'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

Bug #1890848 reported by Jamie Strandboge
Affects          Importance   Assigned to
linux (Ubuntu)   Undecided    Unassigned
Xenial           Medium       John Johansen
Bionic           Medium       John Johansen

Bug Description

SRU Justification:

[Impact]
Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
only 'ptrace read' should be required according to 'man namespaces':

"Permission to dereference or read (readlink(2)) these symbolic links
is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
ptrace(2)."

[Fix]

Upstream commit 338d0be437ef10e247a35aed83dbab182cf406a2 fixes ptrace
read check.

[Test Plan]

BugLink contains the source of a binary that reproduces the issue. In
summary, it executes readlink() on /proc/*/ns/*. There's also a policy
that has only 'ptrace read' permission. When the bug is fixed,
execution is allowed.
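The following is an added example, not the reproducer referenced in the BugLink. It performs the same operation the test plan describes, readlink() on /proc/<pid>/ns/<name>, and classifies the outcome so that a run under a profile that grants only 'ptrace read' can be checked: on a fixed kernel the call succeeds; with the bug present the PTRACE_MODE_READ_FSCREDS check fails and the call returns a permission error unless the profile also grants 'ptrace trace'. The command-line interface (pid and namespace name as positional arguments) is this example's own choice, not that of the BugLink binary.

```python
"""Added example (not the BugLink reproducer): readlink() on /proc/<pid>/ns/<name>
and classify the result, so a policy with only 'ptrace read' can be checked."""
import errno
import os
import sys

# Namespace links that exist under /proc/<pid>/ns/ on the kernels discussed here.
NS_NAMES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def ns_link_path(pid, name):
    """Build the /proc path for one namespace symlink; pid may be an int or 'self'."""
    if name not in NS_NAMES:
        raise ValueError(f"unknown namespace {name!r}")
    return f"/proc/{pid}/ns/{name}"


def read_ns_link(pid, name):
    """readlink() the namespace symlink.

    Returns a (status, detail) pair:
      ("ok", "pid:[4026531836]")  the link target
      ("denied", "EACCES")        the kernel's PTRACE_MODE_READ_FSCREDS check
                                  (or the confining AppArmor profile) refused access
      ("missing", "ENOENT")       no such process
    """
    path = ns_link_path(pid, name)
    try:
        return "ok", os.readlink(path)
    except PermissionError as exc:
        return "denied", errno.errorcode[exc.errno]
    except FileNotFoundError as exc:
        return "missing", errno.errorcode[exc.errno]


def parse_ns_target(target):
    """Split a link target such as 'pid:[4026531836]' into ('pid', 4026531836)."""
    kind, sep, rest = target.partition(":[")
    if not sep or not rest.endswith("]"):
        raise ValueError(f"unexpected namespace link target {target!r}")
    return kind, int(rest[:-1])


def main(argv):
    """Usage: python3 readlink_ns.py <pid> <namespace>   (for example: 1 pid)"""
    if len(argv) != 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    pid, name = argv[1], argv[2]
    status, detail = read_ns_link(pid, name)
    print(f"path: {ns_link_path(pid, name)}")
    if status == "ok":
        print(f"rpath: {detail}")
        return 0
    print(f"readlink failed: {detail} ({status})")
    if status == "denied":
        print("hint: the caller needs ptrace read access to the target process; "
              "with this bug present, 'ptrace trace' was required instead")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To exercise the policy side, confine the script with a profile whose only ptrace permission is `ptrace read,` (plus the file and Python runtime rules it needs) and run it against a process outside the profile, as the test plan does with the BugLink binary. A "denied" result on a kernel that is supposed to carry the fix means the read check is still requiring 'trace'.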

[Where problems could occur]

The regression risk can be considered low, since the fix lowers the number
of permissions required. Existing policies that already contain both
'ptrace trace' and 'ptrace read' will simply have a broader policy than
required.

Changed in linux (Ubuntu):
status: New → Fix Released
tags: added: apparmor
Changed in linux (Ubuntu Bionic):
status: New → Confirmed
Changed in linux (Ubuntu Xenial):
status: New → Confirmed
summary: - 'ptrace trace' needed to readlink() /proc/*/ns/* files
+ 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels
Revision history for this message
John Johansen (jjohansen) wrote :

We need to pick the upstream fix

338d0be437ef apparmor: fix ptrace read check

and we should probably pick

1f8266ff5884 (fix-setuid) apparmor: don't try to replace stale label in ptrace access check

to avoid other problems.

Revision history for this message
John Johansen (jjohansen) wrote :

We didn't pick this up automatically because its fixes tag is for when ptrace rules landed upstream. But Ubuntu was carrying ptrace rules prior to this.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks John! Is this something that we can get into the next SRU cycle?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I spoke with John and he plans to SRU this. Marking as triaged and assigning to him. Thanks John!

Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
status: Confirmed → Triaged
Changed in linux (Ubuntu Bionic):
status: Confirmed → Triaged
importance: Undecided → Medium
Changed in linux (Ubuntu Xenial):
assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu Bionic):
assignee: nobody → John Johansen (jjohansen)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, John provided me a test kernel for 18.04 and it resolved the issue. This will be the basis of the SRU.

Revision history for this message
Georgia Garcia (georgiag) wrote :

From the commits mentioned that solve the issue, 338d0be437ef was not available on 4.15 kernels. The cherry-pick was submitted to the kernel team for approval.

description: updated
Revision history for this message
Ian Johnson (anonymouse67) wrote :

Also to be clear, from jjohansen's comment to me last week, all of the necessary patches are available in the 5.4 focal kernel, so kernels for UC20 from canonical snaps should contain this fix on the 20 track.

Changed in linux (Ubuntu Bionic):
status: Triaged → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Revision history for this message
Georgia Garcia (georgiag) wrote :

Tested on bionic-proposed using the test binary that can be obtained in the old description and it worked as expected:

root@ubuntu:~# gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
rpath: pid:[4026531836]
root@ubuntu:~# uname -a
Linux ubuntu 4.15.0-156-generic #163-Ubuntu SMP Thu Aug 19 23:31:58 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

tags: added: verification-done-bionic
removed: verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-156.163

---------------
linux (4.15.0-156.163) bionic; urgency=medium

  * bionic/linux: 4.15.0-156.163 -proposed tracker (LP: #1940162)

  * linux (LP: #1940564)
    - SAUCE: Revert "scsi: core: Cap scsi_host cmd_per_lun at can_queue"

  * fails to launch linux L2 guests on AMD (LP: #1940134) // CVE-2021-3653
    - KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
      (CVE-2021-3653)

  * fails to launch linux L2 guests on AMD (LP: #1940134)
    - SAUCE: Revert "UBUNTU: SAUCE: KVM: nSVM: avoid picking up unsupported bits
      from L2 in int_ctl"

linux (4.15.0-155.162) bionic; urgency=medium

  * bionic/linux: 4.15.0-155.162 -proposed tracker (LP: #1939833)

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.08.16)

  * CVE-2021-3656
    - SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

  * CVE-2021-3653
    - SAUCE: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

  * dev_forward_skb: do not scrub skb mark within the same name space
    (LP: #1935040)
    - dev_forward_skb: do not scrub skb mark within the same name space

  * 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels
    (LP: #1890848)
    - apparmor: fix ptrace read check

  * Bionic update: upstream stable patchset 2021-08-03 (LP: #1938824)
    - ALSA: usb-audio: fix rate on Ozone Z90 USB headset
    - media: dvb-usb: fix wrong definition
    - Input: usbtouchscreen - fix control-request directions
    - net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
    - usb: gadget: eem: fix echo command packet response issue
    - USB: cdc-acm: blacklist Heimann USB Appset device
    - ntfs: fix validity check for file name attribute
    - iov_iter_fault_in_readable() should do nothing in xarray case
    - Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
    - ARM: dts: at91: sama5d4: fix pinctrl muxing
    - btrfs: send: fix invalid path for unlink operations after parent
      orphanization
    - btrfs: clear defrag status of a root if starting transaction fails
    - ext4: cleanup in-core orphan list if ext4_truncate() failed to get a
      transaction handle
    - ext4: fix kernel infoleak via ext4_extent_header
    - ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit
    - ext4: remove check for zero nr_to_scan in ext4_es_scan()
    - ext4: fix avefreec in find_group_orlov
    - ext4: use ext4_grp_locked_error in mb_find_extent
    - can: gw: synchronize rcu operations before removing gw job entry
    - can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in
      TX path
    - SUNRPC: Fix the batch tasks count wraparound.
    - SUNRPC: Should wake up the privileged task firstly.
    - s390/cio: dont call css_wait_for_slow_path() inside a lock
    - rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path
    - iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA
      as volatile, too
    - iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR
    - iio: ltr501: ltr501_read_ps(): add missing endianness con...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This change regressed my apparmor profile for a script I'm working on, which walks over processes using python3-psutil, in bionic.

I have this config in the apparmor profile:

  capability sys_ptrace,
  ptrace trace,

With kernel 4.15.0-154-generic #161 it works.

With kernel 4.15.0-158-generic #166 I get a DENIED error and the script backtraces when reading, for example, /proc/<pid>/fd/0 of some process, with os.readlink():

[ 19.223703] audit: type=1400 audit(1632507704.072:30): apparmor="DENIED" operation="ptrace" profile="/etc/hostos-monitoring/plugins.d/process-monitoring" pid=1098 comm="process-monitor" requested_mask="read" denied_mask="read" peer="unconfined"
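As an added example (not part of the report above), the following parses AppArmor audit records of the kind quoted in the previous comment and, for a ptrace denial, derives the rule that grants exactly the denied mask to the named peer in AppArmor's `ptrace <perms> peer=<label>,` syntax. The first sample line is the record from the comment above; the second is a constructed file-access denial used only to show that non-ptrace records get no ptrace suggestion. Whether adding such a rule is appropriate for a given profile remains a policy decision for the profile author; the tool only makes the denied permission explicit.

```python
"""Added example: parse AppArmor DENIED audit records and derive the exact
ptrace rule that the denied mask corresponds to."""
import re

# Sample records. The first is the line from the comment above; the second is
# a constructed file-access denial used only to show that non-ptrace records
# get no ptrace rule suggestion.
SAMPLE_LINES = [
    '[ 19.223703] audit: type=1400 audit(1632507704.072:30): apparmor="DENIED" '
    'operation="ptrace" profile="/etc/hostos-monitoring/plugins.d/process-monitoring" '
    'pid=1098 comm="process-monitor" requested_mask="read" denied_mask="read" '
    'peer="unconfined"',
    '[ 20.000000] audit: type=1400 audit(1632507705.000:31): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=1200 '
    'comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

# key=value pairs: the value is either "quoted" or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_audit(line):
    """Return the key/value fields of one AppArmor audit record as a dict,
    or None if the line is not a type=1400 (AppArmor) record."""
    fields = {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}
    if fields.get("type") != "1400" or "apparmor" not in fields:
        return None
    return fields


def suggest_ptrace_rule(event):
    """For a ptrace DENIED record, return the rule that grants exactly the
    denied mask to the peer label; None for anything else."""
    if (event is None or event.get("apparmor") != "DENIED"
            or event.get("operation") != "ptrace"):
        return None
    return f'ptrace {event["denied_mask"]} peer={event["peer"]},'


def ptrace_denials(lines):
    """Map profile name -> sorted list of suggested ptrace rules over many records,
    deduplicating repeated denials of the same mask/peer pair."""
    out = {}
    for line in lines:
        event = parse_apparmor_audit(line)
        rule = suggest_ptrace_rule(event)
        if rule:
            out.setdefault(event["profile"], set()).add(rule)
    return {profile: sorted(rules) for profile, rules in out.items()}


if __name__ == "__main__":
    for profile, rules in ptrace_denials(SAMPLE_LINES).items():
        print(profile)
        for rule in rules:
            print("  " + rule)
```

Run against the line quoted above, this yields `ptrace read peer=unconfined,` for the process-monitoring profile, which is the permission the fixed kernel now checks for a readlink() on another process's /proc entries; a profile carrying only `ptrace trace,` does not satisfy that check, as the DENIED record shows.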
