| 2020-08-07 20:10:52 |
Jamie Strandboge |
bug |
|
|
added bug |
| 2020-08-07 20:11:06 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Bionic |
|
| 2020-08-07 20:11:06 |
Jamie Strandboge |
bug task added |
|
linux (Ubuntu Bionic) |
|
| 2020-08-07 20:11:06 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Xenial |
|
| 2020-08-07 20:11:06 |
Jamie Strandboge |
bug task added |
|
linux (Ubuntu Xenial) |
|
| 2020-08-07 20:11:18 |
Jamie Strandboge |
linux (Ubuntu): status |
New |
Fix Released |
|
| 2020-08-07 20:12:18 |
Jamie Strandboge |
tags |
|
apparmor |
|
| 2020-08-07 20:12:25 |
Jamie Strandboge |
linux (Ubuntu Bionic): status |
New |
Confirmed |
|
| 2020-08-07 20:12:27 |
Jamie Strandboge |
linux (Ubuntu Xenial): status |
New |
Confirmed |
|
| 2020-08-07 20:23:14 |
Jamie Strandboge |
summary |
'ptrace trace' needed to readlink() /proc/*/ns/* files |
'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels |
|
| 2020-08-10 16:13:04 |
Jamie Strandboge |
linux (Ubuntu Xenial): importance |
Undecided |
Medium |
|
| 2020-08-10 16:13:04 |
Jamie Strandboge |
linux (Ubuntu Xenial): status |
Confirmed |
Triaged |
|
| 2020-08-10 16:13:15 |
Jamie Strandboge |
linux (Ubuntu Bionic): status |
Confirmed |
Triaged |
|
| 2020-08-10 16:13:18 |
Jamie Strandboge |
linux (Ubuntu Bionic): importance |
Undecided |
Medium |
|
| 2020-08-10 16:13:31 |
Jamie Strandboge |
linux (Ubuntu Xenial): assignee |
|
John Johansen (jjohansen) |
|
| 2020-08-10 16:13:40 |
Jamie Strandboge |
linux (Ubuntu Bionic): assignee |
|
John Johansen (jjohansen) |
|
| 2021-07-16 18:54:11 |
Georgia Garcia |
description |
Per 'man namespaces':
"Permission to dereference or read (readlink(2)) these symbolic links is
governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
ptrace(2)."
This suggests that a 'ptrace read' rule should be sufficient to readlink() /proc/*/ns/*, which is the case with 5.4.0-42.46-generic (Ubuntu 20.04 LTS).
However, on Ubuntu 18.04 LTS and 16.04 LTS, 'ptrace trace' is needed. Here is a reproducer:
$ cat ./readlink-ns.c
#include <errno.h>
#include <linux/limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
void usage() {
fprintf(stderr, "Usage: readlink-ns -p <pid> -n <ns>\n");
}
int main(int argc, char *argv[])
{
pid_t pid = 0;
char *ns = NULL;
char path[PATH_MAX] = {};
char rpath[PATH_MAX] = {};
int c;
while ((c = getopt(argc, argv, "hn:p:")) != -1) {
switch(c) {
case 'n':
ns = optarg;
break;
case 'p':
pid = atoi(optarg);
break;
case 'h':
usage();
return 0;
case '?':
usage();
return 1;
default:
return 1;
}
}
int n = snprintf(path, sizeof(path), "/proc/%d/ns/%s", pid, ns);
if (n < 0 || (size_t)n >= sizeof(path)) {
fprintf(stderr, "cannot format string\n");
return 1;
}
path[n] = '\0';
printf("path: %s\n", path);
n = readlink(path, rpath, sizeof(rpath));
if (n < 0) {
perror("readlink()");
return 1;
} else if (n == sizeof(rpath)) {
fprintf(stderr, "cannot readlink()\n");
return 1;
}
printf("rpath: %s\n", rpath);
return 0;
}
$ cat ./readlink-ns.apparmor
#include <tunables/global>
profile test {
#include <abstractions/base>
# focal
ptrace (read) peer="unconfined",
# xenial, bionic
#ptrace (trace) peer="unconfined",
}
# bionic and xenial need 'ptrace trace'
$ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
readlink(): Permission denied
Denial:
Aug 07 14:40:59 sec-bionic-amd64 kernel: audit: type=1400 audit(1596829259.675:872): apparmor="DENIED" operation="ptrace" profile="test" pid=1311 comm="a.out" requested_mask="trace" denied_mask="trace" peer="unconfined"
# focal needs only 'ptrace read'
$ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
rpath: pid:[4026531836] |
SRU Justification:
[Impact]
Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
only 'ptrace read' should be required according to 'man namespaces':
"Permission to dereference or read (readlink(2)) these symbolic links
is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
ptrace(2)."
[Fix]
Upstream commit 338d0be437ef10e247a35aed83dbab182cf406a2 fixes ptrace
read check.
[Test Plan]
BugLink contains the source of a binary that reproduces the issue. In
summary, it executes readlink() on /proc/*/ns/*. There's also a policy
that has only 'ptrace read' permission. When the bug is fixed,
execution is allowed.
[Where problems could occur]
The regression can be considered as low, since it's lowering the number
of permissions required. Existing policies that already contain the
permission 'ptrace trace' and 'ptrace read' will have a broader policy
than required. |
|
| 2021-07-19 12:11:15 |
Georgia Garcia |
bug |
|
|
added subscriber Georgia Garcia |
| 2021-08-06 21:23:58 |
Kelsey Steele |
linux (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
| 2021-08-20 11:41:46 |
Ubuntu Kernel Bot |
tags |
apparmor |
apparmor verification-needed-bionic |
|
| 2021-08-20 13:59:52 |
Georgia Garcia |
tags |
apparmor verification-needed-bionic |
apparmor verification-done-bionic |
|
| 2021-09-07 14:48:32 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2021-09-07 14:48:32 |
Launchpad Janitor |
cve linked |
|
2021-3653 |
|
| 2021-09-07 14:48:32 |
Launchpad Janitor |
cve linked |
|
2021-3656 |
|
| 2021-09-24 19:01:44 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
