PermissionError for AppArmor Profiles i.e., SSH

Bug #1865450 reported by Shaheena Kazi
Affects: apparmor (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

I have created an AppArmor profile for SSH.
The profile is created successfully but each time I run aa-logprof it gives PermissionError: [Errno 13]

An example of the error:
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 35, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 150, in cmd_enforce
    apparmor.set_enforce(profile, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 293, in set_enforce
    change_profile_flags(filename, program, 'complain', False)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 704, in change_profile_flags
    set_profile_flags(filename, program, newflags)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 753, in set_profile_flags
    os.rename(temp_file.name, prof_filename)
PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/usr.sbin.tcpdumpwvx1h0xl~' -> '/etc/apparmor.d/usr.sbin.tcpdump'
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Traceback (most recent call last):
  File "/usr/sbin/aa-logprof", line 50, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1824, in do_logprof_pass
    save_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 1921, in save_profiles
    write_profile_ui_feedback(profile_name)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3404, in write_profile_ui_feedback
    write_profile(profile)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3413, in write_profile
    newprof = tempfile.NamedTemporaryFile('w', suffix='~', delete=False, dir=profile_dir)
  File "/usr/lib/python3.5/tempfile.py", line 688, in NamedTemporaryFile
    (fd, name) = _mkstemp_inner(dir, prefix, suffix, flags, output_type)
  File "/usr/lib/python3.5/tempfile.py", line 399, in _mkstemp_inner
    fd = _os.open(file, flags, 0o600)
PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/tmpujtge2jq~'

An unexpected error occurred!

For details, see /tmp/apparmor-bugreport-5qnjyx3t.txt
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
root@protegrity-framework314:/var/www# aa-complain /etc/apparmor.d/*
Profile for /etc/apparmor.d/abstractions not found, skipping
Profile for /etc/apparmor.d/apache2.d not found, skipping
Setting /etc/apparmor.d/bin.ping to complain mode.
Profile for /etc/apparmor.d/cache not found, skipping
Profile for /etc/apparmor.d/disable not found, skipping
Setting /etc/apparmor.d/etc.opt.Cluster.cluster_config.status.xml to complain mode.
Setting /etc/apparmor.d/etc.opt.Cluster.cluster_config.xml to complain mode.
Traceback (most recent call last):
  File "/usr/sbin/aa-complain", line 35, in <module>
    tool.cmd_complain()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 165, in cmd_complain
    apparmor.set_complain(profile, program)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 286, in set_complain
    change_profile_flags(filename, program, 'complain', True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 704, in change_profile_flags
    set_profile_flags(filename, program, newflags)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 720, in set_profile_flags
    temp_file = tempfile.NamedTemporaryFile('w', prefix=prof_filename, suffix='~', delete=False, dir=profile_dir)
  File "/usr/lib/python3.5/tempfile.py", line 688, in NamedTemporaryFile
    (fd, name) = _mkstemp_inner(dir, prefix, suffix, flags, output_type)
  File "/usr/lib/python3.5/tempfile.py", line 399, in _mkstemp_inner
    fd = _os.open(file, flags, 0o600)
PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/etc.opt.Cluster.cluster_config.xml7m7t4rvb~'

An unexpected error occurred!

For details, see /tmp/apparmor-bugreport-oe_mo879.txt
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Secondly, once I accept this denial, AppArmor repeatedly gives similar denials for almost every profile.

I am using a security product and running it on Debian 9.
root@protegrity:/var/www# cat /etc/debian_version
9.9

I expect that these denials should not occur repeatedly.

Please do check.

Tags: apparmor
Shaheena Kazi (shaheenakazi) wrote :

Also, I am creating/ running as root.

tags: added: apparmor
John Johansen (jjohansen) wrote :

AppArmor does not currently cache denials except for an extremely limited dedup for capabilities. Currently AppArmor is relying on the audit subsystem's rate limiting for its logging, which you have rightly noted is insufficient.

AppArmor will continue to report a denial for the error until the profile is reloaded. genprof/logprof should do this when you save but I am pretty sure that is not happening in this case, given the other errors you are seeing.

You can manually reload the profile by doing

  sudo apparmor_parser -r /path/to/profile_name

A better apparmor specific dedup cache is in development but it won't land upstream until the 5.7 or 5.8 kernels.

As for the permission error, I am not sure what is going on, but it appears that part of the problem is that the tools are not configured correctly. They are looking in /etc/apparmor.d and not finding what they are looking for:

  > Profile for /etc/apparmor.d/abstractions not found, skipping
  > Profile for /etc/apparmor.d/apache2.d not found, skipping
  > Setting /etc/apparmor.d/bin.ping to complain mode.
  > Profile for /etc/apparmor.d/cache not found, skipping
  > Profile for /etc/apparmor.d/disable not found, skipping

I know Debian has the cache configured to /var/cache/apparmor, so looking in /etc/apparmor.d for the cache is not right.

The failure to create the tmp file as root is interesting. How is your /etc/ mounted?
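
A small diagnostic that reproduces the two operations the aa-* tools perform on the profile directory (create a temp file beside the profile, then treat each entry as a profile), added here as an example and not part of AppArmor or this bug's attachments; the directory is passed as an argument, and the probe file name is my own:

```shell
#!/bin/sh
# Added diagnostic (not AppArmor code): check the profile directory the way
# aa-logprof/aa-complain use it and report which step fails.
# Usage: sh check_profile_dir.sh /etc/apparmor.d

profile_dir_check() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
    # Which filesystem holds the directory, and with which options (ro? overlay?)
    if command -v findmnt >/dev/null 2>&1; then
        findmnt -n -o SOURCE,FSTYPE,OPTIONS --target "$dir"
    fi
    # The tools create a temp file in this directory and rename it over the
    # profile; an unwritable mount fails right here with the reported
    # PermissionError, even for root.
    if probe=$(mktemp "$dir/.probeXXXXXX" 2>/dev/null); then
        rm -f "$probe"
        echo "writable: $dir"
        return 0
    fi
    echo "NOT writable: $dir (temp-file creation failed, as in the report)"
    return 1
}

list_profiles() {
    # "aa-complain /etc/apparmor.d/*" also receives abstractions/, cache/ and
    # disable/; only regular files are profiles, directories are the entries
    # reported as "not found, skipping".
    for entry in "$1"/*; do
        if [ -f "$entry" ]; then
            echo "profile $entry"
        elif [ -d "$entry" ]; then
            echo "skip    $entry (directory, not a profile)"
        fi
    done
}

reload_profile() {
    # The manual reload suggested above, so stale denials stop being reported.
    apparmor_parser -r "$1"
}

if [ -n "${1:-}" ]; then
    profile_dir_check "$1"
    list_profiles "$1"
fi
```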

Seth Arnold (seth-arnold) wrote : Re: [Bug 1865450] [NEW] PermissionError for AppArmor Profiles i.e., SSH

On Mon, Mar 02, 2020 at 09:15:56AM -0000, Shaheena Kazi wrote:
> Public bug reported:
>
> I have created an AppArmor profile for SSH.

ssh server or ssh client?

What profile transitions did you put into your profile?

> The profile is created successfully but each time I run aa-logprof it gives PermissionError: [Errno 13]
> PermissionError: [Errno 13] Permission denied: '/etc/apparmor.d/usr.sbin.tcpdumpwvx1h0xl~' -> '/etc/apparmor.d/usr.sbin.tcpdump'

Do you get an apparmor DENIED entry in your log for this?

Thanks

Shaheena Kazi (shaheenakazi) wrote :

Thanks John. It was a capability issue i.e., adding the CAP_MKNOD fixed the problems and I don't see the never ending denials anymore. :)
