[apparmor] base abstraction for writing to systemd dev-log doesn't work
Seth Arnold
seth.arnold at canonical.com
Mon Jul 25 22:15:50 UTC 2016
On Mon, Jul 25, 2016 at 02:26:11PM +0100, Mark Wadham wrote:
> [130842.572874] audit: type=1400 audit(1469436340.177:2400):
> apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup -
> disconnected path" error=-13 profile="/usr/sbin/dovecot"
> name="run/systemd/journal/dev-log" pid=23971 comm="dovecot"
> requested_mask="w" denied_mask="w" fsuid=0 ouid=0
>
> The dovecot profiles all include the base abstractions
> (/etc/apparmor.d/abstractions/base) which includes this:
>
> /{,var/}run/systemd/journal/dev-log w,
Hi Mark,
This is probably due to running in a chroot or a private filesystem
namespace of some sort -- the log socket came from 'outside' the process's
namespace, so the name doesn't actually exist in the process's view. The
current best answer is to add the profile flag 'attach_disconnected'
to the profile:
/usr/sbin/dovecot (flags=attach_disconnected) { ... }
This will cause these detached names to be attached at /.
> Also while I'm here, if you have a wrapper script around an application in
> order to ensure it restarts if it dies, is there a way to configure apparmor
> so that /bin/bash is allowed for the wrapper script but not for the process
> it's wrapping?
This one is happier news -- there are a few different ways to do this.
- You could leave the wrapper script unconfined.
- You could have the wrapper script in one profile and the application in
another profile
- You could use systemd unit files to manage application lifecycles for
you, and only worry about the application
- You could use a single profile for the wrapper, and a 'child profile'
for the application.
Of these options, I prefer the last two. For systemd in place of a
hand-written wrapper, see:
https://www.freedesktop.org/software/systemd/man/systemd.service.html
For the child profile option, it'd look something like this untested
profile:
#include <tunables/global>

# Wrapper profile: attached when /opt/foo/foo.sh is executed.
/opt/foo/foo.sh {
  #include <abstractions/base>

  # bash runs the script under this same profile (ix = inherit), so it
  # also needs read access to the script itself.
  /opt/foo/foo.sh r,
  /bin/bash ix,
  /opt/foo/setup.sh ix,
  /opt/foo/teardown.sh ix,
  /usr/bin/gawk ix,
  /bin/sed ix,

  # The server transitions into the child profile below (cx), so bash,
  # sed and gawk are not available to it.
  /opt/foo/bin/foo_server cx -> foo_server,
  # ...

  # Child profile: only reachable via the cx rule above.
  profile foo_server {
    #include <abstractions/base>
    /opt/foo/bin/foo_server ix,
    /opt/foo/data/** rwlk,
  }
}
Thanks
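The audit line quoted at the top of the thread can be triaged mechanically, and doing so makes the "disconnected path" case stand out from an ordinary missing rule. The Python below is an added example, not code from this thread or from the AppArmor project: it splits type=1400 audit messages into their key="value" fields, notes that apparmor="ALLOWED" together with a denied_mask means the profile is in complain mode (the access went through, but would fail once enforced), recognises info="Failed name lookup - disconnected path" (whose name has no leading slash) and shows the name the kernel would match once attach_disconnected attaches it at /, and for ordinary denials emits the rule that would satisfy the denied mask. Only the first sample line is the real dovecot message; the other log lines and the /opt/foo paths in them are constructed for the example.

```python
"""Triage AppArmor type=1400 audit messages and suggest a profile change.

Added example; not part of the original thread or of AppArmor itself.
"""
import re

# Constructed sample log: line 1 is the dovecot message quoted in the
# thread, the others are made up to exercise the enforce/exec/status cases.
SAMPLE_LOG = """\
[130842.572874] audit: type=1400 audit(1469436340.177:2400): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=23971 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[130842.600001] audit: type=1400 audit(1469436340.200:2401): apparmor="DENIED" operation="open" profile="/opt/foo/foo.sh" name="/opt/foo/data/state.db" pid=2400 comm="foo_server" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[130842.700002] audit: type=1400 audit(1469436340.300:2402): apparmor="DENIED" operation="exec" profile="/opt/foo/foo.sh" name="/opt/foo/bin/foo_server" pid=2401 comm="foo.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[130842.800003] audit: type=1400 audit(1469436340.400:2403): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/dovecot" pid=2500 comm="apparmor_parser"
"""

# key="quoted value" (may contain spaces) or key=bareword.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

DISCONNECTED = "disconnected path"


def parse_audit_line(line):
    """Return the key/value fields of one type=1400 audit line, else None."""
    if "type=1400" not in line:
        return None
    fields = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def classify(fields):
    """Build a triage record with a suggested fix; None for non-decisions
    such as apparmor="STATUS" profile load/replace messages."""
    decision = fields.get("apparmor")
    if decision not in ("ALLOWED", "DENIED"):
        return None
    profile = fields.get("profile", "?")
    name = fields.get("name", "?")
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    # ALLOWED plus a denied_mask is a complain-mode profile: the access
    # succeeded but is logged because enforce mode would refuse it.
    mode = "complain" if decision == "ALLOWED" else "enforce"
    record = {
        "profile": profile, "operation": fields.get("operation", "?"),
        "name": name, "mask": mask, "mode": mode, "attached_name": None,
    }
    if DISCONNECTED in fields.get("info", ""):
        # A disconnected name carries no leading '/'. With the
        # attach_disconnected flag the kernel attaches it at '/', so the
        # existing rule for /run/systemd/journal/dev-log then matches.
        attached = name if name.startswith("/") else "/" + name
        record["attached_name"] = attached
        record["suggestion"] = (
            f"{profile} flags=(attach_disconnected) {{ ... }}  "
            f"# {name} is then matched as {attached}")
    elif record["operation"] == "exec":
        # Exec denials need an exec rule; which one depends on whether the
        # child should inherit, get its own child profile, or a named one.
        record["suggestion"] = (
            f"add an exec rule to {profile}: '{name} ix,' to inherit, "
            f"'{name} cx -> child,' for a child profile, or '{name} px,' "
            f"for a separate profile")
    else:
        record["suggestion"] = f"add to {profile}: {name} {mask},"
    return record


def triage(log_text):
    """Parse every audit line in a kern/audit log excerpt into records."""
    records = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields is None:
            continue
        record = classify(fields)
        if record is not None:
            records.append(record)
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(f"[{rec['mode']}] {rec['profile']} {rec['operation']} {rec['name']}")
        print(f"    -> {rec['suggestion']}")
```

Running it against the dovecot line reports a complain-mode event whose attached name is /run/systemd/journal/dev-log, which is exactly what the base abstraction already permits; adding the flag rather than a new path rule is the fix, as described above.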