'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker

Bug #1390592 reported by Jamie Strandboge on 2014-11-07
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
High
Unassigned
Trusty
High
Tyler Hicks

Bug Description

I was helping a docker user out in #apparmor on OFTC and I think we found a kernel bug in the 14.04 kernel (14.10 kernel seems fine, see below).

Workaround: install the https://launchpad.net/ubuntu/+source/linux-lts-utopic kernel.

$ cat /proc/version_signature
Ubuntu 3.13.0-37.64-generic 3.13.11.7

Steps to reproduce:
1. adjust /etc/apparmor.d/abstractions/base to have:
  ptrace peer=@{profile_name},
2. sudo apt-get install docker.io
3. sudo docker pull ubuntu:trusty
4. Run 'ps' inside docker:
   $ sudo docker run -i -t ubuntu:trusty bash
   root@5039d725a41d:/# ps
   ...
   root@5039d725a41d:/# exit
   $

Then observe the following denials on the host, which should have been addressed in the rule added in step 1:
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"

Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10 works as expected (note, the policy is different on 14.10 and it already has the rule from step 1). Ubuntu 14.04 with the linux-lts-utopic backport kernel also works (from trusty-proposed: sudo apt-get install linux-headers-3.16.0-25-generic linux-image-3.16.0-25-generic linux-image-extra-3.16.0-25-generic).

Note, docker is different than most applications in that it embeds its policy inside the docker binary and this binary when launched as a daemon (ie, via the upstart job) will unconditionally write out the policy to /etc/apparmor.d/docker-default. As such, to modify the policy:

0. install docker.io and pull a trusty image # only has to be done once
1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
2. sudo stop docker.io # 'docker' on 14.10
3. sudo apparmor_parser -R /etc/apparmor.d/docker
4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
5. sudo start docker.io # 'docker' on 14.10
6. Run 'ps' inside docker:
   $ sudo docker run -i -t ubuntu:trusty bash
   root@5039d725a41d:/# ps
   ...
   root@5039d725a41d:/# exit
   $

(Docker just added a way to specify an alternate existing profile in https://docs.docker.com/reference/run/#security-configuration).

Reference: https://github.com/docker/docker/issues/7276

description: updated
description: updated
description: updated
description: updated
description: updated
tags: added: kernel-da-key trusty
Tyler Hicks (tyhicks) wrote :

I'm fairly certain that this is a parser bug and not a kernel bug. The dfa-states output for the profile "profile XYZ { ptrace peer=@{profile_name}, }" changes between 14.04 and 14.10. Also, I can pull down lp:apparmor and build a parser, on 14.04, that doesn't exhibit the behavior described in this bug report. I'm still trying to narrow down the upstream parser commit(s) that fix this bug.

Changed in apparmor (Ubuntu):
importance: Undecided → High
status: New → Confirmed
tags: added: aa-parser
Jamie Strandboge (jdstrand) wrote :

Per Tyler, this is fixed in r2456. In 14.04, add-decimal-interp.patch should be removed in favor of this patch.

no longer affects: linux (Ubuntu)
Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Changed in apparmor (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
tags: removed: aa-kernel
Tyler Hicks (tyhicks) wrote :

I may need to take another approach instead of replacing add-decimal-interp.patch with upstream commit r2456. While this bug is fixed, the regression test suite hits some new failures. The commit message of upstream commit r2541 explains the problem (and changes the tests):

 Earlier fixes to the parser's handling of escape sequences involving '\'
 caused a behavioral change that profiles no longer needed to contain
 '\\' before an octal escape sequence.

I don't feel like that kind of change is acceptable in an SRU. I'll dig into the r2456 patch some more and see if I can pull out only the binary encoding bug fix.

Changed in apparmor (Ubuntu Trusty):
status: Triaged → In Progress
assignee: nobody → Tyler Hicks (tyhicks)
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2014-1424

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.1

---------------
apparmor (2.8.95~2430-0ubuntu5.1) trusty-security; urgency=medium

  * SECURITY UPDATE: An AppArmor profile compilation bug may result in
    applications being confined in a way that is inconsistent with the profile
    author's intent. The compilation bug is specific to certain combinations
    of AppArmor rule types and conditionals of those rule types.
    (LP: #1390592)
    - debian/patches/fix-esc-seq-interp.patch: Fix the profile compilation bug
      by limiting the number of bytes that are consumed when interpreting
      hexadecimal, octal, and decimal escape sequences
    - debian/patches/tests-allow-arbitrary-profile-names.patch,
      debian/patches/tests-add-ptrace-tests-for-lp1390592.patch: Add
      regression tests for the profile compilation bug
    - CVE-2014-1424
 -- Tyler Hicks <email address hidden> Fri, 14 Nov 2014 13:46:22 -0600

Changed in apparmor (Ubuntu Trusty):
status: In Progress → Fix Released
tags: added: amd64
removed: apparmor
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers