[apparmor] Pidgin, 4.14, and App Armor Oops.
Zephaniah E. Loss-Cutler-Hull
warp-spam_kernel at aehallh.com
Tue Nov 21 20:35:30 UTC 2017
On 11/21/2017 09:49 AM, John Johansen wrote:
> On 11/21/2017 12:06 AM, Zephaniah E. Loss-Cutler-Hull wrote:
>> Alright, trying again, this time with my mail settings to actually send
>> as plain text, and with some more detail.
>>
>> I am running Ubuntu 16.04, with a mainline 4.14 kernel.
>>
>
> So this is a new one, I just (minutes apart) got another report of a similar
> oops that looks very similar.
>
> The detail with pidgin should help track this down. Can you send me your
> pidgin profile?

I can, but how about a much smaller test case?

The short version, applications running under an app armor profile can
no longer send signals.

sudo cp /bin/kill /tmp/

Make a new profile:
/etc/apparmor.d/tmp.kill (Included, very very basic)

Try and run it:
~$ /tmp/kill -0 19087
zsh: killed /tmp/kill -0 19087

Other signals such as SIGHUP trigger the same impact.

The dmesg output is pretty much the same:

[56817.272932] /tmp/kill
[56817.274681] BUG: unable to handle kernel paging request at
ffffffff0eee3bc0
[56817.274692] IP: audit_signal_cb+0x6c/0xe0
[56817.274694] PGD 1a640a067 P4D 1a640a067 PUD 0
[56817.274699] Oops: 0000 [#21] PREEMPT SMP
[56817.274702] Modules linked in: esp4 xfrm4_mode_tunnel ufs qnx4
hfsplus hfs minix ntfs msdos jfs xfs ext2 fuse rfcomm bnep usblp
uvcvideo btusb btrtl btbcm btintel bluetooth ecdh_generic
ip6table_filter ip6_tables xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4
xt_conntrack nf_conntrack iptable_filter ip_tables x_tables intel_rapl
joydev wmi_bmof serio_raw iwldvm iwlwifi shpchp kvm_intel kvm irqbypass
autofs4 algif_skcipher nls_iso8859_1 nls_cp437 crc32_pclmul
ghash_clmulni_intel
[56817.274739] CPU: 2 PID: 13891 Comm: kill Tainted: G D
4.14.0-f1-dirty #135
[56817.274741] Hardware name: Hewlett-Packard HP EliteBook Folio
9470m/18DF, BIOS 68IBD Ver. F.62 10/22/2015
[56817.274743] task: ffff9c78c859d940 task.stack: ffffa09b03658000
[56817.274745] RIP: 0010:audit_signal_cb+0x6c/0xe0
[56817.274747] RSP: 0018:ffffa09b0365bc08 EFLAGS: 00010292
[56817.274750] RAX: ffffa09b0365bd60 RBX: ffff9c7ae6d7bd20 RCX:
0000000000000000
[56817.274752] RDX: ffffffffee012290 RSI: 0000000000000006 RDI:
ffff9c77f0d73100
[56817.274754] RBP: ffffa09b0365bd40 R08: 000000000000004b R09:
ffffa09b0365bc44
[56817.274755] R10: ffffa09b0365bcb8 R11: ffff9c76ee93206e R12:
ffffa09b0365bd40
[56817.274757] R13: ffffffff9e447be0 R14: ffff9c78c859d940 R15:
0000000000000001
[56817.274760] FS: 00007f13674a2880(0000) GS:ffff9c7afea80000(0000)
knlGS:0000000000000000
[56817.274761] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[56817.274763] CR2: ffffffff0eee3bc0 CR3: 0000000112320004 CR4:
00000000001606e0
[56817.274765] Call Trace:
[56817.274773] common_lsm_audit+0x1da/0x780
[56817.274778] ? walk_component+0x38/0x320
[56817.274780] ? generic_permission+0x10b/0x180
[56817.274784] ? aa_check_perms+0xcd/0xe0
[56817.274786] aa_check_perms+0xcd/0xe0
[56817.274789] profile_signal_perm.part.0+0x90/0xa0
[56817.274792] aa_may_signal+0x16e/0x1b0
[56817.274798] apparmor_task_kill+0x51/0x120
[56817.274802] security_task_kill+0x44/0x60
[56817.274806] group_send_sig_info+0x25/0x60
[56817.274809] kill_pid_info+0x36/0x60
[56817.274812] SYSC_kill+0xdb/0x180
[56817.274817] ? __alloc_fd+0xa9/0x170
[56817.274821] ? preempt_count_add+0x81/0xa0
[56817.274824] ? _raw_spin_lock+0x13/0x30
[56817.274827] ? preempt_count_sub+0x92/0xd0
[56817.274831] ? do_sys_open+0x188/0x1f0
[56817.274834] entry_SYSCALL_64_fastpath+0x13/0x94
[56817.274837] RIP: 0033:0x7f1366d89767
[56817.274839] RSP: 002b:00007fffebd72dc8 EFLAGS: 00000202 ORIG_RAX:
000000000000003e
[56817.274842] RAX: ffffffffffffffda RBX: 000000000084e0a0 RCX:
00007f1366d89767
[56817.274843] RDX: 00007fffebd747dc RSI: 0000000000000000 RDI:
0000000000003514
[56817.274845] RBP: 0000000000000000 R08: 0000000000000000 R09:
1999999999999999
[56817.274847] R10: 000000000000022d R11: 0000000000000202 R12:
0000000000000000
[56817.274849] R13: 000000000000002d R14: 000000000084f5a0 R15:
000000000084e0a0
[56817.274852] Code: 48 8b 55 18 48 89 df 41 b8 20 00 08 01 5b 5d 48 8b
42 10 48 8b 52 30 48 63 48 4c 48 8b 44 c8 48 31 c9 48 8b 70 38 e9 f4 fd
00 00 <48> 8b 14 d5 40 27 e5 9e 48 c7 c6 7d 07 19 9f 48 89 df e8 fd 35
[56817.274893] RIP: audit_signal_cb+0x6c/0xe0 RSP: ffffa09b0365bc08
[56817.274894] CR2: ffffffff0eee3bc0
[56817.274897] ---[ end trace 514af9529297f1b7 ]---

Again, this is a Ubuntu 16.04 user space.

Regards,
Zephaniah E. Loss-Cutler-Hull.
-------------- next part --------------
# vim:syntax=apparmor
#include <tunables/global>

/tmp/kill {
  #include <abstractions/base>
}
-------------- next part --------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# (Note that the ldd profile has inlined this file; if you make
# modifications here, please consider including them in the ldd
# profile as well.)
# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
/dev/log w,
/dev/random r,
/dev/urandom r,
/etc/locale/** r,
/etc/locale.alias r,
/etc/localtime r,
/etc/writable/localtime r,
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
/usr/share/zoneinfo/ r,
/usr/share/zoneinfo/** r,
/usr/share/X11/locale/** r,
/{,var/}run/systemd/journal/dev-log w,
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr,
/usr/lib/@{multiarch}/gconv/*.so mr,
/usr/lib/@{multiarch}/gconv/gconv-modules* mr,
# used by glibc when binding to ephemeral ports
/etc/bindresvport.blacklist r,
# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
/etc/ld.so.cache mr,
/lib{,32,64}/ld{,32,64}-*.so mrix,
/lib{,32,64}/**/ld{,32,64}-*.so mrix,
/lib/@{multiarch}/ld{,32,64}-*.so mrix,
/lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
# we might as well allow everything to use common libraries
/lib{,32,64}/** r,
/lib{,32,64}/lib*.so* mr,
/lib{,32,64}/**/lib*.so* mr,
/lib/@{multiarch}/** r,
/lib/@{multiarch}/lib*.so* mr,
/lib/@{multiarch}/**/lib*.so* mr,
/usr/lib{,32,64}/** r,
/usr/lib{,32,64}/*.so* mr,
/usr/lib{,32,64}/**/lib*.so* mr,
/usr/lib/@{multiarch}/** r,
/usr/lib/@{multiarch}/lib*.so* mr,
/usr/lib/@{multiarch}/**/lib*.so* mr,
/lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
/lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so* mr,
# /dev/null is pretty harmless and frequently used
/dev/null rw,
# as is /dev/zero
/dev/zero rw,
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
/dev/full rw,
# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Depending on which glibc routine uses this file, base may not be the
# best place -- but many profiles require it, and it is quite harmless.
@{PROC}/sys/kernel/ngroups_max r,
# glibc's sysconf(3) routine to determine free memory, etc
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
/sys/devices/system/cpu/online r,
# glibc's *printf protections read the maps file
@{PROC}/@{pid}/maps r,
# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,
# some applications will display license information
/usr/share/common-licenses/** r,
# glibc statvfs
@{PROC}/filesystems r,
# glibc malloc (man 5 proc)
@{PROC}/sys/vm/overcommit_memory r,
# Allow determining the highest valid capability of the running kernel
@{PROC}/sys/kernel/cap_last_cap r,
# Allow other processes to read our /proc entries, futexes, perf tracing and
# kcmp for now (they will need 'read' in the first place). Administrators can
# override with:
# deny ptrace (readby) ...
ptrace (readby),
# Allow other processes to trace us by default (they will need 'trace' in
# the first place). Administrators can override with:
# deny ptrace (tracedby) ...
ptrace (tracedby),
# Allow us to ptrace read ourselves
ptrace (read) peer=@{profile_name},
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow us to signal ourselves
signal peer=@{profile_name},
# Checking for PID existence is quite common so add it by default for now
signal (receive, send) set=("exists"),
# Allow us to create and use abstract and anonymous sockets
unix peer=(label=@{profile_name}),
# Allow unconfined processes to us via unix sockets
unix (receive) peer=(label=unconfined),
# Allow us to create abstract and anonymous sockets
unix (create),
# Allow us to getattr, getopt, setop and shutdown on unix sockets
unix (getattr, getopt, setopt, shutdown),
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
# filesystems generally. This does not appreciably decrease security with
# Ubuntu profiles because the user is expected to have access to files owned
# by him/her. Exceptions to this are explicit in the profiles. While this rule
# grants access to those exceptions, the intended privacy is maintained due to
# the encrypted contents of the files in this directory. Files in this
# directory will also use filename encryption by default, so the files are
# further protected. Also, with the use of 'owner', this rule properly
# prevents access to the files from processes running under a different uid.
# encrypted ~/.Private and old-style encrypted $HOME
owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
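
An added triage example (not part of the original message or of AppArmor's own code): it recomputes the faulting address in the oops above from the instruction bytes at the `<48>` marker and the RDX value, checks it against CR2, and confirms the fault sits on the AppArmor signal path. The function names `decode_scaled_load` and `triage` are hypothetical, the decoder handles only this one instruction form, and reading the load as an 8-byte-entry table lookup with a bad index is an inference from the bytes, not something the message states.

```python
import re

# Lines copied from the oops in the message above (mail line wraps re-joined,
# "Code:" bytes before the marked faulting byte mostly omitted).
OOPS = """\
[56817.274692] IP: audit_signal_cb+0x6c/0xe0
[56817.274752] RDX: ffffffffee012290 RSI: 0000000000000006 RDI: ffff9c77f0d73100
[56817.274763] CR2: ffffffff0eee3bc0 CR3: 0000000112320004 CR4: 00000000001606e0
[56817.274792] aa_may_signal+0x16e/0x1b0
[56817.274798] apparmor_task_kill+0x51/0x120
[56817.274852] Code: e9 f4 fd 00 00 <48> 8b 14 d5 40 27 e5 9e 48 c7 c6 7d 07 19 9f
"""

REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
MASK = (1 << 64) - 1

def decode_scaled_load(insn):
    """Decode one form only: REX.W 8B /r, mod=00, SIB with no base register,
    i.e. mov r64, [index*scale + disp32]. Returns None for anything else."""
    if len(insn) < 8 or insn[0] != 0x48 or insn[1] != 0x8B:
        return None
    modrm, sib = insn[2], insn[3]
    index = (sib >> 3) & 7
    if modrm >> 6 != 0 or modrm & 7 != 4 or sib & 7 != 5 or index == 4:
        return None
    disp = int.from_bytes(insn[4:8], "little", signed=True)
    return REGS[(modrm >> 3) & 7], REGS[index], 1 << (sib >> 6), disp

def triage(text):
    """Recompute the faulting address from the register dump and compare to CR2."""
    site = re.search(r"IP: (\w+)\+", text).group(1)
    regs = {}
    for name, val in re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})", text):
        regs.setdefault(name.lower(), int(val, 16))  # first dump is kernel context
    cr2 = int(re.search(r"CR2: ([0-9a-f]{16})", text).group(1), 16)
    code = re.search(r"Code: (.*)", text).group(1).split()
    start = next(i for i, b in enumerate(code) if b.startswith("<"))
    insn = bytes(int(b.strip("<>"), 16) for b in code[start:])
    dest, index, scale, disp = decode_scaled_load(insn)
    addr = (regs[index] * scale + disp) & MASK
    return {"site": site, "index_reg": index, "index": regs[index], "scale": scale,
            "table": disp & MASK, "addr": addr, "matches_cr2": addr == cr2,
            "apparmor_signal_path": "apparmor_task_kill" in text}

if __name__ == "__main__":
    for key, val in triage(OOPS).items():
        print(key, hex(val) if isinstance(val, int) and not isinstance(val, bool) else val)
```

The recomputed address equals CR2, so the value in RDX at the time of the fault was the index of the failed load in `audit_signal_cb`.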