cross namespace ptrace should not be rejected by AppArmor

Bug #439560 reported by Jamie Strandboge
This bug affects 1 person
Affects: linux (Ubuntu)
Assigned to: John Johansen

Bug Description

Today when doing ISO testing I had one lone rejection:
type=APPARMOR_DENIED msg=audit(1254335664.040:117): operation="ptrace" info="different namespaces" error=-1 pid=2800 parent=1 profile="/usr/sbin/libvirtd" tracer=2800 tracee=32721

I am not sure how to reproduce this, but I think that the libvirtd daemon tried to ptrace a kvm process because of the way I killed off the VM. Bottom line, libvirtd is in one namespace and all the confined VMs are in others. It doesn't appear to be a huge issue right now, but should be addressed in Ubuntu 10.04. If it causes problems in 9.10, we can SRU the fix.
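
When triaging audit logs, denials of this kind can be told apart from other AppArmor rejections by the operation and info fields of the record. The Python below is an added example, not part of the original bug report or of AppArmor's tooling; the function names are hypothetical, and the second and third sample lines are constructed for contrast.

```python
import re
import shlex

# Constructed sample input. Line 1 is the denial quoted in the report; lines 2-3
# are made-up records (a file denial and a non-AppArmor event) for contrast.
SAMPLE_LOG = [
    'type=APPARMOR_DENIED msg=audit(1254335664.040:117): operation="ptrace" '
    'info="different namespaces" error=-1 pid=2800 parent=1 '
    'profile="/usr/sbin/libvirtd" tracer=2800 tracee=32721',
    'type=APPARMOR_DENIED msg=audit(1254335670.512:118): operation="open" '
    'pid=2800 parent=1 profile="/usr/sbin/libvirtd" name="/tmp/constructed"',
    'type=USER_LOGIN msg=audit(1254335675.001:119): pid=3001 uid=0 res=success',
]

HEADER = re.compile(
    r'type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)')


def parse_denial(line):
    """Return the fields of one APPARMOR_DENIED record, or None for other lines."""
    m = HEADER.match(line.strip())
    if m is None or m.group("type") != "APPARMOR_DENIED":
        return None
    fields = {"timestamp": m.group("ts"), "serial": int(m.group("serial"))}
    # shlex keeps quoted values with spaces (info="different namespaces") intact.
    for token in shlex.split(m.group("body")):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def cross_namespace_ptrace(lines):
    """Select ptrace denials whose stated reason is the namespace mismatch."""
    hits = []
    for line in lines:
        rec = parse_denial(line)
        if (rec and rec.get("operation") == "ptrace"
                and rec.get("info") == "different namespaces"):
            hits.append({
                "serial": rec["serial"],
                "profile": rec.get("profile"),
                "tracer": int(rec.get("tracer", -1)),
                "tracee": int(rec.get("tracee", -1)),
                # True when the confined task itself was the tracer.
                "subject_is_tracer": rec.get("pid") == rec.get("tracer"),
            })
    return hits
```

On the sample input only the record from the report is selected, with `/usr/sbin/libvirtd` as the profile and the confined task (pid 2800) as the tracer.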

Jamie Strandboge (jdstrand) wrote :

Assigning to John per IRC discussion.

Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → Medium
milestone: none → later
status: New → Triaged
John Johansen (jjohansen) wrote :

This can be reproduced by using the clone syscall with the CLONE_NEWNS flag set and then either parent or child doing a ptrace on the other.

John Johansen (jjohansen) wrote :

The easiest fix for this is just disabling this specific part of the ptrace test. The test isn't strictly necessary but is rather a legacy artifact from how earlier versions applied ptrace. The test is being removed in future versions, which have extended ptrace rules.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-14.19

linux (2.6.32-14.19) lucid; urgency=low

  [ Andy Whitcroft ]

  * ensure we build the source package contents when enabled
    - LP: #522308
  * [Config] enable CONFIG_X86_MCE_XEON75XX
  * SAUCE: AppArmor -- add linux/kref.h for struct kref
  * [Config] enable CONFIG_HID_ORTEK
  * enable udeb generation for arm versatile flavour
    - LP: #522515

  [ John Johansen ]

  * ubuntu: AppArmor -- update to mainline 2010-02-18
    - LP: #439560, #496110, #507069

  [ Johnathon Harris ]

  * SAUCE: HID: add support for Ortek WKB-2000
    - LP: #405390

  [ Upstream Kernel Changes ]

  * tpm_tis: TPM_STS_DATA_EXPECT workaround
    - LP: #490487
  * x86, mce: Xeon75xx specific interface to get corrected memory error
  * x86, mce: Rename cpu_specific_poll to mce_cpu_specific_poll
  * x86, mce: Make xeon75xx memory driver dependent on PCI
  * drm/edid: Unify detailed block parsing between base and extension
    - LP: #500999
  * (pre-stable) eCryptfs: Add getattr function
    - LP: #390833
 -- Andy Whitcroft <email address hidden> Thu, 18 Feb 2010 19:22:02 +0000

Changed in linux (Ubuntu):
status: Triaged → Fix Released
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lucid' to 'verification-done-lucid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-lucid