[FFe] apparmor signal and ptrace mediation

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1298611

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Adding libvirt task for if the apparmor and linux tasks are accepted. Debdiff should be applied at same time as apparmor upload.

Approving the kernel side of this. Please re-test against the -21 kernel when it spits out of the buildds.

Adam, thanks for the review and we will test that kernel. FYI, if by some chance the userspace bits aren't granted the FFe, the kernel bits are safe to keep in trusty.

This bug was fixed in the package linux - 3.13.0-21.43

---------------
linux (3.13.0-21.43) trusty; urgency=low

  [ Andy Whitcroft ]

  * SAUCE: kvm: BIOS disabled kvm support should be a warning
    - LP: #1300247
  * SAUCE: nouveau: missing outputs should be warnings
    - LP: #1300244

  [ John Johansen ]

  * Revert "SAUCE: Add config option to disable new apparmor 3 semantics"
  * Revert "SAUCE: apparmor: fix uninitialized lsm_audit membe"
  * Revert "SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded
    policy"
  * Revert "SAUCE: apparmor: allocate path lookup buffers during init"
  * Revert "SAUCE: apparmor: fix unix domain sockets to be mediated on
    connection"
  * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
  * SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
    - LP: #1298611

  [ Tetsuo Handa ]

  * SAUCE: kthread: Do not leave kthread_create() immediately upon SIGKILL.

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1300412
  * [Config] updateconfigs after AA patch set
  * [Config] CONFIG_ZSWAP=n, CONFIG_ZBUD=n for all arches
  * [Config] CONFIG_XILINX_LL_TEMAC=m for powerpc
  * [Config] CONFIG_WQ_POWER_EFFICIENT_DEFAULT=y for ppc64el
  * [Config] CONFIG_WLAN=y for arm64
  * [Config] CONFIG_VORTEX=m for ppc64el
  * [Config] CONFIG_WIMAX=m for ppc64el
  * [Config] CONFIG_WATCHDOG=y for ppc64el
  * [Config] CONFIG_VME_BUS=m for ppc64el
  * [Config] CONFIG_VIRT_DRIVERS=y for ppc64el
  * [Config] CONFIG_VIDEO_OUTPUT_CONTROL=m for ppc64el
  * [Config] CONFIG_VERSION_SIGNATURE="" for powerpc64-emb
  * [Config] CONFIG_UWB=m for ppc64el

  [ Upstream Kernel Changes ]

  * vhost: validate vhost_get_vq_desc return value
    - CVE-2014-0055
  * net: use kfree_skb_list() helper
  * skbuff: skb_segment: s/frag/nskb_frag/
  * skbuff: skb_segment: s/skb_frag/frag/
  * skbuff: skb_segment: s/skb/head_skb/
  * skbuff: skb_segment: s/fskb/list_skb/
  * skbuff: skb_segment: orphan frags before copying
    - CVE-2014-0131

  [ Upstream Kernel Changes ]

  * rebase to v3.13.8
 -- Tim Gardner <email address hidden> Mon, 31 Mar 2014 12:38:11 -0600

I've added tasks for lightdm and lxc. The lightdm guest session abstraction needs to be updated for signal and ptrace mediation and I'm currently working on that. In previous IRC discussions, stgraber mentioned that he had a handle on what was needed for the lxc policy so I've assigned him but I can obviously help out as needed.

Stéphane, all that is needed is to add the following to abstractions/lxc/container-base and abstractions/lxc/start-container:
  signal,
  ptrace,

Obviously, confinement could be more interesting, but like with dbus we should err on the side of caution and just let these through. Adding this rules gives us equivalent confinement to lxc on 13.10.

Note: I only did rudimentary testing: create, ls, start, shutdown, destroy.

Here is a debdiff for lxc. It is tested on trusty. To ease backporting, I updated debian/rules for strip out the signal and ptrace rules for Ubuntu releases earlier than 14.04 (using the same method as for stripping out dbus for earlier than 13.10), but could not test earlier releases because libcgmanager-dev does not exist on them.

Before upgrading lxc, there were many ptrace and signal denials when using containers. After upgrading, creating, starting, using, stopping, destroying all works fine with no denials.

The LXC change looks good, it's in line with what I was planning to push upstream. Feel free to upload that directly to the archive and I'll do a similar upstream change right around the same time so our PPA users don't break, then shortly after that will tag 1.0.3 and get that into trusty so we can drop the patch.

The apparmor-easyprof-ubuntu change is not strictly needed in this upload since it is primarily used for Touch and the Touch kernels don't yet have the updated patchset. However, it could affect people testing click packages on the desktop and it is a change we need to make anyway.

Here's the lightdm debdiff to allow the guest session to start with AppArmor signal and ptrace mediation. It is tested on Trusty amd64.

Here's an updated libvirt debdiff. I rebase Jamie's debdiff on top of the libvirt that was uploaded to the archive yesterday.

Here's the apparmor debdiff. The testing performed in described in the bug description. Let me know if there are any questions.

FYI, retested all the packages in the PPA on desktop/server for TestPlan with and without the kernel that supports signal/ptrace mediation and everything passes (barring expected test-libvirt.py errors unrelated to apparmor).

The debdiff attached for apparmor looks good, aside from missing some Breaks: on the old versions of the packages that need to go in at the same time (because their policies will cease to be sufficient once ptrace/signal mediation support lands). Jamie has pushed the added Breaks; once they're available, I'm ok with this going in.

This bug was fixed in the package lightdm - 1.9.14-0ubuntu2

---------------
lightdm (1.9.14-0ubuntu2) trusty; urgency=medium

  * debian/patches/06_guest_signal_and_ptrace_aa_rules.patch: Grant
    permission for guest session processes to signal and ptrace each
    other (LP: #1298611)
  * debian/patches/07_guest_proc_pid_stat_aa_rule.patch: Grant permission for
    guest session processes to read /proc/<PID>/stat. This prevents AppArmor
    denial messages caused by bamfdaemon and common utilities such as ps and
    killall. (LP: #1301625)
 -- Tyler Hicks <email address hidden> Thu, 03 Apr 2014 02:48:51 -0500

This bug was fixed in the package libvirt - 1.2.2-0ubuntu9

---------------
libvirt (1.2.2-0ubuntu9) trusty; urgency=medium

  [ Jamie Strandboge ]
  * updates for AppArmor signals and ptrace mediation (LP: #1298611)
    - debian/apparmor/libvirt-qemu: allow guests to receive signals from and
      be tracedby libvirtd (additional signal and ptrace rules come from the
      AppArmor base abstraction)
    - debian/apparmor/usr.sbin.libvirtd:
      + grant bare signal and ptrace rule
      + grant dbus on the system bus (should have been added in 13.10)
 -- Tyler Hicks <email address hidden> Thu, 03 Apr 2014 02:09:53 -0500

This bug was fixed in the package lxc - 1.0.2-0ubuntu2

---------------
lxc (1.0.2-0ubuntu2) trusty; urgency=medium

  * updates for AppArmor signal and ptrace mediation (LP: #1298611)
    - debian/patches/apparmor-signal-ptrace.patch: add signal and ptrace rules
      to abstractions/container-base and abstractions/start-container
    - debian/rules: remove signal and ptrace rules for Ubuntu releases earlier
      than 14.04 LTS
 -- Jamie Strandboge <email address hidden> Thu, 03 Apr 2014 07:06:56 -0500

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5

---------------
apparmor (2.8.95~2430-0ubuntu5) trusty; urgency=medium

  * debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin,
    lightdm and apparmor-easyprof-ubuntu

apparmor (2.8.95~2430-0ubuntu4) trusty; urgency=medium

  [ John Johansen, Steve Beattie ]
  * Add userspace support for AppArmor signals and ptrace mediation
    (LP: #1298611)
    + debian/patches/mediate-signals.patch,
      debian/patches/change-signal-syntax.patch: Parse signal rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/change-ptrace-syntax.patch,
      debian/patches/mediate-ptrace.patch: Parse ptrace rules with
      apparmor_parser. See the apparmor.d(5) man page for syntax details.
    + debian/patches/test-signal-rules.patch,
      debian/patches/test-ptrace-rules.patch,
      debian/patches/update-tests-for-new-semantics.patch: Update existing
      tests and add new tests for signal and ptrace mediation
    + debian/patches/fix-garbage-in-preprocessor-output.patch: Fix bug causing
      apparmor_parser preprocessor output to contain garbage after include
      statements
    + debian/patches/fix-double-comma-in-preprocessor-output.patch: Fix bug
      causing apparmor_parser preprocessor output to contain double commas
      after some rules
    + debian/patches/symtab-tests-and-seenlist-bug.patch,
      debian/patches/add-profile-name-variable.patch: Add ${profile_name}
      variable for use in profiles when rules need to specify the current
      profile's name. This is useful for signal and ptrace rules that specify
    + debian/patches/fix-names-treated-as-condlistid.patch: Fix
      apparmor_parser bug that caused mount and dbus rules to fail for sets of
      values

  [ Jamie Strandboge ]
  * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch:
    Adjust the base abstraction for signals and ptrace mediation. Profiles
    that use the base abstraction can deny any of the granted permissions to
    achieve tighter confinement.
  * debian/patches/manpage-signal-ptrace.patch: Update the apparmor.d man
    page to document signal rules, ptrace rules, and variables for use in
    AppArmor profiles
  * debian/patches/dnsmasq-libvirtd-signal-ptrace.patch: Update the dnsmasq
    profile to allow libvirtd to send signals to and ptrace read the dnsmasq
    process
  * debian/patches/update-chromium-browser.patch: Adjust the chromium-browser
    profile for permissions needed in newer chromium-browser versions and add
    the rules needed for AppArmor ptrace mediation

  [ Tyler Hicks ]
  * Add new rule type support to aa.py to fix tracebacks when using the Python
    utilities in apparmor-utils on systems with AppArmor profiles containing
    previously unsupported rule types
    - debian/patches/python-utils-file-support.patch: Support path rules
      containing the "file" prefix (LP: #1295346)
    - debian/patches/python-utils-signal-support.patch: Parse and write signal
      rules (LP: #1300316)
    - debian/patches/python-utils-ptrace-support.patch: Parse and write ptrace
      rules (LP: #1300317)...

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.1.14

---------------
apparmor-easyprof-ubuntu (1.1.14) trusty; urgency=medium

  * 1.1/webview: update for ptrace and signal mediation (LP: #1298611)
  * debian/control: Depends on apparmor >= 2.8.95~2430-0ubuntu4
 -- Jamie Strandboge <email address hidden> Thu, 03 Apr 2014 15:19:23 -0500

Did these changes end up in Precise? I see no sensible way to tell AppArmor to allow a ptrace. The parser is totally confused by this.

Ken,

The ptrace mediation in 12.04 LTS is very rudimentary; if you add capability sys_ptrace, to a profile then processes running in that profile are allowed to trace any process the discretionary access controls allow. The fine-grained permissions introduced in 14.04 LTS require both the new kernel and userspace.

I tested that the apparmor 2.7.102-0ubuntu3.10 package with the linux-generic-lts-trusty 3.13.0.49.43 package will allow ptrace using the capability sys_ptrace, permission via a strace profile:

# cat usr.bin.strace
# Last Modified: Sat Apr 11 03:38:35 2015
#include <tunables/global>

/usr/bin/strace {
  #include <abstractions/base>

  capability sys_ptrace,

  /bin/ls rix,
  /home/*/ r,
  /proc/filesystems r,
  /usr/bin/strace mr,

}

I tested both strace /bin/ls and strace -p 1.

Thanks

Thanks for clearing that up, Seth!