** Description changed:

  I was helping a docker user out in #apparmor on OFTC and I think we
- found a kernel bug. Filing this on behalf of the user.
+ found a kernel bug in the 14.04 kernel.
  
- The user added the following to the base abstraction then reloaded policy:
- ptrace peer=@{profile_name},
- 
- but had denials like this:
- apparmor="DENIED" operation="ptrace" profile="docker-default" pid=15426 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
- 
- The user tried this rule too, but it didn't work:
- ptrace peer=docker-default,
- 
- The user had to use 'ptrace,' instead to make the denials go away.
+ root@cerise:/etc/apparmor.d# cat /proc/version_signature
+ Ubuntu 3.13.0-32.57-generic 3.13.11.4
  
  Steps to reproduce:
  1. adjust /etc/apparmor.d/abstractions/base to have:
- ptrace peer=@{profile_name},
+   ptrace peer=@{profile_name},
  2. sudo apt-get install docker.io
  3. sudo docker pull ubuntu:trusty
  4. Run 'ps' inside docker:
- $ sudo docker run -i -t ubuntu:trusty bash
- root@5039d725a41d:/# ps
- ...
- root@5039d725a41d:/# exit
- $
+   $ sudo docker run -i -t ubuntu:trusty bash
+   root@5039d725a41d:/# ps
+   ...
+   root@5039d725a41d:/# exit
+   $
  
- Then observe the following denials on the host:
+ Then observe the following denials on the host, which should have been
+ addressed in the rule added in step 1:
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
+ 
+ Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
+ works as expected (note, the policy is different on 14.10 and it already
+ has the rule from step 1).
  
  Note, docker is different than most applications in that it embeds its
  policy inside the docker binary and this binary when launched as a daemon
  (ie, via the upstart job) will unconditionally write out the policy to
  /etc/apparmor.d/docker-default. As such, to modify the policy:
  0. install docker.io and pull a trusty image # only has to be done once
  1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
- 2. sudo stop docker.io
+ 2. sudo stop docker.io # 'docker' on 14.10
  3. sudo apparmor_parser -R /etc/apparmor.d/docker
  4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
- 5. sudo start docker.io
+ 5. sudo start docker.io # 'docker' on 14.10
  6. Run 'ps' inside docker:
- $ sudo docker run -i -t ubuntu:trusty bash
- root@5039d725a41d:/# ps
- ...
- root@5039d725a41d:/# exit
- $
+   $ sudo docker run -i -t ubuntu:trusty bash
+   root@5039d725a41d:/# ps
+   ...
+   root@5039d725a41d:/# exit
+   $
  
  (Docker just added a way to specify an alternate existing profile in
  https://docs.docker.com/reference/run/#security-configuration).
  
  Reference: https://github.com/docker/docker/issues/7276
** Description changed:

  I was helping a docker user out in #apparmor on OFTC and I think we
  found a kernel bug in the 14.04 kernel.
  
- root@cerise:/etc/apparmor.d# cat /proc/version_signature
- Ubuntu 3.13.0-32.57-generic 3.13.11.4
+ $ cat /proc/version_signature
+ Ubuntu 3.13.0-37.64-generic 3.13.11.7
  
  Steps to reproduce:
  1. adjust /etc/apparmor.d/abstractions/base to have:
    ptrace peer=@{profile_name},
  2. sudo apt-get install docker.io
  3. sudo docker pull ubuntu:trusty
  4. Run 'ps' inside docker:
    $ sudo docker run -i -t ubuntu:trusty bash
    root@5039d725a41d:/# ps
    ...
    root@5039d725a41d:/# exit
    $
  
  Then observe the following denials on the host, which should have been
  addressed in the rule added in step 1:
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
  
  Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
  works as expected (note, the policy is different on 14.10 and it already
  has the rule from step 1).
  
  Note, docker is different than most applications in that it embeds its
  policy inside the docker binary and this binary when launched as a daemon
  (ie, via the upstart job) will unconditionally write out the policy to
  /etc/apparmor.d/docker-default. As such, to modify the policy:
  0. install docker.io and pull a trusty image # only has to be done once
  1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
  2. sudo stop docker.io # 'docker' on 14.10
  3. sudo apparmor_parser -R /etc/apparmor.d/docker
  4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
  5. sudo start docker.io # 'docker' on 14.10
  6. Run 'ps' inside docker:
    $ sudo docker run -i -t ubuntu:trusty bash
    root@5039d725a41d:/# ps
    ...
    root@5039d725a41d:/# exit
    $
  
  (Docker just added a way to specify an alternate existing profile in
  https://docs.docker.com/reference/run/#security-configuration).
  
  Reference: https://github.com/docker/docker/issues/7276

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1390592

Title:
  'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker

Status in “linux” package in Ubuntu:
  Confirmed

Bug description:
  I was helping a docker user out in #apparmor on OFTC and I think we
  found a kernel bug in the 14.04 kernel.

  $ cat /proc/version_signature
  Ubuntu 3.13.0-37.64-generic 3.13.11.7

  Steps to reproduce:
  1. adjust /etc/apparmor.d/abstractions/base to have:
    ptrace peer=@{profile_name},
  2. sudo apt-get install docker.io
  3. sudo docker pull ubuntu:trusty
  4. Run 'ps' inside docker:
    $ sudo docker run -i -t ubuntu:trusty bash
    root@5039d725a41d:/# ps
    ...
    root@5039d725a41d:/# exit
    $

  Then observe the following denials on the host, which should have been
  addressed in the rule added in step 1:
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"

  Using 'ptrace peer=docker-default,' also did not work. Ubuntu 14.10
  works as expected (note, the policy is different on 14.10 and it already
  has the rule from step 1).

  Note, docker is different than most applications in that it embeds its
  policy inside the docker binary and this binary when launched as a daemon
  (ie, via the upstart job) will unconditionally write out the policy to
  /etc/apparmor.d/docker-default. As such, to modify the policy:
  0. install docker.io and pull a trusty image # only has to be done once
  1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
  2. sudo stop docker.io # 'docker' on 14.10
  3. sudo apparmor_parser -R /etc/apparmor.d/docker
  4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
  5. sudo start docker.io # 'docker' on 14.10
  6. Run 'ps' inside docker:
    $ sudo docker run -i -t ubuntu:trusty bash
    root@5039d725a41d:/# ps
    ...
    root@5039d725a41d:/# exit
    $

  (Docker just added a way to specify an alternate existing profile in
  https://docs.docker.com/reference/run/#security-configuration).
  Reference: https://github.com/docker/docker/issues/7276
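Added example, not part of the bug report: a small checker that scans syslog-style AppArmor audit lines for the symptom reported above, denied ptrace events whose peer is the denied profile itself, which is exactly the case `ptrace peer=@{profile_name},` is meant to allow. The sample input is the three denial lines quoted in the report plus one constructed line with a different peer that must not be flagged.

```python
"""Flag AppArmor ptrace denials whose peer is the denied profile itself (the
symptom in LP#1390592). Added example, not the bug report's own code."""
import re
from collections import Counter

# Constructed sample input: the three denials quoted in the report, plus one
# constructed line (audit id 71, peer="unconfined") that must NOT be flagged.
SAMPLE_LOG = """\
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov 7 13:43:43 sec-trusty-amd64 kernel: [24258.500000] type=1400 audit(1415389423.000:71): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27543 comm="ps" requested_mask="read" denied_mask="read" peer="unconfined"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')  # quoted key="value" fields only


def parse_apparmor_line(line):
    """Return the quoted key/value fields of an AppArmor audit line, or None
    when the line is not an AppArmor event at all."""
    if 'apparmor="' not in line:
        return None
    return dict(KV_RE.findall(line))


def self_ptrace_denials(log_text):
    """Denied ptrace events where peer == profile, i.e. exactly the case that
    'ptrace peer=@{profile_name},' should have allowed."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        if ev.get("operation") != "ptrace":
            continue
        if ev.get("peer") == ev.get("profile"):
            hits.append((ev["profile"], ev.get("comm"), ev.get("denied_mask")))
    return hits


def summarize(log_text):
    """Count self-ptrace denials per (profile, denied_mask). A non-empty result
    on a kernel whose policy carries peer=@{profile_name} is the bug above."""
    return Counter((p, m) for p, _comm, m in self_ptrace_denials(log_text))


if __name__ == "__main__":
    for (profile, mask), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{profile}: {n} self-ptrace denial(s) with mask {mask!r}")
```

To check a real host, feed it the kernel lines from /var/log/syslog or /var/log/kern.log instead of SAMPLE_LOG.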