Comment 21 for bug 1872175

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

In the meantime I also was able to track down that sys_ptrace was for fusercount.
So no adding that was ok, since it triggers only a few times (even seems to be only once per reboot) I'm not sure about adding a denial - it is not as log-filling as the other case was.

I further debugged for the dac_read_search as jdstrand asked for.
Yes, it also is from the fusercount search and can be dropped.

I tried various setups and got cases with up to 3x dac_read_search and 3x sys_ptrace.
Sometimes it also triggers dac_override.
All of that belongs to fusercount and can be blocked without a functional drawback.

I further found that it will hit two more cap checks on a clean setup after reboot:

apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=8783 comm="gpsd" capability=16 capname="sys_module"

Those two are when gpsd starts and `pps_ldisc` isn't loaded yet.
Interestingly enough it is able to load it despite the denials.
That is because the kernel implicitly loads it on pps creation.
So we can deny the general capability to load/unload modules for the gpsd process and not lose functionality nor get the log filled every time.

Ok, so as final result we have the following rules, which will have no log-filling denials and allow working with PPS devices just nicely (until we find a very special other device that behaves differently).

1. flags
/usr/sbin/gpsd flags=(attach_disconnected) {

2. rules
 # required for pps initialization
 capability sys_time,
 /sys/devices/virtual/pps/ r,

 # to submit data to chrony
 ptrace read peer=/usr/sbin/chronyd,

 # for libusb
 /sys/devices/**/usb[0-9]*/** r,

 # triggered on fusercount, not strictly required and unsafe to allow
 # adding a denial rule silences the warnings
 deny ptrace read peer=unconfined,
 deny capability sys_ptrace,
 deny capability dac_read_search,
 deny capability dac_override,

 # gpsd tries to load pps_ldisc directly, but gpsd doesn't need
 # the general power of sys_module, pps_ldisc is auto-loaded
 # by the kernel when gpsd is creating the pps device
 deny capability sys_module,
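Added example (not code from this comment or from gpsd): a small Python checker that reads audit lines in the format quoted above and tags each DENIED capability/ptrace event with what the profile fragment says about it, so a profile author can tell silenced-by-design denials (explicit deny rule) from stale-profile denials (rule already allows it) and from events still needing a decision. The audit lines below are constructed (only the sys_module one is from the comment), and the capability numbers and the `operation="ptrace"` field names are assumptions about the log format.

```python
import re
from collections import Counter
# Rules from this comment (file rules omitted; only capability/ptrace rules matter here).
PROFILE_RULES = """\
 capability sys_time,
 ptrace read peer=/usr/sbin/chronyd,
 deny ptrace read peer=unconfined,
 deny capability sys_ptrace,
 deny capability dac_read_search,
 deny capability dac_override,
 deny capability sys_module,
"""
# Constructed audit lines in the quoted format (the first one is the line from the comment).
SAMPLE_LOG = """\
apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=8783 comm="gpsd" capability=16 capname="sys_module"
apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=8783 comm="gpsd" capability=19 capname="sys_ptrace"
apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=8783 comm="gpsd" capability=25 capname="sys_time"
apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=8783 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined"
apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=8783 comm="gpsd" capability=12 capname="net_admin"
apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/gpsd" pid=1 comm="apparmor_parser"
"""

RULE_RE = re.compile(r'^\s*(deny\s+)?(capability|ptrace)\s+(.*?),\s*$', re.M)
KV_RE = re.compile(r'(\w+)="?([^"\s]*)"?')

def parse_profile(text):
    # Map (kind, target) -> 'allow' | 'deny' for capability and ptrace rules.
    rules = {}
    for deny, kind, rest in RULE_RE.findall(text):
        m = re.search(r'peer=(\S+)', rest)
        target = rest.strip() if kind == 'capability' else (m.group(1) if m else '*')
        rules[(kind, target)] = 'deny' if deny else 'allow'
    return rules

def parse_denial(line):
    # (kind, target) for a DENIED capable/ptrace event, else None.
    f = dict(KV_RE.findall(line))
    if f.get('apparmor') != 'DENIED' or f.get('operation') not in ('capable', 'ptrace'):
        return None
    return ('capability', f['capname']) if f['operation'] == 'capable' else ('ptrace', f.get('peer', '*'))

def classify_denials(log_text, profile_text):
    # 'deny': explicit deny rule present, event is silenced once the profile is reloaded
    # 'allow': profile allows it, so a logged denial means the loaded profile is stale
    # 'unhandled': no rule yet; needs a decision (allow, or explicit deny if not required)
    rules = parse_profile(profile_text)
    counts = Counter(e for e in map(parse_denial, log_text.splitlines()) if e)
    return {e: (rules.get(e, 'unhandled'), n) for e, n in counts.items()}
```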