missing apparmor rules

Bug #1658233 reported by Kees Cook on 2017-01-20
This bug affects 13 people
Affects Status Importance Assigned to Milestone
mysql-5.7 (Ubuntu)

Bug Description

Missing from apparmor rules:

  /sys/devices/system/node/ r,
  /sys/devices/system/node/** r,

ChristianEhrhardt (paelzer) wrote :

thank you for your report and your help to make Ubuntu better!

We build with libnuma-dev which should auto-enable https://bugs.mysql.com/bug.php?id=72811.

Might I ask you to describe what effect you see by this missing (other than the Denie in the log) - just to help rating the importance and urgency.

If you happen to brute force it disabled (not recommended in the long run) via
ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
Does it give you any extra capability/feature that was missing before?

The reason I ask is that there are quite often non-fatal denies like that which e.g. do not need an SRU. While at other times they almost disables a feature like it could do to numa in this case.

Changed in mysql-5.7 (Ubuntu):
status: New → Incomplete
Simon Déziel (sdeziel) wrote :

I'm also noticing those on Xenial systems:

audit: type=1400 audit(1485382778.520:28): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/752/status" pid=752 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
audit: type=1400 audit(1485382778.520:29): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=752 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=110 ouid=0

On the affected system, there was no noticeable impact (yet?) other than the denials, so I'd say it's low impact.

On top of the rules mentioned by Kees, adding this one would silence the other denial:

  owner @{PROC}/@{pid}/status r,

Once all 3 rules were added to a test system, no more denials were logged.

Kees Cook (kees) wrote :

I added this to the base profile, since other processes tripped over that one. (It's in a separate bug report)

ChristianEhrhardt (paelzer) wrote :

Thank you Simon and Kees,
I personally would not want it allowed in my base profile - but I'll leave that for the other bug to decide.
We certainly can consider adding it to mysql together with the others.

I feel relieved that the impact seems low, but OTOH that means it likely boils down to a community effort.
So if one wants to provide a debdiff to be reviewed and integrated, please go for it.

Changed in mysql-5.7 (Ubuntu):
status: Incomplete → Confirmed
importance: Undecided → Low
status: Confirmed → Triaged
Simon Déziel (sdeziel) wrote :

The addition of "@{PROC}/@{pid}/status r," is tracked in LP: #1658239.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.