Package: apparmor
Version: 2.13.6-10
Severity: wishlist

When booting with boot=live (live-boot-initramfs-tools), apparmor is disabled:

  https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/experimental/debian/apparmor.service#L17
  https://salsa.debian.org/apparmor-team/apparmor/-/commit/675a4d80a9147c7278577d8043f885099db403a9
  https://bugs.debian.org/922378

It's easy to miss this and think you're protected; "systemctl --state=failed" doesn't say apparmor.service failed.
You have to notice that "aa-status" doesn't mention any profiles are loaded.

This affects not only pre-built Debian Live images, but also abnormal people who run the same Debian install, sometimes with "boot=local", and sometimes with "boot=live" (so reboot will auto-rollback the OS).

I think this workaround is not necessary anymore!
apparmor works on Debian 11 Live!
(At least for msmtp; I have not tested evince & libreoffice yet.)

# NOTE: policy says msmtp can run /bin/cat but not /bin/tac:
root@main:~# msmtp --host=smtp.gmail.com --tls=on --port=587 --auto-from=on --auth=on --user=THIS-IS-A-TEST --passwordeval='tac /etc/services' root <<< test
sh: 1: tac: Permission denied
msmtp: cannot read output of 'tac /etc/services'
Sep 30 20:34:33 main.lan kernel: audit: type=1400 audit(1632998073.404:35): apparmor="DENIED" operation="exec" profile="msmtp//helpers" name="/usr/bin/tac" pid=3112 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
root@main:~# msmtp --host=smtp.gmail.com --tls=on --port=587 --auto-from=on --auth=on --user=THIS-IS-A-TEST --passwordeval='cat /etc/services' root <<< test
msmtp: authentication failed (method PLAIN)
msmtp: server message: 535-5.7.8 Username and Password not accepted. Learn more at
msmtp: server message: 535 5.7.8  https://support.google.com/mail/?p=BadCredentials z22sm2054254pgn.81 - gsmtp
msmtp: could not send mail

A fuller transcript is attached.

The Debian Live image was built & booted using
https://github.com/cyberitsolutions/bootstrap2020/blob/main/debian-11-minimal.py

-- System Information:
Debian Release: 11.0
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'stable'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
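Added example, not part of this report or of Debian's apparmor packaging: a POSIX sh health check for the failure mode described above. Because apparmor.service is skipped (not failed) when a ConditionPathExists= line is false, "systemctl --state=failed" stays empty; the kernel's own profile list under securityfs is the reliable signal, so that is what the check reads. The function and fixture names are my own, and the securityfs directory is a parameter (default /sys/kernel/security/apparmor) so the functions can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the bug report or from Debian's apparmor packaging.
# apparmor.service is *skipped* (not failed) when one of its ConditionPathExists=
# lines is false, so "systemctl --state=failed" shows nothing while the box runs
# with the LSM enabled and zero profiles loaded.  The kernel's profile list under
# securityfs is authoritative, so that is what this check reads.  The securityfs
# directory is a parameter so the functions can run against a constructed tree.

# Print "<total> <enforce> <complain>" for the profiles the kernel has loaded.
# Each line of <dir>/profiles reads "<profile name> (<mode>)".
apparmor_profile_summary() {
    dir="${1:-/sys/kernel/security/apparmor}"
    f="$dir/profiles"
    if [ ! -r "$f" ]; then
        echo "0 0 0"
        return 0
    fi
    # grep -c exits 1 when the count is 0; "|| true" keeps set -e from aborting
    total=$(grep -c '' "$f" || true)
    enforce=$(grep -c '(enforce)$' "$f" || true)
    complain=$(grep -c '(complain)$' "$f" || true)
    echo "$total $enforce $complain"
}

# Exit status: 0 = at least one profile loaded, 1 = AppArmor enabled but nothing
# loaded (the live-boot situation in the report), 2 = LSM not enabled at all.
apparmor_check() {
    dir="${1:-/sys/kernel/security/apparmor}"
    if [ ! -d "$dir" ]; then
        echo "AppArmor: LSM not enabled (no $dir)"
        return 2
    fi
    set -- $(apparmor_profile_summary "$dir")
    if [ "$1" -eq 0 ]; then
        echo "AppArmor: enabled, but 0 profiles loaded; apparmor.service was probably skipped by a Condition*= line"
        return 1
    fi
    echo "AppArmor: $1 profiles loaded ($2 enforce, $3 complain)"
    return 0
}

# Constructed fixture: a securityfs look-alike under $1.  "live" mimics the report
# (LSM on, empty profile list); "confined" mimics part of the aa-status output seen
# after the drop-in that clears ConditionPathExists=.  Prints the apparmor directory.
make_sample_securityfs() {
    root="$1"
    kind="$2"
    mkdir -p "$root/apparmor"
    case "$kind" in
        live)
            : > "$root/apparmor/profiles" ;;
        confined)
            printf '%s\n' 'msmtp (enforce)' 'msmtp//helpers (enforce)' \
                '/usr/bin/irssi (complain)' > "$root/apparmor/profiles" ;;
        *)
            echo "unknown fixture: $kind" >&2
            return 1 ;;
    esac
    echo "$root/apparmor"
}

# Run against the live system when executed as apparmor-check.sh (not when sourced).
case "${0##*/}" in
    apparmor-check.sh)
        apparmor_check
        rc=$?
        # ConditionResult=no confirms the unit was skipped rather than failed
        command -v systemctl >/dev/null 2>&1 && systemctl show -p ActiveState -p ConditionResult apparmor.service
        exit $rc
        ;;
esac
```

Save it as apparmor-check.sh and run it at boot (or from a monitoring agent) on hosts that sometimes boot with boot=live; exit status 1 is the case this report is about, and "systemctl show -p ConditionResult apparmor.service" printing ConditionResult=no tells you which way the unit went.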
bash5$ ssh bootstrap2020
Warning: Permanently added '[localhost]:2022' (ED25519) to the list of known hosts.
root@main:~# cat /etc/apparmor.d/usr.bin.msmtp
# Author: Simon Deziel <si...@sdeziel.info>

#include <tunables/global>

profile msmtp /usr/bin/msmtp flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/nameservice>
  #include <abstractions/p11-kit>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>

  /usr/bin/msmtp mr,

  /etc/aliases r,
  /etc/msmtprc r,
  /etc/mailname r,
  /etc/netrc r,
  owner @{HOME}/.msmtp* r,
  owner @{HOME}/.netrc r,
  owner @{HOME}/.tls-crls r,
  owner @{HOME}/.msmtp*.log wk,
  /var/log/msmtp wk,
  owner @{HOME}/**/*msmtprc r,
  owner @{HOME}/.config/msmtp/* r,
  owner @{HOME}/.cache/msmtp/* r,
  owner @{HOME}/.cache/msmtp/*.log wk,
  @{PROC}/@{pid}/loginuid r,
  /tmp/ rw,
  owner /tmp/* rw,

  # to type password interactively
  /dev/tty rw,
  owner /dev/pts/[0-9]* rw,

  dbus send bus=session interface=org.freedesktop.Secret.Service,

  # secret helpers
  /{,usr/}bin/bash Cx -> helpers,
  /{,usr/}bin/dash Cx -> helpers,

  profile helpers {
    #include <abstractions/base>

    /{,usr/}bin/bash mr,
    /{,usr/}bin/dash mr,

    /tmp/ rw,
    owner /tmp/* rw,

    /usr/bin/secret-tool PUx,
    /usr/bin/gpg{,2} PUx,
    /usr/bin/pass PUx,
    /usr/bin/head PUx,
    /usr/bin/keyring PUx,
    /{,usr/}bin/cat PUx,
  }

  #include <local/usr.bin.msmtp>
}
root@main:~# msmtp --host=smtp.gmail.com --tls=on --port=587 --auto-from=on --auth=on --user=THIS-IS-A-TEST --passwordeval=/bin/true root <<< test
sh: 1: /bin/true: Permission denied
msmtp: cannot read output of '/bin/true'
root@main:~# journalctl -k -n10
-- Journal begins at Thu 2021-09-30 20:01:24 AEST, ends at Thu 2021-09-30 20:10:32 AEST. --
Sep 30 20:01:26 localhost kernel: AVX2 version of gcm_enc/dec engaged.
Sep 30 20:01:26 localhost kernel: AES CTR mode by8 optimization enabled
Sep 30 20:01:26 localhost kernel: audit: type=1400 audit(1632996086.120:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslogd" pid=250 comm="apparmor_parser"
Sep 30 20:01:26 localhost kernel: audit: type=1400 audit(1632996086.196:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="syslog-ng" pid=249 comm="apparmor_parser"
Sep 30 20:01:26 localhost kernel: audit: type=1400 audit(1632996086.220:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/irssi" pid=257 comm="apparmor_parser"
Sep 30 20:01:26 localhost kernel: audit: type=1400 audit(1632996086.344:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="msmtp" pid=264 comm="apparmor_parser"
Sep 30 20:10:32 main.lan kernel: kauditd_printk_skb: 19 callbacks suppressed
Sep 30 20:10:32 main.lan kernel: audit: type=1400 audit(1632996632.276:30): apparmor="DENIED" operation="capable" profile="msmtp//helpers" pid=3085 comm="sh" capability=7 capname="setuid"
Sep 30 20:10:32 main.lan kernel: audit: type=1400 audit(1632996632.276:31): apparmor="DENIED" operation="capable" profile="msmtp//helpers" pid=3085 comm="sh" capability=6 capname="setgid"
Sep 30 20:10:32 main.lan kernel: audit: type=1400 audit(1632996632.276:32): apparmor="DENIED" operation="exec" profile="msmtp//helpers" name="/bin/true" pid=3086 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
root@main:~# systemctl cat apparmor
# /lib/systemd/system/apparmor.service
[Unit]
Description=Load AppArmor profiles
DefaultDependencies=no
Before=sysinit.target
After=local-fs.target
After=systemd-journald-audit.socket
RequiresMountsFor=/var/cache/apparmor
AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
ConditionSecurity=apparmor
Documentation=man:apparmor(7)
Documentation=https://gitlab.com/apparmor/apparmor/wikis/home/
# Don't start this unit on the Ubuntu Live CD
ConditionPathExists=!/rofs/etc/apparmor.d
# Don't start this unit on the Debian Live CD when using overlayfs
ConditionPathExists=!/run/live/overlay/work

[Service]
Type=oneshot
ExecStart=/lib/apparmor/apparmor.systemd reload
ExecReload=/lib/apparmor/apparmor.systemd reload
# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
# from running processes (and not being able to re-apply it later).
# Upstream systemd developers refused to implement an option that allows overriding
# this behaviour, therefore we have to make ExecStop a no-op to error out on the
# safe side.
#
# If you really want to unload all AppArmor profiles, run aa-teardown
ExecStop=/bin/true
RemainAfterExit=yes

[Install]
WantedBy=sysinit.target

# /etc/systemd/system/apparmor.service.d/bootstrap2020-enable-despite-debian-live.conf
# Debian 11 tells apparmor not to start in Debian Live.
#
# https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/experimental/debian/apparmor.service#L17
# https://salsa.debian.org/apparmor-team/apparmor/-/commit/675a4d80a9147c7278577d8043f885099db403a9
# https://bugs.debian.org/922378
#
# It does this by checking if /run/live/overlay/work exists.
# This is just a heuristic, the *ACTUAL* problem is/was that
# apparmor paths like /etc/foo canonicalize to /run/live/overlay/root/etc/foo when using overlayfs.
#
# Nevertheless we can TRY turning this off and see if things get better...
# https://forums.whonix.org/t/live-mode-breaks-apparmor/7559
[Unit]
ConditionPathExists=
root@main:~# cat /proc/cmdline
boot=live plainroot root=/dev/vda earlyprintk=ttyS0 console=ttyS0 loglevel=1
root@main:~# cat /proc/self/mountinfo
21 31 0:19 / /sys rw,nosuid,nodev,noexec,relatime shared:14 - sysfs sysfs rw
22 31 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:19 - proc proc rw
23 31 0:5 / /dev rw,nosuid,relatime shared:6 - devtmpfs udev rw,size=236292k,nr_inodes=59073,mode=755
24 23 0:21 / /dev/pts rw,nosuid,noexec,relatime shared:7 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
25 31 0:22 / /run rw,nosuid,nodev,noexec,relatime shared:9 - tmpfs tmpfs rw,size=48680k,mode=755
26 25 254:0 / /run/live/rootfs/filesystem ro,noatime shared:10 - squashfs /dev/vda ro
27 25 254:0 / /run/live/medium ro,noatime shared:11 - squashfs /dev/vda ro
28 25 0:23 / /run/live/overlay rw,noatime shared:12 - tmpfs tmpfs rw,size=243384k,mode=755
31 1 0:24 / / rw,noatime shared:1 - overlay overlay rw,lowerdir=/run/live/rootfs/filesystem/,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work
32 31 0:22 /live /lib/live/mount rw,nosuid,nodev,noexec,relatime shared:2 - tmpfs tmpfs rw,size=48680k,mode=755
33 32 254:0 / /lib/live/mount/rootfs/filesystem ro,noatime shared:3 - squashfs /dev/vda ro
34 32 254:0 / /lib/live/mount/medium ro,noatime shared:4 - squashfs /dev/vda ro
35 32 0:23 / /lib/live/mount/overlay rw,noatime shared:5 - tmpfs tmpfs rw,size=243384k,mode=755
36 21 0:6 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:15 - securityfs securityfs rw
37 23 0:27 / /dev/shm rw,nosuid,nodev shared:8 - tmpfs tmpfs rw
38 25 0:28 / /run/lock rw,nosuid,nodev,noexec,relatime shared:13 - tmpfs tmpfs rw,size=5120k
39 21 0:29 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:16 - cgroup2 cgroup2 rw,nsdelegate,memory_recursiveprot
40 21 0:30 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:17 - pstore pstore rw
41 21 0:31 / /sys/fs/bpf rw,nosuid,nodev,noexec,relatime shared:18 - bpf none rw,mode=700
42 22 0:32 / /proc/sys/fs/binfmt_misc rw,relatime shared:20 - autofs systemd-1 rw,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=9513
43 23 0:18 / /dev/mqueue rw,nosuid,nodev,noexec,relatime shared:21 - mqueue mqueue rw
44 21 0:10 / /sys/kernel/tracing rw,nosuid,nodev,noexec,relatime shared:22 - tracefs tracefs rw
45 23 0:33 / /dev/hugepages rw,relatime shared:23 - hugetlbfs hugetlbfs rw,pagesize=2M
46 21 0:7 / /sys/kernel/debug rw,nosuid,nodev,noexec,relatime shared:24 - debugfs debugfs rw
47 21 0:34 / /sys/kernel/config rw,nosuid,nodev,noexec,relatime shared:25 - configfs configfs rw
48 21 0:35 / /sys/fs/fuse/connections rw,nosuid,nodev,noexec,relatime shared:26 - fusectl fusectl rw
49 31 0:36 / /tmp rw,nosuid,nodev,relatime shared:27 - tmpfs tmpfs rw
387 25 0:43 / /run/user/0 rw,nosuid,nodev,relatime shared:225 - tmpfs tmpfs rw,size=48676k,nr_inodes=12169,mode=700

bash5$ ssh bootstrap2020
Warning: Permanently added '[localhost]:2022' (ED25519) to the list of known hosts.
root@main:~# dpkg-query -W msmtp apparmor linux-image-cloud-amd64
apparmor	2.13.6-10
linux-image-cloud-amd64	5.10.46-5
msmtp	1.8.11-2.1
root@main:~# # Oh crap!  I should also confirm that the allow list is allowed!
root@main:~# msmtp --host=smtp.gmail.com --tls=on --port=587 --auto-from=on --auth=on --user=THIS-IS-A-TEST --passwordeval='tac /etc/services' root <<< test
sh: 1: tac: Permission denied
msmtp: cannot read output of 'tac /etc/services'
root@main:~# msmtp --host=smtp.gmail.com --tls=on --port=587 --auto-from=on --auth=on --user=THIS-IS-A-TEST --passwordeval='cat /etc/services' root <<< test
msmtp: authentication failed (method PLAIN)
msmtp: server message: 535-5.7.8 Username and Password not accepted. Learn more at
msmtp: server message: 535 5.7.8  https://support.google.com/mail/?p=BadCredentials z22sm2054254pgn.81 - gsmtp
msmtp: could not send mail
root@main:~# journalctl -kn3
-- Journal begins at Thu 2021-09-30 20:01:24 AEST, ends at Thu 2021-09-30 20:34:33 AEST. --
Sep 30 20:34:33 main.lan kernel: audit: type=1400 audit(1632998073.404:33): apparmor="DENIED" operation="capable" profile="msmtp//helpers" pid=3111 comm="sh" capability=7 capname="setuid"
Sep 30 20:34:33 main.lan kernel: audit: type=1400 audit(1632998073.404:34): apparmor="DENIED" operation="capable" profile="msmtp//helpers" pid=3111 comm="sh" capability=6 capname="setgid"
Sep 30 20:34:33 main.lan kernel: audit: type=1400 audit(1632998073.404:35): apparmor="DENIED" operation="exec" profile="msmtp//helpers" name="/usr/bin/tac" pid=3112 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
root@main:~# aa-status
apparmor module is loaded.
28 profiles are loaded.
12 profiles are in enforce mode.
   /usr/bin/pidgin
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/bin/totem//sanitized_helper
   apt-cacher-ng
   lsb_release
   msmtp
   msmtp//helpers
   nvidia_modprobe
   nvidia_modprobe//kmod
16 profiles are in complain mode.
   /usr/bin/irssi
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   identd
   klogd
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
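Added example, not part of this report: a small sh/awk filter that turns the kernel's apparmor="DENIED" audit records (like the journalctl lines in the transcript above) into one "profile, operation, target" line each, plus a per-profile count, so a denial such as the msmtp//helpers exec of /usr/bin/tac stands out when you are confirming that confinement is really in effect. The sample input is copied from the report's own journal output; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report.  Summarise AppArmor DENIED audit records
# so a profile's denials can be read at a glance while verifying that confinement
# actually applies (the report's transcript shows exactly these kernel lines).

# Read kernel audit lines on stdin; print "<profile>\t<operation>\t<target>" per
# DENIED record.  target is name= for file operations and capname= for "capable".
# The key=value fields are the kernel's audit format; quotes are stripped.
apparmor_denials() {
    awk '
        /apparmor="DENIED"/ {
            profile = ""; op = ""; target = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "profile")   profile = kv[2]
                if (kv[1] == "operation") op = kv[2]
                if (kv[1] == "name")      target = kv[2]
                if (kv[1] == "capname")   target = kv[2]
            }
            gsub(/"/, "", profile); gsub(/"/, "", op); gsub(/"/, "", target)
            print profile "\t" op "\t" target
        }'
}

# Aggregate stdin into "<count> <profile> <operation>" lines, most frequent first.
apparmor_denial_counts() {
    apparmor_denials | awk -F'\t' '{ print $1 " " $2 }' | sort | uniq -c \
        | sort -rn | awk '{ print $1, $2, $3 }'
}

# Constructed sample: the journalctl lines from the transcript (three denials from
# the msmtp//helpers subprofile) plus one STATUS line that must be ignored.
sample_audit_lines() {
    cat <<'EOF'
Sep 30 20:34:33 main.lan kernel: audit: type=1400 audit(1632998073.404:33): apparmor="DENIED" operation="capable" profile="msmtp//helpers" pid=3111 comm="sh" capability=7 capname="setuid"
Sep 30 20:34:33 main.lan kernel: audit: type=1400 audit(1632998073.404:34): apparmor="DENIED" operation="capable" profile="msmtp//helpers" pid=3111 comm="sh" capability=6 capname="setgid"
Sep 30 20:34:33 main.lan kernel: audit: type=1400 audit(1632998073.404:35): apparmor="DENIED" operation="exec" profile="msmtp//helpers" name="/usr/bin/tac" pid=3112 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Sep 30 20:01:26 localhost kernel: audit: type=1400 audit(1632996086.344:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="msmtp" pid=264 comm="apparmor_parser"
EOF
}

# On a real host: journalctl -k | apparmor_denial_counts
```

On a live host pipe "journalctl -k" (or "dmesg") into apparmor_denials or apparmor_denial_counts; an empty result after deliberately exercising a confined program is the same warning sign as aa-status listing no profiles.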