AppArmor denials for rsyslog

Bug #2009230 reported by Georgia Garcia
This bug affects 1 person
Affects                               Status        Importance  Assigned to  Milestone
gce-compute-image-packages (Ubuntu)   New           Undecided   Unassigned
  Lunar                               New           Undecided   Unassigned
rsyslog (Ubuntu)                      Fix Released  Undecided   Unassigned
  Lunar                               Fix Released  Undecided   Unassigned

Bug Description

The AppArmor profile for rsyslog, which had been disabled on previous Ubuntu versions, was enabled in lunar.

The package google-compute-engine added a config file to rsyslog which requires rw access to /dev/console.

google:ubuntu-23.04-64 /root# cat /etc/rsyslog.d/90-google.conf
# Google Compute Engine default console logging.
#
# daemon: logging from Google provided daemons.
# kern: logging information in case of an unexpected crash during boot.
#
daemon,kern.* /dev/console

google:ubuntu-23.04-64 /root# apt-file search /etc/rsyslog.d/90-google.conf
google-compute-engine: /etc/rsyslog.d/90-google.conf

So in gce cloud images, we are getting the following denials:

[ 1500.302082] audit: type=1400 audit(1677876883.728:495): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/dev/console" pid=603 comm=72733A6D61696E20513A526567 requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0

To fix it, we just need to add
  /dev/console rw,
to /etc/apparmor.d/usr.sbin.rsyslogd

or the same permission should be added to a file in /etc/apparmor.d/rsyslog.d/ by the google-compute-engine package
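
The denial quoted in this report, decoded and turned into a candidate profile rule. This is an added example, not part of the original report or of the AppArmor tooling; the function names are made up here, and folding the create/delete mask letters into `w` is this example's assumption about how log masks map to rule permissions.

```python
import re

# Line 1 is the denial quoted in this report; line 2 is a constructed non-denial.
SAMPLE_LINES = [
    '[ 1500.302082] audit: type=1400 audit(1677876883.728:495): apparmor="DENIED" '
    'operation="open" class="file" profile="rsyslogd" name="/dev/console" pid=603 '
    'comm=72733A6D61696E20513A526567 requested_mask="ac" denied_mask="ac" fsuid=101 ouid=0',
    '[ 1500.400000] audit: type=1400 audit(1677876883.800:496): apparmor="ALLOWED" '
    'operation="open" class="file" profile="rsyslogd" name="/var/log/syslog" pid=603 '
    'comm="rsyslogd" requested_mask="ac" denied_mask="ac" fsuid=101 ouid=104',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in ("comm", "name") and HEX_RE.fullmatch(raw):
            # Unquoted hex: audit encodes strings with spaces, quotes or
            # non-printable bytes this way (here the rsyslog thread name).
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields

def rule_perms(mask):
    """Map a denied_mask to file-rule permissions (exec modes not handled)."""
    perms = "r" if "r" in mask else ""
    if set(mask) & set("wcd"):
        perms += "w"  # assumption: create/delete fold into w, which also covers a
    elif "a" in mask:
        perms += "a"
    return perms + "".join(p for p in "lkm" if p in mask)

def suggest_rule(fields):
    """Build the narrowest file rule that would have allowed this access."""
    return f"  {fields['name']} {rule_perms(fields['denied_mask'])},"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = parse_denial(line)
        if d:
            print(f"profile={d['profile']} comm={d['comm']!r} -> {suggest_rule(d)}")
```

For this denial the mask `ac` yields a write-only rule on /dev/console, which is narrower than the `rw` rule proposed in the description.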

Chloé Smith (kajiya) wrote :

Hey Georgia!

Thank you for the report - this is certainly something we could do on our end in the cloud image. Let us do some testing to ensure no regressions are introduced doing this. I'll come back with more information soon.

All the best,
Chloé

Georgia Garcia (georgiag) wrote :

Hi Chloé!

I was just testing a fix that I did myself: https://launchpad.net/~georgiag/+archive/ubuntu/lp2009230/+packages
and it seemed to work as expected.

Chloé Smith (kajiya) wrote :

Hey Georgia!

Sorry for the delay in writing back to you, I've been on a mix of PTO and sick leave the last couple of weeks...

I've prepared a MP to actually add the relevant config snippet (`/dev/console rw,`) into `/etc/apparmor.d/usr.sbin.rsyslogd` in our cloud bootstrap, tested it and it all seems well.

However, John (on our team) made a good point that the AppArmor profile may not have this snippet by design - I understand you guys in Security would probably have the most oversight into this currently so before I merge the code do you see any issues with us forcing the profile to accept rw access to /dev/console? If so that's cool, I just want to check seeing as this profile is only now being enabled in Lunar :)

Andreas Hasenack (ahasenack) wrote :

> I just want to check seeing as this profile is only now being enabled in Lunar :)

Hi Chloé,

Indeed, this is the first time this profile is being enabled (and enforced) by default: Ubuntu Lunar.

Adding the /dev/console rule is easy enough, as you have figured out. I don't have objections, but would like security's opinion as well. We could also include the /etc/apparmor.d/abstractions/consoles abstraction for that matter, although that one also allows access to /dev/pts*.

John Johansen (jjohansen) wrote :

Security's recommendation is to actually use the console abstraction, as that way you will pick up the improvements to console mediation automatically when they land.

Georgia Garcia (georgiag) wrote :

I added the consoles abstraction to the rsyslog AppArmor profile and I also had to add syslog to the tty group, otherwise rsyslog would not have been able to write to /dev/console due to file permissions (bug 1890177).

I added the proposed changes to this PPA https://launchpad.net/~georgiag/+archive/ubuntu/rsyslog-console

Andreas Hasenack (ahasenack) wrote :

We talked a bit on IRC[1], and for now we will start with allowing just /dev/console access, especially since we are about to enter beta freeze, and that is the less invasive option.

We will later investigate (maybe still within the beta) the tty group membership issue. It looks like we had it before, so it's not clear how we lost it: on purpose, or if the change was just lost.

1. https://irclogs.ubuntu.com/2023/03/23/%23ubuntu-security.html#t19:19

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rsyslog - 8.2302.0-1ubuntu3

---------------
rsyslog (8.2302.0-1ubuntu3) lunar; urgency=medium

  * d/usr.sbin.rsyslog: allow access to /dev/console on the AppArmor policy
    (LP: #2009230)

 -- Georgia Garcia <email address hidden> Fri, 24 Mar 2023 11:28:25 -0300

Changed in rsyslog (Ubuntu Lunar):
status: New → Fix Released