That's an excellent question. In general we can't solve all cases but
perhaps we can find a middle-ground.

In the past, the 'r' flag on the executable determined if the process
was dumpable. I expect that to still hold, but there may be other
reasons why 'r' is required these days.

I don't know how widespread it would be for someone to put 'm' on a
binary but not 'r' so that it couldn't be dumpable. That feels unlikely.
Maybe we could automatically give 'mr' permissions to the files listed
in the attachment specification?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1667751

Title:
  Confined binaries running in namespaces unable to read their
  executable

Status in apparmor package in Ubuntu:
  New

Bug description:
  It seems that binaries confined by Apparmor attempt to read their own
  executable when running in a namespace/container. This breaks many
  profiles that are working perfectly well outside of namespaces.

  Original description:

  I'm not sure if it's a bug that belongs to Apparmor, rsyslog or even
  the kernel so please re-assign if needed.

  Enabling rsyslog's Apparmor profile in a namespace generates this
  denial:

  [ 3026.956651] audit: type=1400 audit(1487955263.521:39): apparmor="DENIED" operation="file_mprotect" namespace="root//lxd-ganymede_<var-lib-lxd>" profile="/usr/sbin/rsyslogd" name="/usr/sbin/rsyslogd" pid=4165 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536

  This prevents rsyslog from starting in the said container:

  root@ganymede:~# systemctl status rsyslog
  ● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: inactive (dead) (Result: exit-code) since Fri 2017-02-24 11:54:24 EST; 30min ago
       Docs: man:rsyslogd(8)
             http://www.rsyslog.com/doc/
    Process: 232 ExecStart=/usr/sbin/rsyslogd -n (code=exited, status=127)
   Main PID: 232 (code=exited, status=127)

  Feb 24 11:54:24 ganymede systemd[1]: Failed to start System Logging Service.
  Feb 24 11:54:24 ganymede systemd[1]: rsyslog.service: Unit entered failed state.
  Feb 24 11:54:24 ganymede systemd[1]: rsyslog.service: Failed with result 'exit-code'.
  Feb 24 11:54:24 ganymede systemd[1]: rsyslog.service: Service hold-off time over, scheduling restart.
  Feb 24 11:54:24 ganymede systemd[1]: Stopped System Logging Service.
  Feb 24 11:54:24 ganymede systemd[1]: rsyslog.service: Start request repeated too quickly.
  Feb 24 11:54:24 ganymede systemd[1]: Failed to start System Logging Service.

  I don't know why rsyslog wants to read its own binary but it seems to
  really want to.

  Both the host and the guest are up-to-date Xenials. Please note that
  the host runs the kernel from -proposed.

  root@jupiter:~# apt-cache policy linux-image-4.4.0-65-generic apparmor rsyslog
  linux-image-4.4.0-65-generic:
    Installed: 4.4.0-65.86
    Candidate: 4.4.0-65.86
    Version table:
   *** 4.4.0-65.86 100
          100 /var/lib/dpkg/status
  apparmor:
    Installed: 2.10.95-0ubuntu2.5
    Candidate: 2.10.95-0ubuntu2.5
    Version table:
   *** 2.10.95-0ubuntu2.5 500
          500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.10.95-0ubuntu2 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  rsyslog:
    Installed: 8.16.0-1ubuntu3
    Candidate: 8.16.0-1ubuntu3
    Version table:
   *** 8.16.0-1ubuntu3 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: apparmor 2.10.95-0ubuntu2.5
  ProcVersionSignature: Ubuntu 4.4.0-65.86-generic 4.4.49
  Uname: Linux 4.4.0-65-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: amd64
  Date: Fri Feb 24 12:17:34 2017
  InstallationDate: Installed on 2016-12-19 (66 days ago)
  InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161219)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.4.0-65-generic.efi.signed root=UUID=b23cf18f-e8d0-4a4f-9e8d-6aa47569e86b ro possible_cpus=2 nmi_watchdog=0 kaslr vsyscall=none transparent_hugepage=never
  PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree'
  SourcePackage: apparmor
  Syslog: Feb 24 11:04:10 jupiter dbus[1812]: [system] AppArmor D-Bus mediation is enabled
  UpgradeStatus: No upgrade log present (probably fresh install)
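As an added triage helper (not code from the bug report or from the AppArmor project): it parses the DENIED audit line quoted above into its fields, flags that the denial came from a child policy namespace (the LXD container rather than the host's root namespace), and builds the profile rule the reply at the top proposes, 'mr' on the profile's own executable. The sample line is a constructed copy of the one in the report; the function names are my own.

```python
import re

# Constructed copy of the denial quoted in the bug report, joined onto one line.
SAMPLE_DENIAL = (
    '[ 3026.956651] audit: type=1400 audit(1487955263.521:39): '
    'apparmor="DENIED" operation="file_mprotect" '
    'namespace="root//lxd-ganymede_<var-lib-lxd>" profile="/usr/sbin/rsyslogd" '
    'name="/usr/sbin/rsyslogd" pid=4165 comm="rsyslogd" requested_mask="r" '
    'denied_mask="r" fsuid=165536 ouid=165536'
)

# key="quoted value" or key=unquoted_value, as emitted by the AppArmor audit hook
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, or None otherwise."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: (quoted if quoted else bare) for key, quoted, bare in _KV.findall(line)}


def from_child_namespace(fields):
    """True when the denial was raised under a child policy namespace (e.g. an
    LXD container), whose name is reported as root//<child> instead of root."""
    return fields.get('namespace', 'root').startswith('root//')


def suggest_rule(fields):
    """Build the profile rule that would satisfy this denial.

    When the denied path is the profile's own executable and read was denied,
    grant 'mr' (mmap-exec plus read) as the reply on this bug proposes; for any
    other path just echo back the denied mask for the admin to review.
    """
    name = fields.get('name')
    mask = fields.get('denied_mask')
    if not name or not mask:
        return None
    if name == fields.get('profile') and 'r' in mask:
        mask = 'mr'
    return f'{name} {mask},'


if __name__ == '__main__':
    f = parse_denial(SAMPLE_DENIAL)
    print('container denial:', from_child_namespace(f))
    print('suggested rule  :', suggest_rule(f))
```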

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1667751/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
