest patches on the list)
 * test-apparmor.py: PASS (runs extensive tests (upstream and distro))
 * exploratory manual testing: PASS (networking, aa-enforce with firefox, firefox works, apparmor blocks access, etc)
 * aa-status: PASS
 * lxc: PASS (containers can be created, started, shutdown)
 * libvirt: PASS (QRT/script/test-libvirt.py (though there are 3 failures unrelated to apparmor))
 * click-apparmor QRT touch image tests: PASS
 * apparmor-easyprof-ubuntu QRT touch image tests: PASS

Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a significant security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.

= apparmor userspace =
Summary:
This feature freeze exception is requested for signal and ptrace mediation for apparmor userspace. When used with a compatible kernel, signals and ptrace rules are supported. When used without a compatible kernel (eg, on Ubuntu Touch for a few weeks or with upstream kernels), signal and ptrace rules are skipped (ie, you can use this userspace with other kernels without issue).

Testing:
* 14.04 system with current kernel (Touch, kernel doesn't have signal and ptrace mediation yet):
 * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: PASS (includes click-apparmor, apparmor-easyprof-ubuntu, exploratory manual testing, etc)
* 14.04 system with previous kernel lacking signal and ptrace mediation (non-Touch):
 * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: PASS (exploratory manual testing, lxc, libvirt (3 failures unrelated to apparmor), etc)
 * test-apparmor.py: PASS
 * lightdm guest session: PASS (login, start browser, logout)
* 14.04 system kernel capable of supporting signal and ptrace mediation (non-Touch):
 * https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor: PASS (includes test-apparmor.py, exploratory manual testing, lxc, libvirt (3 failures unrelated to apparmor), etc)
 * Verify everything in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles: PASS (except juju since it doesn't have policy itself)
 * lightdm guest session: PASS (login, start browser, logout)

Justification:
This feature is required to support comprehensive application confinement on Ubuntu Touch. This feature adds a significant security benefit to libvirt's qemu guest isolation which is fundamental to Ubuntu on Server/Cloud. This feature also adds a welcome improvement to administrators wishing to further protect their systems.

Extra information:
While the apparmor userspace and kernel changes to support signal and ptrace mediation can happen at different times, the apparmor userspace upload must correspond with uploads for packages that ship AppArmor policy that require updates (eg, libvirt, lxc, etc). The packages outlined in https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles have been tested to either work without modification to the policy or updated and tested to work with updated policy. Common rules will be added to the apparmor base abstraction such that most packages shipping apparmor policy will not require updating. These updates will be prepared, tested and published en masse via a silo ppa.

Common rules added to the base abstraction are (ie, these rules will be included in all policy on Ubuntu since the base abstraction is always used in distro policy):
  # Allow other processes to read our /proc entries, futexes, perf tracing and
  # kcmp for now
  ptrace (readby),

  # Allow other processes to trace us by default (they will need 'trace' in
  # the first place). Administrators can override with:
  # deny ptrace (tracedby) ...
  ptrace (tracedby),

  # Allow unconfined processes to send us signals by default
  signal (receive) peer=unconfined,

  # Allow us to signal ourselves
  signal peer=@{profile_name},

  # Checking for PID existence is quite common so add it by default for now
  signal (receive, send) set=("exists"),
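The base-abstraction rules above cover the common cases; anything outside them shows up in the audit log as an apparmor="DENIED" record carrying the operation (signal or ptrace), the denied profile, the mask, the peer and, for signals, the signal name. The following Python helper is an added example and is not part of the AppArmor project or of the uploads in this bug: it parses such denial records and prints candidate rules in the apparmor.d(5) syntax used above. The audit lines, profile names and peer names in it are constructed for the example; real denials should be reviewed one by one before being turned into rules, and the bare `signal,` and `ptrace,` rules chosen for the lxc abstractions in this bug are the coarser alternative.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from this bug); the key=value layout
# follows the apparmor="DENIED" records the kernel emits for signal and ptrace.
SAMPLE_LOG = """\
type=AVC msg=audit(1396518000.123:456): apparmor="DENIED" operation="signal" profile="/usr/bin/lxc-start" pid=1234 comm="lxc-start" requested_mask="send" denied_mask="send" signal=term peer="lxc-container-default"
type=AVC msg=audit(1396518000.456:457): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=2345 comm="libvirtd" requested_mask="read" denied_mask="read" peer="libvirt-example-guest"
type=AVC msg=audit(1396518001.789:458): apparmor="DENIED" operation="signal" profile="/usr/bin/lxc-start" pid=1234 comm="lxc-start" requested_mask="send" denied_mask="send" signal=kill peer="lxc-container-default"
type=AVC msg=audit(1396518002.000:459): apparmor="DENIED" operation="open" profile="/usr/bin/firefox" pid=999 comm="firefox" name="/etc/shadow" requested_mask="r" denied_mask="r"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Split one audit record into a dict of key -> value with quotes stripped."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def parse_denials(text):
    """Keep only DENIED records whose operation is signal or ptrace."""
    denials = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("apparmor") == "DENIED" and rec.get("operation") in ("signal", "ptrace"):
            denials.append(rec)
    return denials


def _peer(rec):
    """Peer label from the record; quote it only if it contains whitespace."""
    peer = rec.get("peer", "unconfined")
    return '"%s"' % peer if re.search(r"\s", peer) else peer


def suggest_rules(denials):
    """Aggregate denials into candidate rules, keyed by the denied profile.

    Signal denials with the same profile, mask and peer are merged into one
    rule with a set=(...) of the signal names seen; ptrace denials become one
    rule per (profile, mask, peer).
    """
    signals = defaultdict(set)   # (profile, mask, peer) -> signal names
    ptraces = set()              # (profile, mask, peer)
    for rec in denials:
        mask = rec.get("denied_mask") or rec.get("requested_mask")
        key = (rec["profile"], mask, _peer(rec))
        if rec["operation"] == "signal":
            signals[key].add(rec.get("signal"))
        else:
            ptraces.add(key)

    rules = defaultdict(list)
    for (profile, mask, peer), names in sorted(signals.items()):
        names.discard(None)  # a record without signal= gives no set=() clause
        set_clause = " set=(%s)" % " ".join(sorted(names)) if names else ""
        rules[profile].append("signal (%s)%s peer=%s," % (mask, set_clause, peer))
    for profile, mask, peer in sorted(ptraces):
        rules[profile].append("ptrace (%s) peer=%s," % (mask, peer))
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_rules(parse_denials(SAMPLE_LOG)).items():
        print("# candidate rules for %s" % profile)
        for rule in lines:
            print("  " + rule)
```

Run it on the output of `journalctl -k` or /var/log/audit/audit.log instead of SAMPLE_LOG to get per-profile suggestions; the generated rules deliberately name the peer and (for signals) the set of signals rather than granting a bare `signal,`, which is the tighter end of the trade-off the comments in this bug discuss.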


description: updated
description: updated
description: updated
tags: added: bot-stop-nagging

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1298611

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
description: updated
Changed in linux (Ubuntu):
status: Incomplete → New
description: updated
Brad Figg (brad-figg) on 2014-03-27
Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu):
status: Incomplete → New
Brad Figg (brad-figg) on 2014-03-28
Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: kernel-bot-stop-nagging
removed: bot-stop-nagging
Changed in linux (Ubuntu):
status: Incomplete → New
Brad Figg (brad-figg) on 2014-03-28
Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
description: updated
description: updated
Jamie Strandboge (jdstrand) wrote :

Adding libvirt task for if the apparmor and linux tasks are accepted. Debdiff should be applied at same time as apparmor upload.

description: updated
Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → High
Changed in apparmor (Ubuntu):
importance: Undecided → High
Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in libvirt (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
description: updated
description: updated
description: updated
Tim Gardner (timg-tpi) on 2014-03-31
Changed in linux (Ubuntu):
status: Confirmed → Fix Committed
Adam Conrad (adconrad) wrote :

Approving the kernel side of this. Please re-test against the -21 kernel when it spits out of the buildds.

Jamie Strandboge (jdstrand) wrote :

Adam, thanks for the review and we will test that kernel. FYI, if by some chance the userspace bits aren't granted the FFe, the kernel bits are safe to keep in trusty.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-21.43

---------------
linux (3.13.0-21.43) trusty; urgency=low

  [ Andy Whitcroft ]

  * SAUCE: kvm: BIOS disabled kvm support should be a warning
    - LP: #1300247
  * SAUCE: nouveau: missing outputs should be warnings
    - LP: #1300244

  [ John Johansen ]

  * Revert "SAUCE: Add config option to disable new apparmor 3 semantics"
  * Revert "SAUCE: apparmor: fix uninitialized lsm_audit membe"
  * Revert "SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded
    policy"
  * Revert "SAUCE: apparmor: allocate path lookup buffers during init"
  * Revert "SAUCE: apparmor: fix unix domain sockets to be mediated on
    connection"
  * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
  * SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
    - LP: #1298611

  [ Tetsuo Handa ]

  * SAUCE: kthread: Do not leave kthread_create() immediately upon SIGKILL.

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1300412
  * [Config] updateconfigs after AA patch set
  * [Config] CONFIG_ZSWAP=n, CONFIG_ZBUD=n for all arches
  * [Config] CONFIG_XILINX_LL_TEMAC=m for powerpc
  * [Config] CONFIG_WQ_POWER_EFFICIENT_DEFAULT=y for ppc64el
  * [Config] CONFIG_WLAN=y for arm64
  * [Config] CONFIG_VORTEX=m for ppc64el
  * [Config] CONFIG_WIMAX=m for ppc64el
  * [Config] CONFIG_WATCHDOG=y for ppc64el
  * [Config] CONFIG_VME_BUS=m for ppc64el
  * [Config] CONFIG_VIRT_DRIVERS=y for ppc64el
  * [Config] CONFIG_VIDEO_OUTPUT_CONTROL=m for ppc64el
  * [Config] CONFIG_VERSION_SIGNATURE="" for powerpc64-emb
  * [Config] CONFIG_UWB=m for ppc64el

  [ Upstream Kernel Changes ]

  * vhost: validate vhost_get_vq_desc return value
    - CVE-2014-0055
  * net: use kfree_skb_list() helper
  * skbuff: skb_segment: s/frag/nskb_frag/
  * skbuff: skb_segment: s/skb_frag/frag/
  * skbuff: skb_segment: s/skb/head_skb/
  * skbuff: skb_segment: s/fskb/list_skb/
  * skbuff: skb_segment: orphan frags before copying
    - CVE-2014-0131

  [ Upstream Kernel Changes ]

  * rebase to v3.13.8
 -- Tim Gardner <email address hidden> Mon, 31 Mar 2014 12:38:11 -0600

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Tyler Hicks (tyhicks) wrote :

I've added tasks for lightdm and lxc. The lightdm guest session abstraction needs to be updated for signal and ptrace mediation and I'm currently working on that. In previous IRC discussions, stgraber mentioned that he had a handle on what was needed for the lxc policy so I've assigned him but I can obviously help out as needed.

Changed in lightdm (Ubuntu):
status: New → In Progress
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → High
Changed in apparmor (Ubuntu):
status: Confirmed → In Progress
Changed in lxc (Ubuntu):
assignee: nobody → Stéphane Graber (stgraber)
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

Stéphane, all that is needed is to add the following to abstractions/lxc/container-base and abstractions/lxc/start-container:
  signal,
  ptrace,

Obviously, confinement could be more interesting, but like with dbus we should err on the side of caution and just let these through. Adding these rules gives us equivalent confinement to lxc on 13.10.

Jamie Strandboge (jdstrand) wrote :

Note: I only did rudimentary testing: create, ls, start, shutdown, destroy.

Jamie Strandboge (jdstrand) wrote :

Here is a debdiff for lxc. It is tested on trusty. To ease backporting, I updated debian/rules to strip out the signal and ptrace rules for Ubuntu releases earlier than 14.04 (using the same method as for stripping out dbus for earlier than 13.10), but could not test earlier releases because libcgmanager-dev does not exist on them.

Before upgrading lxc, there were many ptrace and signal denials when using containers. After upgrading, creating, starting, using, stopping, destroying all works fine with no denials.

Changed in lxc (Ubuntu):
status: New → In Progress
assignee: Stéphane Graber (stgraber) → Jamie Strandboge (jdstrand)
Changed in libvirt (Ubuntu):
status: Triaged → In Progress
description: updated
description: updated
Stéphane Graber (stgraber) wrote :

The LXC change looks good, it's in line with what I was planning to push upstream. Feel free to upload that directly to the archive and I'll do a similar upstream change right around the same time so our PPA users don't break, then shortly after that will tag 1.0.3 and get that into trusty so we can drop the patch.

description: updated
description: updated
Jamie Strandboge (jdstrand) wrote :

The apparmor-easyprof-ubuntu change is not strictly needed in this upload since it is primarily used for Touch and the Touch kernels don't yet have the updated patchset. However, it could affect people testing click packages on the desktop and it is a change we need to make anyway.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
status: New → In Progress
description: updated
description: updated
Tyler Hicks (tyhicks) wrote :

Here's the lightdm debdiff to allow the guest session to start with AppArmor signal and ptrace mediation. It is tested on Trusty amd64.

Tyler Hicks (tyhicks) wrote :

Here's an updated libvirt debdiff. I rebased Jamie's debdiff on top of the libvirt that was uploaded to the archive yesterday.

Tyler Hicks (tyhicks) wrote :

Here's the apparmor debdiff. The testing performed is described in the bug description. Let me know if there are any questions.

Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Committed
Changed in libvirt (Ubuntu):
status: In Progress → Fix Committed
Changed in lightdm (Ubuntu):
status: In Progress → Fix Committed
Changed in lxc (Ubuntu):
status: In Progress → Fix Committed
description: updated
Jamie Strandboge (jdstrand) wrote :

FYI, retested all the packages in the PPA on desktop/server for TestPlan with and without the kernel that supports signal/ptrace mediation and everything passes (barring expected test-libvirt.py errors unrelated to apparmor).

Steve Langasek (vorlon) on 2014-04-04
Changed in apparmor (Ubuntu):
status: Fix Committed → New
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Fix Committed → New
Changed in libvirt (Ubuntu):
status: Fix Committed → New
Changed in lightdm (Ubuntu):
status: Fix Committed → New
Changed in lxc (Ubuntu):
status: Fix Committed → New
Steve Langasek (vorlon) wrote :

The debdiff attached for apparmor looks good, aside from missing some Breaks: on the old versions of the packages that need to go in at the same time (because their policies will cease to be sufficient once ptrace/signal mediation support lands). Jamie has pushed the added Breaks; once they're available, I'm ok with this going in.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.9.14-0ubuntu2

---------------
lightdm (1.9.14-0ubuntu2) trusty; urgency=medium

  * debian/patches/06_guest_signal_and_ptrace_aa_rules.patch: Grant
    permission for guest session processes to signal and ptrace each
    other (LP: #1298611)
  * debian/patches/07_guest_proc_pid_stat_aa_rule.patch: Grant permission for
    guest session processes to read /proc/<PID>/stat. This prevents AppArmor
    denial messages caused by bamfdaemon and common utilities such as ps and
    killall. (LP: #1301625)
 -- Tyler Hicks <email address hidden> Thu, 03 Apr 2014 02:48:51 -0500

Changed in lightdm (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.2-0ubuntu9

---------------
libvirt (1.2.2-0ubuntu9) trusty; urgency=medium

  [ Jamie Strandboge ]
  * updates for AppArmor signals and ptrace mediation (LP: #1298611)
    - debian/apparmor/libvirt-qemu: allow guests to receive signals from and
      be tracedby libvirtd (additional signal and ptrace rules come from the
      AppArmor base abstraction)
    - debian/apparmor/usr.sbin.libvirtd:
      + grant bare signal and ptrace rule
      + grant dbus on the system bus (should have been added in 13.10)
 -- Tyler Hicks <email address hidden> Thu, 03 Apr 2014 02:09:53 -0500

Changed in libvirt (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 1.0.2-0ubuntu2

---------------
lxc (1.0.2-0ubuntu2) trusty; urgency=medium

  * updates for AppArmor signal and ptrace mediation (LP: #1298611)
    - debian/patches/apparmor-signal-ptrace.patch: add signal and ptrace rules
      to abstractions/container-base and abstractions/start-container
    - debian/rules: remove signal and ptrace rules for Ubuntu releases earlier
      than 14.04 LTS
 -- Jamie Strandboge <email address hidden> Thu, 03 Apr 2014 07:06:56 -0500

Changed in lxc (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5

---------------
apparmor (2.8.95~2430-0ubuntu5) trusty; urgency=medium

  * debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin,
    lightdm and apparmor-easyprof-ubuntu

apparmor (2.8.95~2430-0ubuntu4) trusty; urgency=medium

  [ John Johansen, Steve Beattie ]
  * Add userspace support for AppArmor signals and ptrace mediation
    (LP: #1298611)
    + debian/patches/mediate-signals.patch,
      debian/patches/change-signal-syntax.patch: Parse signal rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/change-ptrace-syntax.patch,
      debian/patches/mediate-ptrace.patch: Parse ptrace rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/test-signal-rules.patch,
      debian/patches/test-ptrace-rules.patch,
      debian/patches/update-tests-for-new-semantics.patch: Update existing
      tests and add new tests for signal and ptrace mediation
    + debian/patches/fix-garbage-in-preprocessor-output.patch: Fix bug causing
      apparmor_parser preprocessor output to contain garbage after include
      statements
    + debian/patches/fix-double-comma-in-preprocessor-output.patch: Fix bug
      causing apparmor_parser preprocessor output to contain double commas
      after some rules
    + debian/patches/symtab-tests-and-seenlist-bug.patch,
      debian/patches/add-profile-name-variable.patch: Add ${profile_name}
      variable for use in profiles when rules need to specify the current
      profile's name. This is useful for signal and ptrace rules that specify
    + debian/patches/fix-names-treated-as-condlistid.patch: Fix
      apparmor_parser bug that caused mount and dbus rules to fail for sets of
      values

  [ Jamie Strandboge ]
  * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch:
    Adjust the base abstraction for signals and ptrace mediation. Profiles
    that use the base abstraction can deny any of the granted permissions to
    achieve tighter confinement.
  * debian/patches/manpage-signal-ptrace.patch: Update the apparmor.d man
    page to document signal rules, ptrace rules, and variables for use in
    AppArmor profiles
  * debian/patches/dnsmasq-libvirtd-signal-ptrace.patch: Update the dnsmasq
    profile to allow libvirtd to send signals to and ptrace read the dnsmasq
    process
  * debian/patches/update-chromium-browser.patch: Adjust the chromium-browser
    profile for permissions needed in newer chromium-browser versions and add
    the rules needed for AppArmor ptrace mediation

  [ Tyler Hicks ]
  * Add new rule type support to aa.py to fix tracebacks when using the Python
    utilities in apparmor-utils on systems with AppArmor profiles containing
    previously unsupported rule types
    - debian/patches/python-utils-file-support.patch: Support path rules
      containing the "file" prefix (LP: #1295346)
    - debian/patches/python-utils-signal-support.patch: Parse and write signal
      rules (LP: #1300316)
    - debian/patches/python-utils-ptrace-support.patch: Parse and write ptrace
      rules (LP: #1300317)...


Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.1.14

---------------
apparmor-easyprof-ubuntu (1.1.14) trusty; urgency=medium

  * 1.1/webview: update for ptrace and signal mediation (LP: #1298611)
  * debian/control: Depends on apparmor >= 2.8.95~2430-0ubuntu4
 -- Jamie Strandboge <email address hidden> Thu, 03 Apr 2014 15:19:23 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Fix Released
Ken Sharp (kennybobs) wrote :

Did these changes end up in Precise? I see no sensible way to tell AppArmor to allow a ptrace. The parser is totally confused by this.

Seth Arnold (seth-arnold) wrote :

Ken,

The ptrace mediation in 12.04 LTS is very rudimentary; if you add capability sys_ptrace, to a profile then processes running in that profile are allowed to trace any process the discretionary access controls allow. The fine-grained permissions introduced in 14.04 LTS require both the new kernel and userspace.

I tested that the apparmor 2.7.102-0ubuntu3.10 package with the linux-generic-lts-trusty 3.13.0.49.43 package will allow ptrace using the capability sys_ptrace, permission via a strace profile:

# cat usr.bin.strace
# Last Modified: Sat Apr 11 03:38:35 2015
#include <tunables/global>

/usr/bin/strace {
  #include <abstractions/base>

  capability sys_ptrace,

  /bin/ls rix,
  /home/*/ r,
  /proc/filesystems r,
  /usr/bin/strace mr,

}

I tested both strace /bin/ls and strace -p 1.

Thanks
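Seth's point above is that fine-grained ptrace and signal rules only take effect when both the kernel and the userspace support them, and that with an older kernel the rules are simply skipped. The kernel side of that can be checked directly: a kernel with the mediation exports one directory per rule class under the apparmor features tree in securityfs. The following Python check is an added example and is not part of the AppArmor project or of the uploads in this bug; it reads /sys/kernel/security/apparmor/features (a real path, but the per-class mask contents used for the constructed offline trees are placeholders rather than the exact strings a given kernel lists) and compares a constructed pre-mediation tree with one that carries signal and ptrace classes.

```python
import os
import tempfile

# Real securityfs location of the kernel's AppArmor feature tree.
FEATURES_DIR = "/sys/kernel/security/apparmor/features"


def mediation_support(features_dir=FEATURES_DIR):
    """Report which of the signal and ptrace classes the kernel advertises.

    A kernel with the fine-grained support exports a directory per class
    under the features tree; a pre-mediation kernel has no such entries, which
    is the case in which the newer userspace skips signal and ptrace rules.
    """
    result = {"apparmor": os.path.isdir(features_dir)}
    for cls in ("signal", "ptrace"):
        result[cls] = os.path.isdir(os.path.join(features_dir, cls))
    return result


def advertised_mask(features_dir=FEATURES_DIR, cls="ptrace"):
    """Return the permission names listed in <class>/mask, or [] if absent."""
    try:
        with open(os.path.join(features_dir, cls, "mask")) as fh:
            return fh.read().split()
    except OSError:
        return []


def build_fake_features(root, classes):
    """Constructed stand-in for the securityfs tree so the check runs offline.

    classes maps a class name to the placeholder contents of its mask file.
    """
    for cls, mask in classes.items():
        os.makedirs(os.path.join(root, cls))
        with open(os.path.join(root, cls, "mask"), "w") as fh:
            fh.write(mask + "\n")
    return root


def compare_kernels():
    """Run the check against a constructed pre-mediation tree and a constructed
    tree that carries signal and ptrace classes; returns both results."""
    with tempfile.TemporaryDirectory() as old, tempfile.TemporaryDirectory() as new:
        build_fake_features(old, {"file": "read write exec"})
        build_fake_features(new, {"file": "read write exec",
                                  "signal": "hup int term kill",
                                  "ptrace": "read trace"})
        return {"old": (mediation_support(old), advertised_mask(old)),
                "new": (mediation_support(new), advertised_mask(new))}


if __name__ == "__main__":
    # On a live system, report what the running kernel actually exposes.
    print("running kernel:", mediation_support(), advertised_mask())
    for label, (support, mask) in compare_kernels().items():
        print("%s kernel: %s ptrace mask=%s" % (label, support, mask))
```

On a 12.04 system with its stock kernel the live check reports no signal or ptrace class, matching Seth's description that only capability sys_ptrace is available there; on a kernel carrying the mediation both directories are present. This only answers the kernel half of the question; the userspace half is the apparmor package version, as the Breaks added in this bug's apparmor upload reflect.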

Ken Sharp (kennybobs) wrote :

Thanks for clearing that up, Seth!
