Ubuntu
sssd package

missing lines in apparmor config for sssd

Bug #1999190 reported by Kartik Subbarao on 2022-12-08

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	sssd (Ubuntu)	Fix Released	Undecided	Michał Małoszewski
	Jammy	Confirmed	Low	Unassigned

Bug Description

[Impact]

* Users of sssd reported extraneous ALLOWED messages from apparmor in /var/log/syslog while trying to login to the server via ssh.

* This crash is caused by the lack of some entries in apparmor-profile file.
The fix is to add:
- #include <abstractions/openssl>
- @{PROC}/[0-9]*/cmdline r,
- /var/lib/sss/mc/* rwk,
- /{,var/}run/systemd/users/* r,
in the right order to the apparmor-profile file.

[Test Plan]

lxc launch ubuntu:22.04 test1
lxc shell test1

1. # apt install slapd ldap-utils -y
2. # dpkg-reconfigure slapd
3. # apt install sssd
4. # vim /etc/ssh/sssd.conf
5. Enter configuration that fits to your system.
6. # systemctl restart sssd
7. # systemctl enable sssd
8. Exit the container.
9. SSH into that container.
10. Check /var/log/syslog.

Example of failed output:

Oct 16 18:55:31 ubuntu2204.example.com kernel: [171965.873242] audit: type=1400 audit(1673538673.812:1220): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/12345" pid=712698 comm="sssd_pam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Dec 16 18:55:31 ubuntu2204.example.com kernel: [174187.653158] audit: type=1400 audit(1679438151.423:1221): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/770129/cmdline" pid=712735 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Example of successful output:

No apparmor messages like these present.

[Where problems could occur]

* @{PROC}/[0-9]*/cmdline r, - the line that has been added allows SSSD processes to read the /proc/[pid]/cmdline files for other processes. Reading it provides access to the cmdline arguments of other processes, but it might be the issue in the future that this access is not used appropriately and exposes sensitive information, however it is unlike.

* There is additional possible regression related to the:
-/{,var/}run/systemd/users/* r,
there might be regression related to user sessions managed by systemd.

-------------------------original bug report------------------------------------

I noticed these kinds of extraneous ALLOWED messages from apparmor in /var/log/syslog:

=====
Dec 8 15:24:33 ubuntu2204.example.com kernel: [171969.873642] audit: type=1400 audit(1670538273.822:1820): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/12345" pid=727740 comm="sssd_pam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Dec 8 15:24:51 ubuntu2204.example.com kernel: [171987.659148] audit: type=1400 audit(1670538291.605:1821): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/770129/cmdline" pid=727739 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
=====

As a workaround to silence these, I added the following lines to /etc/apparmor.d/local/usr.sbin/sssd:

@{PROC}/[0-9]*/cmdline r,
/run/systemd/users/* r,

I'm guessing the proper fix is to add these lines to /etc/apparmor.d/usr.sbin.sssd in the package.

See original description

Tags:

Related branches

~michal-maloszewski99/ubuntu/+source/sssd:sssd-jammy-missing-lines-in-apparmor

Ready for review for merging into ubuntu/+source/sssd:ubuntu/jammy-devel

Lucas Kanashiro (community): Needs Information on 2023-10-19

git-ubuntu import: Pending requested 2023-10-06

~michal-maloszewski99/ubuntu/+source/sssd:ubuntu/devel

Merged into ubuntu/+source/sssd:ubuntu/devel at revision 4c28f761e0bfead0b1e591a980761d2149a3a931

git-ubuntu bot: Approve on 2023-10-05

Sergio Durigan Junior (community): Approve on 2023-10-05

Canonical Server Reporter: Pending requested 2023-10-05

Revision history for this message

Kartik Subbarao (subbarao) wrote on 2022-12-08:

This is with Ubuntu 22.04.

Revision history for this message

Lena Voytek (lvoytek) wrote on 2022-12-09:

Hello,

Thank you for the bug report. Your fix for suppressing the apparmor messages looks good. How often did these messages come up for you beforehand? Also did you have any other issues alongside the logs?

Thanks

Changed in sssd (Ubuntu Jammy):
status:	New → Confirmed

Revision history for this message

Kartik Subbarao (subbarao) wrote on 2022-12-09:

I saw these messages whenever I tried to login to that server via ssh, but I didn't run into any issues with the functionality. There is a symlink to sssd's apparmor config in /etc/apparmor.d/force-complain, so I'm guessing that's why it's being verbose. It's pointing out requests that aren't explicitly covered by the apparmor config.

Revision history for this message

Lena Voytek (lvoytek) wrote on 2022-12-12 (last edit on 2022-12-12):

Thanks for the response. I agree that this is a valid bug, but may be difficult to add to 22.04 since it only causes extra logs to show up. I'll mark it as low priority for now. For the development release, however, I think this would be a good thing to make sure to fix.

Changed in sssd (Ubuntu Jammy):
importance:	Undecided → Wishlist
importance:	Wishlist → Low

Revision history for this message

Kartik Subbarao (subbarao) wrote on 2022-12-12:

Understood, thanks.

Revision history for this message

Kartik Subbarao (subbarao) wrote on 2022-12-14:

Found a few more that I'm working around as follows:

/etc/ssl/openssl.cnf r,
/var/lib/sss/mc/* rwk,

[...] apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/passwd" pid=10407 comm="sssd_nss" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[...] apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=10407 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[...] apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/group" pid=10407 comm="sssd_nss" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[...] apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/initgroups" pid=10407 comm="sssd_nss" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

Revision history for this message

Alex Murray (alexmurray) wrote on 2022-12-15:

> /etc/ssl/openssl.cnf r,

Instead you should probably just add

#include <abstractions/openssl>

Revision history for this message

Kartik Subbarao (subbarao) wrote on 2022-12-15:

Cool, thanks for the tip.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-03-28:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu):
status:	New → Confirmed

Michał Małoszewski (michal-maloszewski99) on 2023-09-19

Changed in sssd (Ubuntu):
assignee:	nobody → Michał Małoszewski (michal-maloszewski99)
Changed in sssd (Ubuntu Jammy):
assignee:	nobody → Michał Małoszewski (michal-maloszewski99)

Michał Małoszewski (michal-maloszewski99) on 2023-10-04

tags:

added: server-todo

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-10-05:

#10

This bug was fixed in the package sssd - 2.9.1-2ubuntu2

---------------
sssd (2.9.1-2ubuntu2) mantic; urgency=medium

  * d/apparmor-profile: Add some entries to apparmor-profile file
    to get rid of the extraneous ALLOWED messages visible in the
    /var/log/syslog. (LP: #1999190)

-- Michal Maloszewski <email address hidden> Wed, 04 Oct 2023 16:58:26 +0200

Changed in sssd (Ubuntu):
status:	Confirmed → Fix Released

Michał Małoszewski (michal-maloszewski99) on 2023-10-09

description:

updated

Revision history for this message

Michał Małoszewski (michal-maloszewski99) wrote on 2023-10-12:

#11

Hello @Kartik! Thanks for your report!

I am trying to figure out the test plan for it, but I am struggling to do so.
Could you please outline in more detail the steps that you performed to bump into that issue?

Thank you in advance,
Michal

Revision history for this message

Kartik Subbarao (subbarao) wrote on 2023-10-12:

#12

Hi Michal,

I configured sssd on the system with a local LDAP server. Then I logged into the server using ssh, and I saw those log messages. Here is the kind of sssd.conf I'm using, although I don't think the specific LDAP config likely makes much of a difference for this issue:

=====

[sssd]
config_file_version = 2
domains = dir1

[nss]
filter_users = root
filter_groups = root

[pam]
offline_credentials_expiration = 90

[domain/dir1]
id_provider = ldap
auth_provider = ldap
sudo_provider = none
ldap_schema = rfc2307bis
ldap_uri = ldap://localhost, ldap://ldap.example.com
ldap_id_use_start_tls = true
ldap_search_base = dc=example,dc=com
ldap_user_name = exampleUnixUsername
cache_credentials = true
entry_cache_timeout = 604800
account_cache_expiration = 90

Revision history for this message

Michał Małoszewski (michal-maloszewski99) wrote on 2023-10-13:

#13

Hi!

Thank you for your response. Now it will be much easier for me to prepare the Test Plan :)

Michał Małoszewski (michal-maloszewski99) on 2023-10-17

description:

updated

Robie Basak (racb) on 2023-10-18

Changed in sssd (Ubuntu Jammy):
assignee:	Michał Małoszewski (michal-maloszewski99) → nobody

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntusssd package

missing lines in apparmor config for sssd

Bug Description

Related branches

Other bug subscribers

Remote bug watches

Ubuntu
sssd package