On 5/31/19 2:59 PM, Ian wrote:
> On Fri, 31 May 2019, Jamie wrote:
>> On Fri, 31 May 2019, Ian wrote:
>>
>>> The only thing outstanding is some trouble I run into after the initramfs
>>> chroot transition but before the apparmor service starts:
>>>
>>> May 31 12:10:55 1546-w-dev audit[5162]: AVC apparmor="ALLOWED"
>>> operation="exec" info="profile transition not found" error=-13
>>> profile="init-systemd" name="/usr/bin/unshare" pid=5162 comm="(spawn)"
>>> requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>>> target="/usr/bin/unshare"
>>> May 31 12:10:54 1546-w-dev audit[5004]: AVC apparmor="ALLOWED"
>>> operation="exec" info="profile transition not found" error=-13
>>> profile="init-systemd" name="/usr/bin/unshare" pid=5004 comm="(spawn)"
>>> requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>>> target="/usr/bin/unshare"
>>
>> Notice it is /usr/bin/unshare here, but you mention below that
>> '/usr/sbin/unshare' exists, but what you pasted looks correct. Is this a typo
>> in the email or somewhere else?
>>
>>> The /usr/sbin/unshare profile exists:
>>>
>>> root@1546-w-dev:/etc/apparmor.d# cat usr.bin.unshare
>>> profile usr.bin.unshare /usr/bin/unshare flags=(complain,attach_disconnected) {
>>> #include <local/whitelist>
>>> }
>
> Jamie,
>
> That was a typo in the email. There is no /usr/sbin/unshare executable or
> profile.
>
> After everything loads, if I restart the "lvm2-pvscan@8:1" service that I
> think is responsible for those errors during boot (systemctl shows it as
> failed), it all works correctly.
>
> ---
>
>
> On a different topic, when I attempted to run 'apt update', this happens:
>
> type=AVC msg=audit(1559334318.936:8850): apparmor="ALLOWED"
> operation="exec" info="no new privs" error=-1
> profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11011
> comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0
> target="usr.bin.apt_key"
> type=AVC msg=audit(1559334319.212:8851): apparmor="ALLOWED"
> operation="exec" info="no new privs" error=-1
> profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11013
> comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0
> target="usr.bin.apt_key"
> type=AVC msg=audit(1559334319.228:8852): apparmor="ALLOWED"
> operation="exec" info="no new privs" error=-1
> profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11015
> comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0
> target="usr.bin.apt_key"
> type=AVC msg=audit(1559334319.332:8853): apparmor="ALLOWED"
> operation="exec" info="no new privs" error=-1
> profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" pid=11017
> comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0
> target="usr.bin.apt_key"
>
>
> W: An error occurred during the signature verification. The repository is
> not updated and the previous index files will be used. GPG error:
> http://us.archive.ubuntu.com/ubuntu bionic InRelease: Couldn't execute
> /usr/bin/apt-key to check
> /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_bionic_InRelease
> W: An error occurred during the signature verification. The repository is
> not updated and the previous index files will be used. GPG error:
> http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease: Couldn't
> execute /usr/bin/apt-key to check
> /var/lib/apt/lists/partial/us.archive.ubuntu.com_ubuntu_dists_bionic-updates_InRelease
> W: An error occurred during the signature verification. The repository is
> not updated and the previous index files will be used. GPG error:
> http://security.ubuntu.com/ubuntu bionic-security InRelease: Couldn't execute
> /usr/bin/apt-key to check
> /var/lib/apt/lists/partial/security.ubuntu.com_ubuntu_dists_bionic-security_InRelease
> W: An error occurred during the signature verification. The repository is
> not updated and the previous index files will be used. GPG error:
> http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease: Couldn't
> execute /usr/bin/apt-key to check
> /var/lib/apt/lists/partial/us.archive.ubuntu.com_ubuntu_dists_bionic-backports_InRelease
>
>
> It's not clear to me why it thinks I would be requesting new privs when all
> of the profiles I've created have the exact same priv requests. It's also
> odd that apparmor is stating "ALLOWED" but then still blocking the execution?
>
Because when no-new-privs landed it was mandated that the LSMs not override
it. No-new-privs is not part of AppArmor but of the broader kernel, and was
provided as a way for a task to lock down privileges to the current set:

prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);

It was added with seccomp (3.5) so that the task could do setup and then lock
its sandbox/security env down. At the time the LSMs were told it should apply
to them as well. With seccomp use expanding and systemd now setting it, this has
unfortunately caused several problems for LSMs, and SELinux successfully added a
setprivs ability that allows them to selectively override it. AppArmor does
currently allow transitions under no-new-privs, but only when the transition is
provably a subset of the task's confinement (3.5 - 4.12: unconfined is allowed to
transition to a profile; 4.13 - 4.16: limited to a strict subset of current
confinement, basically you can extend a profile stack; 4.17 - 5.2: to a subset
of confinement at the time nnp is set). We do have plans to add our own ability
to have a permission to override no-new-privs, but that has not landed upstream
yet.
> Running pstree at the same time as apt shows the following order: systemd,
> sshd, sshd, sshd, bash, sudo, bash, apt, gpgv (and http, http), gpgv
>
> root@1546-w-dev:/etc/apparmor.d# cat usr.lib.apt.methods.gpgv
> profile usr.lib.apt.methods.gpgv /usr/lib/apt/methods/gpgv
> flags=(complain) {
> #include <local/whitelist>
> }
>
>
> root@1546-w-dev:/etc/apparmor.d# cat usr.bin.apt_key
> profile usr.bin.apt_key /usr/bin/apt-key flags=(complain) {
> #include <local/whitelist>
> }
>
>
> Have I run into this?
> https://lists.ubuntu.com/archives/apparmor/2018-November/011846.html
>
Unfortunately, yes. I can point you at a test kernel for the nnp override, but
I will need to get up a userspace that can work with it. I'll see what I can do
this weekend.
> root@1546-w-dev:/etc/apparmor.d# uname -r
> 4.15.0-50-generic
>
> I see this problem with 'man' too.
>
> I'm sooo close to getting this working...
>
>
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
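An added example, not code from the thread or the AppArmor project, in Python: it parses the AVC records quoted above and tells the two cases apart (a complain-mode ALLOWED record where the exec went ahead, versus an info="no new privs" record where the kernel refused the profile transition regardless of mode), and maps a `uname -r` string to the no_new_privs transition rule the reply above gives for that kernel series. The sample lines are the thread's own records re-joined onto one line; the rule table is transcribed from the reply.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: two audit records quoted in the thread, re-joined onto one line each.
SAMPLE_LOG: List[str] = [
    'type=AVC msg=audit(1559334318.936:8850): apparmor="ALLOWED" operation="exec" '
    'info="no new privs" error=-1 profile="usr.lib.apt.methods.gpgv" name="/usr/bin/apt-key" '
    'pid=11011 comm="gpgv" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 target="usr.bin.apt_key"',
    'May 31 12:10:55 1546-w-dev audit[5162]: AVC apparmor="ALLOWED" operation="exec" '
    'info="profile transition not found" error=-13 profile="init-systemd" name="/usr/bin/unshare" '
    'pid=5162 comm="(spawn)" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/unshare"',
]

# Kernel series and the exec transitions AppArmor permits under no_new_privs, as listed in the reply above.
NNP_RULES = [
    ((3, 5), (4, 12), "unconfined is allowed to transition to a profile"),
    ((4, 13), (4, 16), "limited to a strict subset of current confinement (extending the profile stack)"),
    ((4, 17), (5, 2), "limited to a subset of the confinement held at the time nnp was set"),
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Dict[str, str]:
    """Split an AppArmor AVC audit record into its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify(line: str) -> Tuple[str, str]:
    """Return (verdict, reason): whether the exec actually happened and why the record reads as it does."""
    ev = parse_avc(line)
    if ev.get("info") == "no new privs":
        # The complain-mode profile said ALLOWED, but the kernel's no_new_privs check refused the
        # profile transition itself; no AppArmor mode can override that, so the exec failed (error=-1).
        return ("blocked", f'{ev["name"]} -> {ev["target"]}: transition refused by no_new_privs; '
                           f'ALLOWED only records what profile {ev["profile"]} would have permitted')
    if ev.get("apparmor") == "ALLOWED":
        # Ordinary complain-mode record: the operation went ahead but would be denied in enforce mode.
        return ("allowed", f'{ev["name"]}: complain mode let it through ({ev.get("info", "no info")}; '
                           f'error={ev.get("error", "?")} would be returned when enforcing)')
    return (ev.get("apparmor", "unknown").lower(), f'{ev.get("name", "?")}: {ev.get("info", "")}')

def nnp_rule(kernel_release: str) -> str:
    """Map a `uname -r` string such as '4.15.0-50-generic' to the thread's no_new_privs rule."""
    major, minor = (int(x) for x in kernel_release.split(".")[:2])
    for low, high, rule in NNP_RULES:
        if low <= (major, minor) <= high:
            return rule
    return "no rule recorded in the thread for this kernel series"
```

Running `classify` over a journal export quickly separates records that merely need a profile rule from those that need the service's NoNewPrivileges setting or the nnp override discussed above.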