Cannot permit some operations for sssd

Bug #1525119 reported by Aki Tuomi on 2015-12-11
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Undecided
Christian Boltz
2.10
Undecided
Christian Boltz
2.9
Undecided
Christian Boltz
apparmor (Ubuntu)
Low
Tyler Hicks

Bug Description

I am trying to write apparmor profile to match my sssd usage, unfortunately it seems I cannot tell sssd to permit things it needs.

apparmor version 2.8.95~2430-0ubuntu5.3

Description: Ubuntu 14.04.3 LTS
Release: 14.04

The complaints in log:
Dec 11 10:24:07 gw-dc01 kernel: [2214272.643384] type=1400 audit(1449822247.281:21249): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/sssd" pid=7104 comm="apparmor_parser"
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912195] type=1400 audit(1449822247.549:21250): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" pid=7112 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-45"
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912773] type=1400 audit(1449822247.549:21252): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/krb5_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912871] type=1400 audit(1449822247.549:21253): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912878] type=1400 audit(1449822247.549:21254): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/etc/ld.so.cache" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912898] type=1400 audit(1449822247.549:21255): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912909] type=1400 audit(1449822247.549:21256): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912915] type=1400 audit(1449822247.549:21257): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/sssd//null-45" name="/usr/lib/liblwres.so.90.0.7" pid=7112 comm="nsupdate" requested_mask="mr" denied_mask="mr" fsuid=0 ouid=0
Dec 11 10:24:07 gw-dc01 kernel: [2214272.912948] type=1400 audit(1449822247.549:21258): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-45" name="/usr/lib/libdns.so.100.2.2" pid=7112 comm="nsupdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Current profile:
#include <tunables/global>

/usr/sbin/sssd {
  #include <abstractions/base>
  #include <abstractions/kerberosclient>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability dac_override,
  capability dac_read_search,
  capability setgid,
  capability setuid,
  capability sys_nice,

  @{PROC} r,
  @{PROC}/[0-9]*/status r,

  /etc/krb5.keytab k,
  /etc/ldap/ldap.conf r,
  /etc/localtime r,
  /etc/shells r,
  /etc/sssd/sssd.conf r,

  /usr/sbin/sssd rmix,
  /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
  /usr/lib/@{multiarch}/sssd/* rix,

  /tmp/{,.}krb5cc_* rwk,

  /var/lib/sss/* rw,
  /var/lib/sss/db/* rwk,
  /var/lib/sss/pipes/* rw,
  /var/lib/sss/pipes/private/* rw,
  /var/lib/sss/pubconf/* rw,
  /var/log/sssd/* rw,
  /var/tmp/host_* rw,

  /{,var/}run/sssd.pid rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.sssd>
}
# Site-specific additions and overrides for usr.sbin.sssd.
# For more details, please see /etc/apparmor.d/local/README.

capability sys_admin,
capability sys_resource,

network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,

@{PROC}/[0-9]*/net/psched r,

/etc/ld.so.cache r,
/etc/libnl-3/classid r,

/usr/sbin/sssd rmix,
/usr/sbin/sssd/** rmix,
/var/log/sssd/** lkrw,
/var/lib/sss/** lkrw,
/usr/lib/libdns.so.100.2.2 m,
/usr/lib/liblwres.so.90.0.7 m,
/usr/lib/x86_64-linux-gnu/krb5/plugins/authdata/* m,
/usr/lib/x86_64-linux-gnu/samba/ldb/* m,
/var/lib/sss/** lkrw,

Also, running aa-genprof et al crashes:

Reading log entries from /var/log/syslog.
Traceback (most recent call last):
  File "/usr/sbin/aa-genprof", line 155, in <module>
    lp_ret = apparmor.do_logprof_pass(logmark, passno)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2280, in do_logprof_pass
    log = log_reader.read_log(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 353, in read_log
    self.add_event_to_tree(event)
  File "/usr/lib/python3/dist-packages/apparmor/logparser.py", line 261, in add_event_to_tree
    raise AppArmorException(_('Log contains unknown mode %s') % rmask)
apparmor.common.AppArmorException: 'Log contains unknown mode '

Christian Boltz (cboltz) wrote :

Which AppArmor version are you using? (We had some fixes around the "unknown mode", however your error message indicates that rmask could be empty, which would be something new.)

For the crash, please try to find out which log line causes this, and paste or attach it. (Hint: split the log into 2 files, check which one causes the crash, split that again, ...)

Bonus points if you checkout the latest AppArmor from bzr and test if it also crashes (cd $checkout_dir/utils && python3 aa-logprof). If it also crashes, please also attach the bugreport file it creates.

Aki Tuomi (cmouse-desteem) wrote :

The version is, as provided in the initial message,

apparmor version 2.8.95~2430-0ubuntu5.3

Dec 11 10:24:07 gw-dc01 kernel: [2214272.912766] type=1400 audit(1449822247.549:21251): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/sssd//null-45" name="/var/log/sssd/ldap_child.log" pid=7112 comm="nsupdate" requested_mask="" denied_mask="" fsuid=0 ouid=0

I was able to make this all work by creating profile for /usr/bin/nsupdate and adding rule /usr/bin/nsupdate rmpx

I'll try to see if testing latest AppArmor is doable.

Christian Boltz (cboltz) wrote :

Sorry, I overlooked the version in the initial report.

Thanks for the log line!
The empty denied_mask is a) strange and b) basically what I expected based on the error message.

I can reproduce the crash with the latest code and all maintained branches, so you don't need to test yourself ;-)

Christian Boltz (cboltz) wrote :

Patch sent to the mailinglist for review - https://lists.ubuntu.com/archives/apparmor/2015-December/008922.html

I'm quite sure the Ubuntu package is too old to apply just this patch, so you might want to get the latest code from the bzr 2.9 branch and apply it there.

Changed in apparmor:
status: New → In Progress
assignee: nobody → Christian Boltz (cboltz)
Christian Boltz (cboltz) wrote :

Patch commited to bzr (trunk, 2.10 and 2.9 branch)

Changed in apparmor:
status: In Progress → Fix Committed
milestone: none → 2.11
Aki Tuomi (cmouse-desteem) wrote :

I think I'm happy that it's been fixed. I was able to figure out the "root cause" for the troubles, so I don't need aa-genprof and aa-logprof at all for this. It is bit bad though that there is no tool that would just show you the rules it would generate instead of updating profile directory.

Christian Boltz (cboltz) wrote :

You can use aa-logprof and, before saving the changes, use "(v)iew Changes" or "View Changes b/w (C)lean profiles" to see the added rules and also the removed rules that are obsoleted by added rules. Afterwards, abort instead of changing the profiles ;-)

That said - maybe your idea of a tool that translates a log to a list of missing rules isn't that bad. Let me think about it for a while ;-)

Tyler Hicks (tyhicks) on 2016-03-19
Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
status: New → Triaged
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :
Download full text (4.4 KiB)

This bug was fixed in the package apparmor - 2.10.95-0ubuntu1

---------------
apparmor (2.10.95-0ubuntu1) xenial; urgency=medium

  * Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
    - Allow Apache prefork profile to chown(2) files (LP: #1210514)
    - Allow deluge-gtk and deluge-console to handle torrents opened in
      browsers (LP: #1501913)
    - Allow file accesses needed by some programs using libnl-3-200
      (Closes: #810888)
    - Allow file accesses needed on systems that use NetworkManager without
      resolvconf (Closes: #813835)
    - Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
    - Fix aa-logprof(8) crash when operating on files containing multiple
      profiles with certain rules (LP: #1528139)
    - Fix log parsing crashes, in the Python utilities, caused by certain file
      related events (LP: #1525119, LP: #1540562)
    - Fix log parsing crasher, in the Python utilities, caused by certain
      change_hat events (LP: #1523297)
    - Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
      when Python 3 is not available (LP: #1513880)
    - Send aa-easyprof(8) error messages to stderr instead of stdout
      (LP: #1521400)
    - Fix aa-autodep(8) failure when the shebang line of a script contained
      parameters (LP: #1505775)
    - Don't depend on the system logprof.conf when running utils/ build tests
      (LP: #1393979)
    - Fix apparmor_parser(8) bugs when parsing profiles that use policy
      namespaces in the profile declaration or profile transition targets
      (LP: #1540666, LP: #1544387)
    - Regression fix for apparmor_parser(8) bug that resulted in the
      --namespace-string commandline option being ignored causing profiles to
      be loaded into the root policy namespace (LP: #1526085)
    - Fix crasher regression in apparmor_parser(8) when the parser was asked
      to process a directory (LP: #1534405)
    - Fix bug in apparmor_parser(8) to honor the specified bind flags remount
      rules (LP: #1272028)
    - Support tarball generation for Coverity scans and fix a number of issues
      discovered by Coverity
    - Fix regression test failures on s390x systems (LP: #1531325)
    - Adjust expected errno values in changeprofile regression test
      (LP: #1559705)
    - The Python utils gained support for ptrace and signal rules
    - aa-exec(8) received a rewrite in C
    - apparmor_parser(8) gained support for stacking multiple profiles, as
      supported by the Xenial kernel (LP: #1379535)
    - libapparmor gained new public interfaces, aa_stack_profile(2) and
      aa_stack_onexec(2), allowing applications to utilize the new kernel
      stacking support (LP: #1379535)
  * Drop the following patches since they've been incorporated upstream:
    - aa-status-dont_require_python3-apparmor.patch
    - r3209-dnsmasq-allow-dash
    - r3227-locale-indep-capabilities-sorting.patch
    - r3277-update-python-abstraction.patch
    - r3366-networkd.patch,
    - tests-fix_sysctl_test.patch
    - parser-fix-cache-file-mtime-regression.patch
    - parser-verify-cache-file-mtime.patch
    - parser-run-caching-tests-without-apparmorfs.patch
    - pa...

Read more...

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released
Christian Boltz (cboltz) on 2017-01-10
Changed in apparmor:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers