[apparmor] [patch] can ?not fix

Seth Arnold seth.arnold at canonical.com
Wed Dec 11 00:54:10 UTC 2013


On Sun, Dec 08, 2013 at 03:41:17PM +0100, Christian Boltz wrote:
> Hello,
> 
> Am Donnerstag, 5. Dezember 2013 schrieb Seth Arnold:
> > On Thu, Dec 05, 2013 at 10:50:56PM +0100, Christian Boltz wrote:
> > > as discussed on #apparmor yesterday, here's the most important patch
> > > we've ever seen ;-)
> > > 
> > > References: https://bugzilla.novell.com/show_bug.cgi?id=853661
> 
> > Ha! The best part about this is that the entire section needs to be
> > re-written, as it is several years out of date:
> 
> Well, it's the first time I touched this file. You know what this means? ;-)
> 
> > So, while the patch itself looks good, there's bigger problems that
> > need to be fixed. :)
> 
> I was afraid of that ;-)

This is definitely better than what is there now -- especially the log
format changes -- but it's not quite complete.

> Here's an updated (and much bigger) patch that
> - removes the note about can ?not mknod
> - also removes mount and umount from the can ?not list which are covered
>   by mount rules now (are the remaining parts still valid?)

I think the entire list is incorrect; for fun, create_module(2) does not
even exist in the 2.6 and newer series of kernels.

We no longer forbid _any_ of the listed system calls; instead we mediate
based on the capabilities required for the system call in question. (And
for sysctl(2) it gets complicated quickly; I didn't spot a capable() check
following the code paths, and quickly found that the kernel is doing some
pretty gross string-re-writing tricks to make filenames out of sysctl
options, and then opening those files from within kernel context(!).)

I didn't see any outright-forbidden hooks in security/apparmor/lsm.c.

> - updates the example audit.log lines to the current log format
> - updates the description of the log format
>   BTW: Is the   
>       ("Name"is in quotes, because the process name is limited to 15 bytes; [...]
>   part still valid?

Yes, this part is still true, the 'comm' field is still mighty short.

Thanks!

> 
> 
> === modified file 'parser/apparmor.pod'
> --- parser/apparmor.pod 2010-12-20 20:29:10 +0000
> +++ parser/apparmor.pod 2013-12-08 14:32:51 +0000
> @@ -6,6 +6,9 @@
>  #    Copyright (c) 2010
>  #    Canonical Ltd. (All rights reserved)
>  #
> +#    Copyright (c) 2013
> +#    Christian Boltz (All rights reserved)
> +#
>  #    This program is free software; you can redistribute it and/or
>  #    modify it under the terms of version 2 of the GNU General Public
>  #    License published by the Free Software Foundation.
> @@ -89,43 +92,46 @@
>  cannot call the following system calls:
>  
>         create_module(2) delete_module(2) init_module(2) ioperm(2)
> -       iopl(2) mount(2) umount(2) ptrace(2) reboot(2) setdomainname(2)
> +       iopl(2) ptrace(2) reboot(2) setdomainname(2)
>         sethostname(2) swapoff(2) swapon(2) sysctl(2)
>  
> -A confined process can not call mknod(2) to create character or block devices.
> -
>  =head1 ERRORS
>  
>  When a confined process tries to access a file it does not have permission
>  to access, the kernel will report a message through audit, similar to:
>  
> -       audit(1148420912.879:96): REJECTING x access to /bin/uname
> -         (sh(6646) profile /tmp/sh active /tmp/sh)
> -
> -       audit(1148420912.879:97): REJECTING r access to /bin/uname
> -         (sh(6646) profile /tmp/sh active /tmp/sh)
> -
> -       audit(1148420944.837:98): REJECTING access to capability
> -         'dac_override' (sh(6641) profile /tmp/sh active /tmp/sh)
> -
> -
> -The permissions requested by the process are immediately after
> -REJECTING. The "name" and process id of the running program are reported,
> -as well as the profile name and any "hat" that may be active. ("Name"
> +       audit(1386511672.612:238): apparmor="DENIED" operation="exec" 
> +         parent=7589 profile="/tmp/sh" name="/bin/uname" pid=7605 
> +         comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> +
> +       audit(1386511672.613:239): apparmor="DENIED" operation="open" 
> +         parent=7589 profile="/tmp/sh" name="/bin/uname" pid=7605 
> +         comm="sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> +
> +       audit(1386511772.804:246): apparmor="DENIED" operation="capable"
> +         parent=7246 profile="/tmp/sh" pid=7589 comm="sh" pid=7589 
> +         comm="sh" capability=2  capname="dac_override"
> +
> +The permissions requested by the process are described in the operation=
> +and denied_mask= (for files - capabilities etc. use a slightly different
> +log format).
> +The "name" and process id of the running program are reported,
> +as well as the profile name including any "hat" that may be active, 
> +separated by "//". ("Name"
>  is in quotes, because the process name is limited to 15 bytes; it is the
> -same as reported through the Berkeley process accounting.) If no hat is
> -active (see aa_change_hat(2)) then the profile name is printed for "active".
> +same as reported through the Berkeley process accounting.)
>  
>  For confined processes running under a profile that has been loaded in 
>  complain mode, enforcement will not take place and the log messages 
>  reported to audit will be of the form:
>  
> -       audit(1146868287.904:237): PERMITTING r access to
> -         /etc/apparmor.d/tunables (du(3811) profile /usr/bin/du active
> -         /usr/bin/du)
> +       audit(1386512577.017:275): apparmor="ALLOWED" operation="open"
> +         parent=8012 profile="/usr/bin/du" name="/etc/apparmor.d/tunables/"
> +         pid=8049 comm="du" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>  
> -       audit(1146868287.904:238): PERMITTING r access to /etc/apparmor.d
> -         (du(3811) profile /usr/bin/du active /usr/bin/du)
> +       audit(1386512577.017:276): apparmor="ALLOWED" operation="open"
> +         parent=8012 profile="/usr/bin/du" name="/etc/apparmor.d/tunables/"
> +         pid=8049 comm="du" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>  
>  
>  If the userland auditd is not running, the kernel will send audit events
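Review bot: the third DENIED example (operation="capable") repeats the pair `pid=7589 comm="sh"` twice in one record; drop the duplicate so the example matches what the kernel actually emits. The two ALLOWED examples have also become identical (same name="/etc/apparmor.d/tunables/", same pid=/parent=, consecutive serials) where the lines they replace showed two different paths; either make the second a genuinely different record (e.g. name="/etc/apparmor.d", as in the removed text) or keep only one. In the rewritten prose, 'The "name" and process id of the running program are reported' is now ambiguous, because name= in the new format is the accessed object while the process name lives in comm=; say explicitly that comm= carries the process name (the 15-byte limit applies to it), name= the object, and pid=/parent= the process ids. Likewise requested_mask= is what the process asked for and denied_mask= what was refused, so the first sentence should name requested_mask= rather than only operation=. The surviving syscall list still names create_module(2), which the reply above notes no longer exists, and the reply says mediation is now by capability rather than a fixed list, so that paragraph needs rewriting rather than trimming. Several added lines (operation="exec" , pid=7605 , comm="sh" pid=7589 , "hat" that may be active, ) carry trailing whitespace.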
> 
> 
> 
> 
> Regards,
> 
> Christian Boltz
> -- 
> What's wrong with a checkbox in expert mode:
>     [ ] I don't know what a partition is.
> If someone ticks that, it's clear they're a beginner.
> [Bernd Brodesser in suse-linux]
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> 
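The patch above documents the current key=value audit format (apparmor=, operation=, profile= with any hat appended after "//", name=, comm=, requested_mask=, denied_mask=) and Seth's reply confirms that comm= is still limited to 15 bytes. As an added illustration that is not part of this thread or of the AppArmor project's own code, here is a small Python parser for that format, run over sample lines constructed from the patch's own examples, that groups DENIED events per profile. The third sample line keeps the doubled pid=/comm= pair exactly as it appears in the patch to show the parser tolerating it; the last sample line, with a "profile//hat" name, is invented to exercise the hat split.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, modelled on the audit.log examples quoted in the
# patch above. The third line keeps the doubled pid=/comm= pair exactly as it
# appears in the patch; the last line is invented to show a "profile//hat" name.
SAMPLE_LOG = """\
audit(1386511672.612:238): apparmor="DENIED" operation="exec" parent=7589 profile="/tmp/sh" name="/bin/uname" pid=7605 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit(1386511672.613:239): apparmor="DENIED" operation="open" parent=7589 profile="/tmp/sh" name="/bin/uname" pid=7605 comm="sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit(1386511772.804:246): apparmor="DENIED" operation="capable" parent=7246 profile="/tmp/sh" pid=7589 comm="sh" pid=7589 comm="sh" capability=2  capname="dac_override"
audit(1386512577.017:275): apparmor="ALLOWED" operation="open" parent=8012 profile="/usr/bin/du" name="/etc/apparmor.d/tunables/" pid=8049 comm="du" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit(1386512577.018:276): apparmor="ALLOWED" operation="open" parent=8012 profile="/usr/bin/du//hat" name="/etc/apparmor.d" pid=8049 comm="du" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

HEADER_RE = re.compile(r"^audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# A field is key=value; values are either "quoted" (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

COMM_MAX = 15  # the kernel task name (comm=) is limited to 15 bytes, so it may be truncated


def parse_line(line):
    """Parse one audit line into a dict, or return None if it is not an audit record.

    Repeated keys (as in the doubled pid=/comm= example) are tolerated: the last
    value wins. The profile is split at "//" into base profile and hat.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, quoted, bare in FIELD_RE.findall(m.group("body")):
        rec[key] = bare if bare else quoted
    base, _, hat = rec.get("profile", "").partition("//")
    rec["base_profile"] = base
    rec["hat"] = hat or None
    # A 15-character comm= may have been cut off; do not treat it as a full program name.
    rec["comm_may_be_truncated"] = len(rec.get("comm", "")) >= COMM_MAX
    return rec


def summarize_denials(log_text):
    """Group DENIED events by base profile, keyed by (operation, object, denied_mask).

    File events carry name=; capability events carry capname= instead and no
    mask, which is why the key falls back across both.
    """
    denials = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue
        obj = rec.get("name") or rec.get("capname") or "?"
        key = (rec.get("operation", "?"), obj, rec.get("denied_mask", ""))
        denials[rec["base_profile"]][key] += 1
    return dict(denials)


if __name__ == "__main__":
    for profile, events in summarize_denials(SAMPLE_LOG).items():
        print(profile)
        for (op, obj, mask), n in sorted(events.items()):
            print(f"  {n}x {op:8} {obj} {mask}")
```

The summary keys on the base profile rather than on comm=, precisely because comm= is the short, possibly truncated task name the reply mentions; the hat is kept separately so a rule written for a hat can be told apart from one for the parent profile.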