[Bug 1913470] Re: sssd also needs `attach_disconnected` in its apparmor profile
I'm wondering now if *perhaps* kernel or kexec is involved. I don't reboot directly to the overlay kernel, I use:

`kexec --initrd=/boot/initrd.img-$(uname -r) --command-line="$(cat /proc/cmdline) overlayroot=tmpfs" /boot/vmlinuz-$(uname -r) -l`

And we are on a custom 5.4 kernel (it's the nature of our HVs that we don't run the Ubuntu kernel). Can you try with kexec instead of overlayroot.conf config? And can you tell me what kernel is in your VM? The last part is this is baremetal, but I don't think that should matter.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1913470

Title: sssd also needs `attach_disconnected` in its apparmor profile

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1913470/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1913470] Re: sssd also needs `attach_disconnected` in its apparmor profile
Something to think about: how common is this use case (of overlayfs), and are there other scenarios where the lack of `attach_disconnected` is troublesome? We should consider whether enabling this option introduces unnecessary security risks for the supposedly wider audience who are NOT using overlayfs.
[Bug 1913470] Re: sssd also needs `attach_disconnected` in its apparmor profile
Thanks for the bug report. Initially I wasn't able to reproduce it with a pristine installation of Ubuntu Bionic + sssd, then aa-enforcing sssd, and then enabling overlayroot=tmpfs. sssd was able to start successfully.

Then, we had a chat on IRC where Andreas let me know that sssd's autopkgtest does have scripts that set up a simple LDAP + sssd auth scheme, so I used that to perform the tests. I downloaded sssd's source and manually ran debian/tests/ldap-user-group-ldap-auth, which creates a "testuser1" in the LDAP database. I also tested that this user is able to log in and ssh into the VM. Then, I aa-enforced sssd and enabled overlayroot=tmpfs:

# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=491068k,nr_inodes=122767,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=100488k,mode=755)
/dev/sda2 on /media/root-ro type ext4 (ro,relatime,data=ordered)
tmpfs-root on /media/root-rw type tmpfs (rw,relatime)
overlayroot on / type overlay (rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
...

To no avail: I'm still able to start sssd and perform logins/ssh into the machine.

I'll continue investigating tomorrow, but it's important to obtain a reproducer for this one because we will need to SRU it into Bionic.
[Bug 1913470] Re: sssd also needs `attach_disconnected` in its apparmor profile
1) # aa-enforce usr.sbin.sssd (default)

journal contains:

Jan 27 17:46:27 s2r5node66 sssd[3382]: ldb: unable to open modules directory '/usr/lib/x86_64-linux-gnu/ldb/modules/ldb'
Jan 27 17:46:25 s2r5node66 systemd[1]: Starting System Security Services Daemon...
Jan 27 17:46:25 s2r5node66 systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Jan 27 17:46:25 s2r5node66 systemd[1]: sssd.service: Failed with result 'exit-code'.
Jan 27 17:46:25 s2r5node66 systemd[1]: Failed to start System Security Services Daemon.

2) # aa-complain usr.sbin.sssd; systemctl restart sssd

Jan 27 17:50:07 s2r5node66 audit[10294]: AVC apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/sssd" name="usr/lib/x86_64-linux-gnu/ldb/modules/ldb" pid=10294 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

3) modify /etc/apparmor/usr.sbin.sssd

/usr/sbin/sssd flags=(complain,attach_disconnected) {

# aa-enforce usr.sbin.sssd

/usr/sbin/sssd flags=(attach_disconnected) {

# systemctl restart sssd

● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-01-27 17:53:06 UTC; 7s ago

and ssh works again.
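An added triage helper (not from the bug thread or the sssd package) for the three steps above: it parses AppArmor AVC lines like the one in step 2, separates "disconnected path" lookups (the overlayfs symptom that `attach_disconnected` addresses) from ordinary denials that still deserve an explicit path rule rather than a wider profile flag, and applies the header change from step 3 to any profile, not just sssd's. The log lines are constructed samples modelled on the report; the ordinary-denial line and its path are made up for contrast.

```python
import re

# Constructed sample lines modelled on the AVC line quoted in the bug report;
# the second line is a made-up ordinary denial for contrast.
SAMPLE_LOG = """\
Jan 27 17:50:07 s2r5node66 audit[10294]: AVC apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/sssd" name="usr/lib/x86_64-linux-gnu/ldb/modules/ldb" pid=10294 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 27 17:50:08 s2r5node66 audit[10301]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/var/lib/sss/db/config.ldb" pid=10301 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 27 17:50:09 s2r5node66 systemd[1]: Started System Security Services Daemon.
"""

# key="quoted value" or key=bare_value, as emitted in AVC lines
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# profile header: /path/to/binary [flags=(a,b)] {
HEADER_RE = re.compile(r'^(\S+)(?:\s+flags=\(([^)]*)\))?\s*\{$')

def parse_avc(line):
    """Return the key/value fields of an AppArmor AVC line, or None for other lines."""
    if "AVC apparmor=" not in line:
        return None
    body = line.split("AVC ", 1)[1]
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(body)}

def triage(log_text):
    """Separate disconnected-path lookups (what attach_disconnected fixes) from
    ordinary denials, which need a proper path rule instead of a wider flag.
    Returns ({profile: {disconnected names}}, [(profile, name, denied_mask)])."""
    disconnected, other = {}, []
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if not ev:
            continue
        # Disconnected paths carry this info string and a name with no leading '/'.
        if "disconnected path" in ev.get("info", ""):
            disconnected.setdefault(ev["profile"], set()).add(ev["name"])
        elif ev.get("apparmor") == "DENIED":
            other.append((ev["profile"], ev.get("name"), ev.get("denied_mask")))
    return disconnected, other

def add_flag(header, flag="attach_disconnected"):
    """Return the profile header with `flag` added to its flags=() list, e.g.
    '/usr/sbin/sssd {' -> '/usr/sbin/sssd flags=(attach_disconnected) {'."""
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError("not a profile header: %r" % header)
    flags = [f.strip() for f in (m.group(2) or "").split(",") if f.strip()]
    if flag not in flags:
        flags.append(flag)
    return "%s flags=(%s) {" % (m.group(1), ",".join(flags))
```

Run `triage()` over `journalctl -k` output in complain mode to see which events are really the disconnected-path case before widening the profile.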