AppArmor complain doesn't always allow requested accesses, doesn't log errors

Bug #748656 reported by Seth Arnold
Affects                    Status         Importance   Assigned to     Milestone
Linux                      Fix Released   Undecided    auto-apparmor
linux (Ubuntu)             Fix Released   Undecided    John Johansen
  Lucid                    Won't Fix      Undecided    John Johansen
  Maverick                 Invalid        Undecided    John Johansen
  Natty                    Fix Released   Undecided    John Johansen
linux-ti-omap4 (Ubuntu)    Fix Released   Undecided    Unassigned
  Lucid                    Invalid        Undecided    Unassigned
  Maverick                 Invalid        Undecided    Unassigned
  Natty                    Fix Released   Undecided    Unassigned

Bug Description

SRU Justification:

    Impact: Can result in confined application failure with no information logged on how to fix the problem.
    Fix: Do not mask the capabilities returned by capget when in complain mode, this allows the application
         to progress as expected and request the capabilities it will need.

         Patch from upstream AppArmor, backported for Lucid and Maverick.
    Testcase: Run the attached C test program as root. When run unconfined it will output a hex number corresponding to the effective caps of root. Confine the application with a profile in complain mode using aa-genprof /path/to/test/program. On an unpatched kernel it will return 0 as its capability set; on a patched kernel it will return the same capability set as the unconfined run.

Problem was discovered in both upstream kernel and in Ubuntu Natty beta kernels. The problem is a regression from Ubuntu Maverick and earlier releases.

When creating a profile for openssh-server, sshd, using the standard AppArmor profile development tools, a _partial_ profile is created and loaded correctly. When trying to iterate the development of the profile, I found that I was unable to log in to the machine via sshd, even though the AppArmor profile had flags=(complain,) at the beginning.

Removing the profile using apparmor_parser --remove /etc/apparmor.d/usr.sbin.sshd allowed the logins to succeed. Reloading the profile and restarting sshd recreates the problem.

The logfiles don't show any REJECT messages; a handful of ALLOWED messages are printed early on, but then _no_ log entries are generated.

The client quits with "broken pipe" errors.
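The C test program attached to the report is not reproduced on this page. The program below is an added example (not the attachment, and not AppArmor project code) that performs the same check: it reads the calling thread's effective and permitted sets with the raw capget(2) syscall and prints them in hex. It goes one step further than the testcase describes: when the hex value from the unconfined run is passed as argv[1], it lists every bit the confined run lost, in AppArmor rule syntax, which turns the one-by-one workaround from the comments into a single diff. The short capability-name table and the rule-output format are my choices, not something the page specifies.

```c
/* capprobe.c - added example, not the attachment from the bug report.
 * Build: gcc -Wall -o capprobe capprobe.c
 * 1. Run unconfined as root and note the effective set it prints.
 * 2. Confine it with a complain-mode profile (aa-genprof /path/to/capprobe).
 * 3. Run it again, passing the hex from step 1 as argv[1]. On a fixed kernel
 *    nothing is reported missing; on an affected kernel every bit is. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Fetch the calling thread's effective and permitted sets via capget(2),
 * the same query sshd makes before deciding how to behave.
 * Returns 0 on success, -1 on failure (errno set by the syscall). */
static int read_caps(uint64_t *effective, uint64_t *permitted)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                          /* 0 selects the calling thread */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    /* v3 splits each 64-bit set across two 32-bit words; index 0 is low. */
    *effective = ((uint64_t)data[1].effective << 32) | data[0].effective;
    *permitted = ((uint64_t)data[1].permitted << 32) | data[0].permitted;
    return 0;
}

/* AppArmor rule names for capabilities a daemon like sshd commonly needs
 * (table constructed for this example); other bits fall back to the number. */
static const char *cap_name(int cap)
{
    switch (cap) {
    case CAP_CHOWN:            return "chown";
    case CAP_DAC_OVERRIDE:     return "dac_override";
    case CAP_KILL:             return "kill";
    case CAP_SETGID:           return "setgid";
    case CAP_SETUID:           return "setuid";
    case CAP_NET_BIND_SERVICE: return "net_bind_service";
    case CAP_SYS_CHROOT:       return "sys_chroot";
    case CAP_SYS_RESOURCE:     return "sys_resource";
    case CAP_AUDIT_WRITE:      return "audit_write";
    default:                   return NULL;
    }
}

/* Compare the unconfined and confined effective sets. Each bit present
 * unconfined but absent confined is written to `out` as a ready-to-paste
 * profile rule such as "capability setuid,". Returns the number of missing
 * bits; a complain-mode profile on a fixed kernel should give 0. */
static int missing_caps(uint64_t unconfined, uint64_t confined,
                        char *out, size_t outlen)
{
    uint64_t missing = unconfined & ~confined;
    int count = 0;
    size_t used = 0;

    if (outlen)
        out[0] = '\0';
    for (int cap = 0; cap < 64; cap++) {
        if (!(missing & (1ULL << cap)))
            continue;
        count++;
        const char *name = cap_name(cap);
        int n = name
            ? snprintf(out + used, outlen - used, "capability %s,\n", name)
            : snprintf(out + used, outlen - used, "capability <%d>,\n", cap);
        if (n > 0 && (size_t)n < outlen - used)
            used += (size_t)n;
    }
    return count;
}

int main(int argc, char **argv)
{
    uint64_t eff, perm;

    if (read_caps(&eff, &perm) != 0) {
        perror("capget");
        return 1;
    }
    printf("effective=%#llx permitted=%#llx\n",
           (unsigned long long)eff, (unsigned long long)perm);
    if (argc > 1) {                       /* argv[1]: hex from the unconfined run */
        uint64_t baseline = strtoull(argv[1], NULL, 16);
        char rules[1024];
        int n = missing_caps(baseline, eff, rules, sizeof rules);
        printf("%d capability bit(s) masked by confinement\n%s", n, rules);
    }
    return 0;
}
```

Because the probe only reads its capability sets and never exercises a privileged operation, it reproduces exactly the silent failure the comments describe: AppArmor logs nothing for the capget, so the comparison of the two runs is the only evidence of the masking.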

Tags: patch
Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu Maverick):
assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu Lucid):
assignee: nobody → John Johansen (jjohansen)
John Johansen (jjohansen) wrote :

This is being caused by the apparmor profile masking the capability set, even in complain mode. sshd is requesting the capability set and then modifying its behavior based on the reduced capability set, and then DAC does the actual reject.

AppArmor doesn't generate any messages hinting at this because,
1. the task checking its capability set is not a privileged operation (it is just masked)
2. sshd is modifying its behavior based on the retrieved capability set and does not ask for or try to use the capabilities it requires, so apparmor does not generate a log message recording which capabilities are needed.

This problem can be worked around by adding capabilities to the profile one by one, reloading the profile, and testing whether the behavior has changed.

It is fixed by not masking the read capability set of the task in complain mode as the task should effectively have all capabilities. Patch attached, and test kernel at

kernel.ubuntu.com/~jj/linux-image-2.6.38-8-generic_2.6.38-8.40~sarnold_amd64.deb

Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Natty):
status: New → Fix Committed
John Johansen (jjohansen) wrote :

Note: this bug does affect Lucid and Maverick code. It appears that sshd has been updated in such a way that this bug is triggered in Natty with natty sshd.

description: updated
Seth Arnold (seth-arnold) wrote :

John, thanks so much! I can confirm that I'm able to reliably develop profiles for sshd now! The ALLOWED and DENIED lines from the kernel once again line up with reality.

In addition, I've been running this kernel for several days doing more mundane things, and haven't noticed any new regressions with this kernel.

Thanks again John!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.38-8.42

---------------
linux (2.6.38-8.42) natty; urgency=low

  [ David Henningsson ]

  * SAUCE: (drop after 2.6.38) ALSA: HDA: Fix dock mic for Lenovo
    X220-tablet
    - LP: #751033

  [ Gustavo F. Padovan ]

  * SAUCE: Revert "Bluetooth: Add new PID for Atheros 3011"
    - LP: #720949

  [ Herton Ronaldo Krzesinski ]

  * SAUCE: (drop after 2.6.39) v4l: make sure drivers supply a zeroed
    struct v4l2_subdev
    - LP: #745213

  [ John Johansen ]

  * AppArmor: Fix masking of capabilities in complain mode
    - LP: #748656

  [ Leann Ogasawara ]

  * [Config] Disable CONFIG_RTS_PSTOR for armel, powerpc

  [ Manoj Iyer ]

  * SAUCE: (drop after 2.6.38) add support for Lenovo tablet ID (0xE6)
    - LP: #746652

  [ Steve Langasek ]

  * [Config] Make linux-libc-dev coinstallable under multiarch
    - LP: #750585

  [ Tim Gardner ]

  * [Config] CONFIG_RTS_PSTOR=m
    - LP: #698006

  [ Upstream Kernel Changes ]

  * Revert "tcp: disallow bind() to reuse addr/port"
    - LP: #731878
  * ALSA: HDA: Add dock mic quirk for Lenovo Thinkpad X220
    - LP: #746259
  * ALSA: HDA: New AD1984A model for Dell Precision R5500
    - LP: #741516
  * Input: sparse-keymap - report scancodes with key events
  * Input: sparse-keymap - report KEY_UNKNOWN for unknown scan codes
  * KVM: SVM: Load %gs earlier if CONFIG_X86_32_LAZY_GS=n
    - LP: #729085
  * watchdog: sp5100_tco.c: Check if firmware has set correct value in
    tcobase.
    - LP: #740011
  * staging: add rts_pstor for Realtek PCIE cardreader
    - LP: #698006
  * staging: fix rts_pstor build errors
    - LP: #698006
  * Staging: rts_pstor: fixed some brace code styling issues
    - LP: #698006
  * staging: rts_pstor: potential NULL dereference
    - LP: #698006
  * Staging: rts_pstor: fix read past end of buffer
    - LP: #698006
  * staging: rts_pstor: delete a function
    - LP: #698006
  * staging: rts_pstor: fix sparse warning
    - LP: #698006
  * staging: rts_pstor: fix a bug that a greenhouse sd card can't be
    recognized
    - LP: #698006
  * staging: rts_pstor: optimize kmalloc to kzalloc
    - LP: #698006
  * staging: rts_pstor: MSXC card power class
    - LP: #698006
  * staging: rts_pstor: modify initial card clock
    - LP: #698006
  * staging: rts_pstor: set lun_mode in a different place
    - LP: #698006
  * x86, hibernate: Initialize mmu_cr4_features during boot
    - LP: #752870
 -- Leann Ogasawara <email address hidden> Fri, 08 Apr 2011 09:24:59 -0700

Changed in linux (Ubuntu Natty):
status: Fix Committed → Fix Released
Tim Gardner (timg-tpi)
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Maverick):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Natty):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ti-omap4 - 2.6.38-1209.15

---------------
linux-ti-omap4 (2.6.38-1209.15) natty-proposed; urgency=low

  * Release tracking bug
    - LP: #837761

  [ Paolo Pisati ]

  * [Config] Turn on CONFIG_USER_NS and DEVPTS_MULTIPLE_INSTANCES.
    - LP: #787749

  [ Tim Gardner ]

  * [Config] Add enic/fnic to nic-modules udeb, CVE-2011-1020
    - LP: #801610

  [ Upstream Kernel Changes ]

  * mpt2sas: prevent heap overflows and unchecked reads
    - LP: #780546
  * agp: fix arbitrary kernel memory writes
    - LP: #775809
  * can: add missing socket check in can/raw release
    - LP: #780546
  * agp: fix OOM and buffer overflow
    - LP: #775809
  * bonding: Incorrect TX queue offset, CVE-2011-1581
    - LP: #792312
    - CVE-2011-1581
  * fs/partitions/efi.c: corrupted GUID partition tables can cause kernel
    oops
    - LP: #795418
    - CVE-2011-1577
  * can: Add missing socket check in can/bcm release.
    - LP: #796502
    - CVE-2011-1598
  * USB: ehci: remove structure packing from ehci_def
    - LP: #791552
  * taskstats: don't allow duplicate entries in listener mode,
    CVE-2011-2484
    - LP: #806390
    - CVE-2011-2484
  * ext4: init timer earlier to avoid a kernel panic in __save_error_info,
    CVE-2011-2493
    - LP: #806929
    - CVE-2011-2493
  * dccp: handle invalid feature options length, CVE-2011-1770
    - LP: #806375
    - CVE-2011-1770
  * pagemap: close races with suid execve, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * report errors in /proc/*/*map* sanely, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * close race in /proc/*/environ, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * auxv: require the target to be tracable (or yourself), CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * deal with races in /proc/*/{syscall, stack, personality}, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * rose: Add length checks to CALL_REQUEST parsing, CVE-2011-1493
    - LP: #816550
    - CVE-2011-1493
  * GFS2: make sure fallocate bytes is a multiple of blksize, CVE-2011-2689
    - LP: #819572
    - CVE-2011-2689
  * Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
    - LP: #819569
    - CVE-2011-2492
  * Add mount option to check uid of device being mounted = expect uid,
    CVE-2011-1833
    - LP: #732628
    - CVE-2011-1833
  * ipv6: make fragment identifications less predictable, CVE-2011-2699
    - LP: #827685
    - CVE-2011-2699
  * perf: Fix software event overflow, CVE-2011-2918
    - LP: #834121
    - CVE-2011-2918
  * proc: fix oops on invalid /proc/<pid>/maps access, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020

linux-ti-omap4 (2.6.38-1209.13) natty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #772381

  [ Brad Figg ]

  * Ubuntu-2.6.38-9.43

  [ Bryan Wu ]

  * merge Ubuntu-2.6.38-9.43
  * cherry-pick 6 patches from u2 of 'for-ubuntu' branch
  * [Config] Sync up configs for 2.6.38.4

  [ Herton Ronaldo Krzesinski ]

  * SAUCE: Revert "x86, hibernate: Initialize mmu_cr4_features during boot"
    - LP: #764758

  [ Leann Ogasawara ]

  * [Config] updateconfigs for 2.6.38.4

  [ Paolo Pisati ]

  * [Conf...

Changed in linux-ti-omap4 (Ubuntu Natty):
status: Fix Committed → Fix Released
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "lp748656.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Paolo Pisati (p-pisati)
Changed in linux-ti-omap4 (Ubuntu):
status: Fix Committed → Fix Released
Julian Wiedmann (jwiedmann) wrote :

This release has reached end-of-life [0].

[0] https://wiki.ubuntu.com/Releases

Changed in linux (Ubuntu Maverick):
status: New → Invalid
Mathew Hodson (mhodson)
Changed in linux:
status: New → Fix Released
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in linux (Ubuntu Lucid):
status: New → Won't Fix