[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
This bug was fixed in the package apparmor - 4.0.0-beta3-0ubuntu2 --- apparmor (4.0.0-beta3-0ubuntu2) noble; urgency=medium * d/apparmor.install - install new profiles - geary - goldendict - kchmviewer - loupe - notepadqq - pageedit - privacybrowser - qmapshack - qutebrowser - rssguard - scide - tuxedo-control-center - unix-chkpwd apparmor (4.0.0-beta3-0ubuntu1) noble; urgency=medium * New upstream release. (LP: #2058329, LP: #2056747, LP: #2056739, LP: #2046844) * Refresh patches - d/p/u/samba-systemd-interaction.patch - d/p/u/parser-add-support-for-prompting.patch * Drop patches which have now been applied upstream - ubuntu/parser-support-uin128_t-key-as-a-pair-of-uint64_t-nu.patch - ubuntu/Minor-improvements-for-MountRule.patch * Add patches from upstream that are post Beta3 and will be in Beta4 - d/p/u/parser-fix-issues-appointed-by-coverity.patch - d/p/u/profiles-add-unconfined-profile-for-tuxedo-control-c.patch (LP: #2046844) -- John Johansen Mon, 18 Mar 2024 18:34:14 -0700 ** Changed in: apparmor (Ubuntu Noble) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056739 Title: apparmor="DENIED" operation="open" class="file" profile="virt-aa- helper" name="/etc/gnutls/config" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
FYI the fix and a related cleanup are merged into upstream apparmor and I'd expect the next upload to Ubuntu to then fix this issue. @Martin Thanks for the extra info for completeness, I assume we might find even more if we spend more time (but tat would provide no extra gain). @John Up to you then, I'll assign the apparmor task to you to represent that I'm not driving that part ** Changed in: chrony (Ubuntu) Assignee: (unassigned) => John Johansen (jjohansen) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056739 Title: apparmor="DENIED" operation="open" class="file" profile="virt-aa- helper" name="/etc/gnutls/config" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
Yes, will do I added both reference you provided to the upstream merge commit and all fixes/closes references will be going into the changelog. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056739 Title: apparmor="DENIED" operation="open" class="file" profile="virt-aa- helper" name="/etc/gnutls/config" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
** Changed in: chrony (Ubuntu) Status: New => Won't Fix ** Changed in: gnutls28 (Ubuntu) Status: New => Won't Fix ** Changed in: libvirt (Ubuntu) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056739 Title: apparmor="DENIED" operation="open" class="file" profile="virt-aa- helper" name="/etc/gnutls/config" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
FYI - submitted as https://gitlab.com/apparmor/apparmor/-/merge_requests/1178 @John if merged, would you mind adding a bug-ref to the Ubuntu upload changelog so this bug 2056739 closes? Given that there seems to be some agreement to fix this in apparmor, I'll set the other tasks to "Won't Fix" ** Changed in: libvirt (Ubuntu Noble) Status: New => Won't Fix ** Changed in: gnutls28 (Ubuntu Noble) Status: New => Won't Fix ** Changed in: chrony (Ubuntu Noble) Status: New => Won't Fix ** Changed in: apparmor (Ubuntu Noble) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056739 Title: apparmor="DENIED" operation="open" class="file" profile="virt-aa- helper" name="/etc/gnutls/config" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
** Merge proposal linked: https://code.launchpad.net/~paelzer/ubuntu/+source/apparmor/+git/apparmor/+merge/462142 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056739 Title: apparmor="DENIED" operation="open" class="file" profile="virt-aa- helper" name="/etc/gnutls/config" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
Hey, I think everything in the gnutls/ directory should be allowed: there can be profiles with arbitrary names (or at least alnum I guess) which define priority/configuration strings that can be used by gnutls applications. I'm not aware of anything else that typically goes there but I haven't checked. I'll have another look today. More generally, there can be the same issue for openssl which has its own abstraction file but isn't included by default AFAIU. A similar issue could apply to ssl_certs since some apps/libraries ship their own cert bundle and could function despite not having access to the system store (I'm looking at you python). I don't know what would be a typical behavior here but I'm pretty sure that the whole range of possible behavior exists in the wild. I'm wondering if I understood the current rules fine because based on my understanding, I would have expected warnings for these too. A noteworthy change is https://bugs.launchpad.net/ubuntu/+source/nss/+bug/2016303 : it would access to /etc/nss . I don't know if NSS silently ignores inaccessible system-wide configuration or not. You might want to include it already. I think all these libraries should probably fail on EPERM. Probably 0 change upstreams accept such a change if it's needed however. :P -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056739 Title: apparmor="DENIED" operation="open" class="file" profile="virt-aa- helper" name="/etc/gnutls/config" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
Suggestion would be something like: --- /etc/apparmor.d/abstractions/crypto.orig2024-03-11 11:05:24.027597234 + +++ /etc/apparmor.d/abstractions/crypto 2024-03-11 11:06:12.035895701 + @@ -24,4 +24,7 @@ /etc/crypto-policies/*/*.txt r, /usr/share/crypto-policies/*/*.txt r, + # Global gnutls config + @{etc_ro}/gnutls/config + include if exists -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056739 Title: apparmor="DENIED" operation="open" class="file" profile="virt-aa- helper" name="/etc/gnutls/config" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
There is precedence in /etc/apparmor.d/abstractions/base holding various rules like these $ grep etc_ro /etc/apparmor.d/abstractions/base @{etc_ro}/locale/** r, @{etc_ro}/locale.alias r, @{etc_ro}/localtime r, @{etc_ro}/bindresvport.blacklistr, @{etc_ro}/ld.so.cache mr, @{etc_ro}/ld.so.confr, @{etc_ro}/ld.so.conf.d/{,*.conf}r, @{etc_ro}/ld.so.preload r, @{etc_ro}/ld-musl-*.pathr, I'd think the better fix is to allow it there. Actually, base isn't the best. I think it should go into /etc/apparmor.d/abstractions/crypto (which is included by base) If Adrien knows about similar, "whoever uses it should have read access to that config to restrict it accordingly" config files we might want to add them all in one block there. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056739 Title: apparmor="DENIED" operation="open" class="file" profile="virt-aa- helper" name="/etc/gnutls/config" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
** Description changed: + Christian summarizes this after the great reports by Martin: + + gnutls started to ship forceful disables in pkg/import/3.8.1-4ubuntu3 + and added more later. + + Due to that anything linked against gnutls while being apparmor isolated + now hits similar denials, preventing the desired effect of the config + change BTW. + + I think for safety we WANT to always allow this access, otherwise people + will subtly not have crypto control about the more important (those + isolated) software. Because after the denial I'd expect this to not + really disable it in the program linked to gnutls (details might vary + depending what they really use gnutls for). + + I do not nkow of a gnutls abstraction to use, but TBH I'm afraid now + fixing a few but leaving this open in some others not spotted. + + I'd therefore suggest, but we need to discuss, to therefore change it in + /etc/apparmor.d/abstractions/base. + + Therefore I'm adding gnutls (and Adrien) as well as apparmor to the bug + tasks. + --- --- Merely booting current noble cloud image with "chrony" installed causes this: audit: type=1400 audit(1710152842.540:107): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/chronyd" name="/etc/gnutls/config" pid=878 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 - --- + --- --- Running any VM in libvirt causes a new AppArmor violation in current noble. This is a regression, this didn't happen in any previous release. Reproducer: virt-install --memory 50 --pxe --virt-type qemu --os-variant alpinelinux3.8 --disk none --wait 0 --name test1 (This is the simplest way to create a test VM. But it's form or shape doesn't matter at all). Results in lots of audit: type=1400 audit(1710146677.570:108): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config" pid=1480 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 libvirt-daemon 10.0.0-2ubuntu1 apparmor 4.0.0~alpha4-0ubuntu1 libgnutls30:amd64 3.8.3-1ubuntu1 ** Also affects: gnutls28 (Ubuntu) Importance: Undecided Status: New ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Description changed: Christian summarizes this after the great reports by Martin: gnutls started to ship forceful disables in pkg/import/3.8.1-4ubuntu3 and added more later. Due to that anything linked against gnutls while being apparmor isolated now hits similar denials, preventing the desired effect of the config change BTW. I think for safety we WANT to always allow this access, otherwise people will subtly not have crypto control about the more important (those isolated) software. Because after the denial I'd expect this to not really disable it in the program linked to gnutls (details might vary depending what they really use gnutls for). I do not nkow of a gnutls abstraction to use, but TBH I'm afraid now fixing a few but leaving this open in some others not spotted. I'd therefore suggest, but we need to discuss, to therefore change it in /etc/apparmor.d/abstractions/base. Therefore I'm adding gnutls (and Adrien) as well as apparmor to the bug tasks. - --- - --- - Merely booting current noble cloud image with "chrony" installed causes - this: + --- --- --- --- --- --- --- --- --- --- --- --- + --- --- --- --- --- --- --- --- --- --- --- --- + + + Merely booting current noble cloud image with "chrony" installed causes this: audit: type=1400 audit(1710152842.540:107): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/chronyd" name="/etc/gnutls/config" pid=878 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 - --- - --- - Running any VM in libvirt causes a new AppArmor violation in current - noble. This is a regression, this didn't happen in any previous release. + --- --- --- --- --- --- --- --- --- --- --- --- + --- --- --- --- --- --- --- --- --- --- --- --- + + + Running any VM in libvirt causes a new AppArmor violation in current noble. This is a regression, this didn't happen in any previous release. Reproducer: virt-install --memory 50 --pxe --virt-type qemu --os-variant alpinelinux3.8 --disk none --wait 0 --name test1 (This is the simplest way to create a test VM. But it's form or shape doesn't matter at all). Results in lots of audit: type=1400 audit(1710146677.570:108): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config" pid=1480 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 libvirt-daemon 10.0.0-2ubuntu1 apparmor 4.0.0~alpha4-0ubuntu1 libgnutls30:amd64 3.8.3-1ubuntu1 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056739
[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
Hi Martin, as always thanks for your post FF testing and reports. Thank you for also filing bug 2056747 - it starts to show that this is a generic thing which probably anything linked against gnutls and being confined will hit. reverse-depends --release=noble --build-depends libgnutls28-dev | wc -l 182 Unless later decided otherwise I'd think we should not look for many many individual rules but adding it to an abstraction or so, so for now I'd mark these as dups to each other and file it against gnutls as well. ** Also affects: chrony (Ubuntu) Importance: Undecided Status: New ** Description changed: + --- + --- + + Merely booting current noble cloud image with "chrony" installed causes + this: + + audit: type=1400 audit(1710152842.540:107): apparmor="DENIED" + operation="open" class="file" profile="/usr/sbin/chronyd" + name="/etc/gnutls/config" pid=878 comm="chronyd" requested_mask="r" + denied_mask="r" fsuid=0 ouid=0 + + --- + --- + Running any VM in libvirt causes a new AppArmor violation in current noble. This is a regression, this didn't happen in any previous release. Reproducer: - virt-install --memory 50 --pxe --virt-type qemu --os-variant + virt-install --memory 50 --pxe --virt-type qemu --os-variant alpinelinux3.8 --disk none --wait 0 --name test1 (This is the simplest way to create a test VM. But it's form or shape doesn't matter at all). Results in lots of audit: type=1400 audit(1710146677.570:108): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config" pid=1480 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 - libvirt-daemon 10.0.0-2ubuntu1 apparmor 4.0.0~alpha4-0ubuntu1 libgnutls30:amd64 3.8.3-1ubuntu1 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2056739 Title: apparmor="DENIED" operation="open" class="file" profile="virt-aa- helper" name="/etc/gnutls/config" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs