[apparmor] [PATCH] apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task

Jeff Mahoney jeffm at suse.com
Fri Nov 6 20:44:34 UTC 2015



On 11/6/15 3:34 PM, Seth Arnold wrote:
> On Fri, Nov 06, 2015 at 03:17:30PM -0500, Jeff Mahoney wrote:
>> While using AppArmor, SYS_CAP_RESOURCE is insufficient to call
>> prlimit on another task. The only other example of an AppArmor
>> mediating access to another, already running, task (ignoring
>> fork+exec) is ptrace.
>> 
>> The AppArmor model for ptrace is that one of the following must
>> be true:
>> 1) The tracer is unconfined
>> 2) The tracer is in complain mode
>> 3) The tracer and tracee are confined by the same profile
>> 4) The tracer is confined but has SYS_CAP_PTRACE
> 
> Thanks Jeff, this is going to take some time to think about.
> 
> I wonder though, and I thought I'd just ask since you're already
> thinking about this, is your problem not solved by the 'ptrace'
> permissions in profiles? One odd twist is that if both processes
> are confined with different profiles that one profile needs to
> allow ptracing and the other needs to allow being ptraced.

Sadly, this is a bit of a housecleaning trip.  I wrote this patch up
in April and realized this afternoon I hadn't submitted it.  My
thinking is no longer fresh.

I haven't tested it, but I can't see why the ptrace permission would
help here.  I'm using ptrace as an example of AppArmor mediating
access to another process - this case otherwise has nothing to do with
ptrace.

The issue here is more that a profile can be granted capability
sys_resource but can't actually use it to change the rlimits of
another process.  This is the result of a bug report that comes about
from libvirt adding a new hostdev device.  Unfortunately, it's not a
public report so I can't share it.

-Jeff

> That'd look something like:
> 
> profile a { ptrace trace peer=b, }
> 
> profile b { ptrace tracedby peer=a, }
> 
> Of course your use may need the 'read' and 'readby' rules instead.
> 
> <abstractions/base> includes rules to allow all processes to be
> readby and tracedby all other processes (otherwise even unconfined
> root processes couldn't strace confined processes, etc.) -- so the
> second half of the permissions shouldn't be needed in most actual
> uses, but special circumstances may require it.


-- 
Jeff Mahoney
SUSE Labs
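A small diagnostic in C for the behaviour discussed in this thread (added here; it is not code from the thread or from the patch): it calls prlimit(2) on a target pid, first as a read and then as a no-op write of the current values, and returns errno so the caller can see whether the setrlimit path (the DAC uid/CAP_SYS_RESOURCE check followed by the LSM task_setrlimit hook that AppArmor mediates) refuses it. Assumptions: Linux with glibc's prlimit() wrapper; with no target pid on the command line it probes the calling process itself, which must succeed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Read a target task's limit without changing it.
 * Returns 0 on success, otherwise the errno from prlimit(2). */
int probe_prlimit_read(pid_t pid, int resource)
{
    struct rlimit cur;
    if (prlimit(pid, resource, NULL, &cur) != 0)
        return errno;
    return 0;
}

/* Write the target's current limit back unchanged. This exercises the
 * setrlimit path for another task without raising any limit, so the
 * only things that can refuse it are the uid/CAP_SYS_RESOURCE check
 * in the kernel and the LSM task_setrlimit hook (AppArmor here).
 * Returns 0 on success, otherwise the errno from prlimit(2). */
int probe_prlimit_write(pid_t pid, int resource)
{
    struct rlimit cur;
    if (prlimit(pid, resource, NULL, &cur) != 0)
        return errno;
    if (prlimit(pid, resource, &cur, NULL) != 0)
        return errno;
    return 0;
}

int main(int argc, char **argv)
{
    /* Target pid from argv[1] (assumed usage); defaults to ourselves. */
    pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();
    int r = probe_prlimit_read(pid, RLIMIT_NOFILE);
    int w = probe_prlimit_write(pid, RLIMIT_NOFILE);
    printf("pid %ld: read %s, write %s\n", (long)pid,
           r ? strerror(r) : "ok", w ? strerror(w) : "ok");
    return (r || w) ? 1 : 0;
}
```

A write probe that fails for a confined caller whose profile grants capability sys_resource, yet succeeds when the same caller is unconfined, is the case the patch in this thread addresses; the kernel's own uid/capability check typically reports EPERM, while the AppArmor hook reports EACCES.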