This is CVE-2014-1424

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-1424
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1390592

Title:
  'ptrace peer=@{profile_name}' does not work on 14.04 (at least) with docker

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Trusty:
  In Progress

Bug description:
  I was helping a docker user out in #apparmor on OFTC and I think we found a kernel bug in the 14.04 kernel (14.10 kernel seems fine, see below).

  Workaround: install the https://launchpad.net/ubuntu/+source/linux-lts-utopic kernel.

  $ cat /proc/version_signature
  Ubuntu 3.13.0-37.64-generic 3.13.11.7

  Steps to reproduce:
  1. adjust /etc/apparmor.d/abstractions/base to have:
     ptrace peer=@{profile_name},
  2. sudo apt-get install docker.io
  3. sudo docker pull ubuntu:trusty
  4. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $

  Then observe the following denials on the host, which should have been addressed in the rule added in step 1:
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
  Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"

  Using 'ptrace peer=docker-default,' also did not work.

  Ubuntu 14.10 works as expected (note, the policy is different on 14.10 and it already has the rule from step 1).
  Ubuntu 14.04 with the linux-lts-utopic backport kernel also works (from trusty-proposed: sudo apt-get install linux-headers-3.16.0-25-generic linux-image-3.16.0-25-generic linux-image-extra-3.16.0-25-generic).

  Note, docker is different than most applications in that it embeds its policy inside the docker binary and this binary when launched as a daemon (i.e., via the upstart job) will unconditionally write out the policy to /etc/apparmor.d/docker-default. As such, to modify the policy:
  0. install docker.io and pull a trusty image # only has to be done once
  1. update /etc/apparmor.d/abstractions/base to have the new ptrace rules
  2. sudo stop docker.io # 'docker' on 14.10
  3. sudo apparmor_parser -R /etc/apparmor.d/docker
  4. sudo rm -f /etc/apparmor.d/docker /etc/apparmor.d/cache/docker
  5. sudo start docker.io # 'docker' on 14.10
  6. Run 'ps' inside docker:
     $ sudo docker run -i -t ubuntu:trusty bash
     root@5039d725a41d:/# ps
     ...
     root@5039d725a41d:/# exit
     $

  (Docker just added a way to specify an alternate existing profile in https://docs.docker.com/reference/run/#security-configuration).

  Reference: https://github.com/docker/docker/issues/7276

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1390592/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
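An added check, not part of the bug report above, for verifying whether a host honours the 'ptrace peer=@{profile_name},' rule: it scans AppArmor kernel-log lines for ptrace denials whose peer is the confining profile itself, which is exactly the case that rule is meant to permit. The sample log is constructed from the three denials quoted in the report plus one unrelated denial (peer="unconfined") that must not be flagged; the function names self_ptrace_denials and count_self_ptrace_denials are assumptions.

```shell
#!/bin/sh
# Constructed sample log: the three denials quoted in the bug report, plus one
# unrelated ptrace denial (peer=unconfined) that the check must not flag.
SAMPLE_LOG='Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.018580] type=1400 audit(1415389422.303:68): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="trace" denied_mask="trace" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020832] type=1400 audit(1415389422.307:69): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov 7 13:43:42 sec-trusty-amd64 kernel: [24258.020893] type=1400 audit(1415389422.307:70): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27542 comm="ps" requested_mask="read" denied_mask="read" peer="docker-default"
Nov 7 13:44:01 sec-trusty-amd64 kernel: [24277.000001] type=1400 audit(1415389441.000:71): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=27600 comm="gdb" requested_mask="trace" denied_mask="trace" peer="unconfined"'

# Read kernel-log lines on stdin; print "<profile> <comm> <denied_mask>" for every
# ptrace denial whose peer is the confining profile itself. That is the case
# 'ptrace peer=@{profile_name},' is meant to allow, so any output means the rule
# is not being honoured (as on the 3.13 kernel in the report).
self_ptrace_denials() {
    awk '
    /apparmor="DENIED"/ && /operation="ptrace"/ {
        profile = ""; peer = ""; comm = ""; mask = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue   # skip tokens without key=value
            val = kv[2]; gsub(/"/, "", val)
            if (kv[1] == "profile") profile = val
            else if (kv[1] == "peer") peer = val
            else if (kv[1] == "comm") comm = val
            else if (kv[1] == "denied_mask") mask = val
        }
        if (profile != "" && profile == peer) print profile, comm, mask
    }'
}

# Convenience wrapper: count self-peer ptrace denials in a log passed as a string.
# 0 means the rule works; the sample above gives 3 (the gdb line is ignored).
count_self_ptrace_denials() {
    printf '%s\n' "$1" | self_ptrace_denials | wc -l | tr -d ' '
}

# Stand-alone run on the constructed sample. On a real host, pipe the kernel
# log instead, e.g.  grep apparmor /var/log/kern.log | self_ptrace_denials
printf 'self-peer ptrace denials in sample: %s\n' "$(count_self_ptrace_denials "$SAMPLE_LOG")"
```

Run it after each step of the procedure above (stock 3.13 kernel, then the linux-lts-utopic kernel) to confirm the count drops to 0 once the rule is honoured.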