[apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

John Johansen john.johansen at canonical.com
Sat Jun 1 00:03:56 UTC 2019 

On 5/31/19 2:59 PM, Ian wrote:
> On Fri, 31 May 2019, Jamie wrote:
>> On Fri, 31 May 2019, Ian wrote:
>>
>>>/The only thing outstanding is some trouble I run into after the initramfs />>/chroot transition but before the apparmor service starts: />>//>>/May 31 12:10:55 1546-w-dev audit[5162]: AVC apparmor="ALLOWED" />>/operation="exec" info="profile transition not found" error=-13 />>/profile="init-sys />>/temd" name="/usr/bin/unshare" pid=5162 comm="(spawn)" />>/requested_mask="x" denied_mask="x" fsuid=0 ouid=0 />>/target="/usr/bin/unshare" />>/May 31 12:10:54 1546-w-dev audit[5004]: AVC apparmor="ALLOWED" />>/operation="exec" info="profile transition not found" error=-13 />>/profile="init-sys />>/temd" name="/usr/bin/unshare" pid=5004 comm="(spawn)" />>/requested_mask="x" denied_mask="x" fsuid=0 ouid=0 />>/target="/usr/bin/unshare" />
>>Notice it is /usr/bin/unshare here, but you mention below that
>>'/usr/sbin/unshare' exists, but what you pasted looks correct. Is this a typo
>>in the email or somewhere else?
>>
>>>/The /usr/sbin/unshare profile exists: />>//>>/root at 1546-w-dev <https://lists.ubuntu.com/mailman/listinfo/apparmor>:/etc/apparmor.d# cat usr.bin.unshare />>/profile usr.bin.unshare /usr/bin/unshare />>/flags=(complain,attach_disconnected) { />>/    #include <local/whitelist> />>/} /
> 
> Jamie,
> 
> That was a typo in the email. There is no /usr/sbin/unshare executable or profile.
> 
> After everything loads, if I restart the "lvm2-pvscan at 8:1" service that I think is responsible for those errors during boot (systemctl shows it as failed), it all works correctly.
> 
> ---
> 
> 
> On a different topic, when I attempted to run 'apt update', this happens:
> 
>     type=AVC msg=audit(1559334318.936:8850): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11011 comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 target="usr.bin.apt_key"
>     type=AVC msg=audit(1559334319.212:8851): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11013 comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 target="usr.bin.apt_key"
>     type=AVC msg=audit(1559334319.228:8852): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11015 comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 target="usr.bin.apt_key"
>     type=AVC msg=audit(1559334319.332:8853): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11017 comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 target="usr.bin.apt_key"
> 
> 
>     W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://us.archive.ubuntu.com/ubuntu bionic InRelease: Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_bionic_InRelease
>     W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease: Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/partial/us.archive.ubuntu.com_ubuntu_dists_bionic-updates_InRelease
>     W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.ubuntu.com/ubuntu bionic-security InRelease: Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/partial/security.ubuntu.com_ubuntu_dists_bionic-security_InRelease
>     W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease: Couldn't execute /usr/bin/apt-key to check /var/lib/apt/lists/partial/us.archive.ubuntu.com_ubuntu_dists_bionic-backports_InRelease
> 
> 
> It's not clear to me why it thinks I would be requesting new privs when all of the profiles I've created have the exact same priv requests.  It's also odd that apparmor is stating "ALLOWED" but then still blocking the execution?
> 

Because when no-new-privs landed it was mandated that the LSMs not over ride it. No new-privs is not part of apparmor but the broader kernel, and was provided as a way to for a task to lockdown privileges to the current set.

prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);

It was added with seccomp (3.5) so that the task could do setup and then lock its sandbox/security env down. At the time the LSMs were told it should apply to them as well. With seccomp use expanding and systemd now setting it this has unfortunately caused several problems for LSMs and selinux successfully added a setprivs ability that allows them to selectively override. AppArmor does currently allow transitions under no-new-privs but only when the transition is provable a subset of the tasks confinement (3.5 - 4.12 unconfined is allowed to transition to a profile, 4.13 - 4.16 is limited to strict subset of current confinement, basically you can extend a profile stack, 4.17 - 5.2 to a subset of confinement at the time nnp is set). We do have plans to add our own ability to have a permission to override no-new-privs but that has not landed upstream yet.


> Running pstree at the same time as apt shows the following order: systemd, sshd, sshd, sshd, bash, sudo, bash, apt, gpgv (and http, http), gpgv
> 
>     root at 1546-w-dev:/etc/apparmor.d# cat usr.lib.apt.methods.gpgv
>     profile usr.lib.apt.methods.gpgv /usr/lib/apt/methods/gpgv flags=(complain) {
>         #include <local/whitelist>
>     }
> 
> 
>     root at 1546-w-dev:/etc/apparmor.d# cat usr.bin.apt_key
>     profile usr.bin.apt_key /usr/bin/apt-key flags=(complain) {
>         #include <local/whitelist>
>     }
> 
> 
> Have I ran into this?  https://lists.ubuntu.com/archives/apparmor/2018-November/011846.html
> 

unfortunately, yes. I can point you at a test kernel for the nnp override but, I will need
to get up a userspace that can work with it. I'll see what I can do this weekend.

>     root at 1546-w-dev:/etc/apparmor.d# uname -r
>     4.15.0-50-generic
> 
> I see this problem with 'man' too.
> 
> I'm sooo close to getting this working...
> 
>

More information about the AppArmor mailing list