'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Fix Released | High | Tyler Hicks |
Bug Description
I was helping a docker user out in #apparmor on OFTC and I think we found a kernel bug in the 14.04 kernel (14.10 kernel seems fine, see below).
Workaround: install the https:/
$ cat /proc/version_
Ubuntu 3.13.0-
Steps to reproduce:
1. adjust /etc/apparmor.
ptrace peer=@{
2. sudo apt-get install docker.io
3. sudo docker pull ubuntu:trusty
4. Run 'ps' inside docker:
$ sudo docker run -i -t ubuntu:trusty bash
root@
...
root@
$
Then observe the following denials on the host, which should have been addressed in the rule added in step 1:
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(141538942
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(141538942
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(141538942
Using 'ptrace peer=docker-
Note, docker is different from most applications in that it embeds its policy inside the docker binary, and this binary, when launched as a daemon (i.e., via the upstart job), will unconditionally write out the policy to /etc/apparmor.
0. install docker.io and pull a trusty image # only has to be done once
1. update /etc/apparmor.
2. sudo stop docker.io # 'docker' on 14.10
3. sudo apparmor_parser -R /etc/apparmor.
4. sudo rm -f /etc/apparmor.
5. sudo start docker.io # 'docker' on 14.10
6. Run 'ps' inside docker:
$ sudo docker run -i -t ubuntu:trusty bash
root@
...
root@
$
(Docker just added a way to specify an alternate existing profile in https:/
Reference: https:/
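The denial lines quoted in the report are truncated, so the following is an added example, not part of the bug report: a small shell filter that picks out ptrace denials in which the confined profile and the peer carry the same profile name. A rule of the form 'ptrace peer=@{profile_name},' is meant to allow exactly those, so any line the filter prints means the rule is not taking effect, which is the symptom this bug describes. The sample log lines are constructed for the example and only assume the usual key="value" layout of type=1400 AppArmor audit messages (operation=, profile=, peer=); the hostname, pids and timestamps are made up.

```shell
#!/bin/sh
# Constructed sample log (not the real lines from the report). Two self-ptrace
# denials from 'ps' under docker-default, one ptrace of an unconfined peer,
# and one unrelated file-open denial.
SAMPLE_LOG='Nov 7 13:43:42 host kernel: [24258.018580] type=1400 audit(1415389422.123:100): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=4242 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov 7 13:43:42 host kernel: [24258.020832] type=1400 audit(1415389422.125:101): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=4242 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov 7 13:43:43 host kernel: [24258.030000] type=1400 audit(1415389423.000:102): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=4243 comm="gdb" requested_mask="trace" denied_mask="trace" peer="unconfined"
Nov 7 13:43:44 host kernel: [24258.040000] type=1400 audit(1415389424.000:103): apparmor="DENIED" operation="open" profile="docker-default" name="/proc/1/mem" pid=4244 comm="cat" requested_mask="r" denied_mask="r"'

# Read audit lines on stdin and print only the ptrace denials whose
# profile="..." and peer="..." values are identical. These are the cases a
# 'ptrace peer=@{profile_name},' rule should have permitted.
self_ptrace_denials() {
    awk '
    /apparmor="DENIED"/ && /operation="ptrace"/ {
        profile = ""; peer = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^profile="/) { profile = $i; sub(/^profile=/, "", profile) }
            if ($i ~ /^peer="/)    { peer = $i;    sub(/^peer=/, "", peer) }
        }
        if (profile != "" && profile == peer) print $0
    }'
}

# Number of self-ptrace denials in the sample; non-zero means the rule is
# not being honoured by the loaded policy.
count_self_ptrace_denials() {
    printf '%s\n' "$SAMPLE_LOG" | self_ptrace_denials | wc -l | tr -d ' '
}

count_self_ptrace_denials
```

On a real host, pipe the output of `journalctl -k` or `/var/log/kern.log` into `self_ptrace_denials` instead of the constructed sample; the filter deliberately ignores ptrace denials against a different peer (for example "unconfined"), because those are not covered by the peer=@{profile_name} rule and are expected to be denied.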
description: updated
tags: added: kernel-da-key trusty
tags: added: amd64; removed: apparmor
I'm fairly certain that this is a parser bug and not a kernel bug. The dfa-states output for the profile "profile XYZ { ptrace peer=@{profile_name}, }" changes between 14.04 and 14.10. Also, I can pull down lp:apparmor and build a parser, on 14.04, that doesn't exhibit the behavior described in this bug report. I'm still trying to narrow down the upstream parser commit(s) that fix this bug.