>From the commits mentioned that solve the issue, 338d0be437ef was not
available on 4.15 kernels. The cherry-pick was submitted to the kernel
team for approval.
** Description changed:
- Per 'man namespaces':
+ SRU Justification:
- "Permission to dereference or read (readlink(2)) these symbolic links is
- governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
+ [Impact]
+ Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
+ only 'ptrace read' should be required according to 'man namespaces':
+
+ "Permission to dereference or read (readlink(2)) these symbolic links
+ is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
ptrace(2)."
- This suggests that a 'ptrace read' rule should be sufficient to
- readlink() /proc/*/ns/*, which is the case with 5.4.0-42.46-generic
- (Ubuntu 20.04 LTS).
+ [Fix]
- However, on Ubuntu 18.04 LTS and 16.04 LTS, 'ptrace trace' is needed.
- Here is a reproducer:
+ Upstream commit 338d0be437ef10e247a35aed83dbab182cf406a2 fixes ptrace
+ read check.
- $ cat ./readlink-ns.c
- #include <errno.h>
- #include <linux/limits.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <sys/types.h>
- #include <unistd.h>
+ [Test Plan]
- void usage() {
- fprintf(stderr, "Usage: readlink-ns -p <pid> -n <ns>\n");
- }
+ BugLink contains the source of a binary that reproduces the issue. In
+ summary, it executes readlink() on /proc/*/ns/*. There's also a policy
+ that has only 'ptrace read' permission. When the bug is fixed,
+ execution is allowed.
- int main(int argc, char *argv[])
- {
- pid_t pid = 0;
- char *ns = NULL;
- char path[PATH_MAX] = {};
- char rpath[PATH_MAX] = {};
- int c;
+ [Where problems could occur]
- while ((c = getopt(argc, argv, "hn:p:")) != -1) {
- switch(c) {
- case 'n':
- ns = optarg;
- break;
- case 'p':
- pid = atoi(optarg);
- break;
- case 'h':
- usage();
- return 0;
- case '?':
- usage();
- return 1;
- default:
- return 1;
- }
- }
-
- int n = snprintf(path, sizeof(path), "/proc/%d/ns/%s", pid, ns);
- if (n < 0 || (size_t)n >= sizeof(path)) {
- fprintf(stderr, "cannot format string\n");
- return 1;
- }
- path[n] = '\0';
- printf("path: %s\n", path);
-
- n = readlink(path, rpath, sizeof(rpath));
- if (n < 0) {
- perror("readlink()");
- return 1;
- } else if (n == sizeof(rpath)) {
- fprintf(stderr, "cannot readlink()\n");
- return 1;
- }
- printf("rpath: %s\n", rpath);
-
- return 0;
- }
-
- $ cat ./readlink-ns.apparmor
- #include <tunables/global>
-
- profile test {
- #include <abstractions/base>
-
- # focal
- ptrace (read) peer="unconfined",
-
- # xenial, bionic
- #ptrace (trace) peer="unconfined",
- }
-
-
- # bionic and xenial need 'ptrace trace'
- $ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor &&
sudo aa-exec -p test -- ./a.out -p 1 -n pid
- path: /proc/1/ns/pid
- readlink(): Permission denied
-
- Denial:
- Aug 07 14:40:59 sec-bionic-amd64 kernel: audit: type=1400
audit(1596829259.675:872): apparmor="DENIED" operation="ptrace" profile="test"
pid=1311 comm="a.out" requested_mask="trace" denied_mask="trace"
peer="unconfined"
-
-
- # focal needs only 'ptrace read'
- $ gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor &&
sudo aa-exec -p test -- ./a.out -p 1 -n pid
- path: /proc/1/ns/pid
- rpath: pid:[4026531836]
+ The regression can be considered as low, since it's lowering the number
+ of permissions required. Existing policies that already contain the
+ permission 'ptrace trace' and 'ptrace read' will have a broader policy
+ than required.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1890848
Title:
'ptrace trace' needed to readlink() /proc/*/ns/* files on older
kernels
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Xenial:
Triaged
Status in linux source package in Bionic:
Triaged
Bug description:
SRU Justification:
[Impact]
Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
only 'ptrace read' should be required according to 'man namespaces':
"Permission to dereference or read (readlink(2)) these symbolic links
is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
ptrace(2)."
[Fix]
Upstream commit 338d0be437ef10e247a35aed83dbab182cf406a2 fixes ptrace
read check.
[Test Plan]
BugLink contains the source of a binary that reproduces the issue. In
summary, it executes readlink() on /proc/*/ns/*. There's also a policy
that has only 'ptrace read' permission. When the bug is fixed,
execution is allowed.
[Where problems could occur]
The regression can be considered as low, since it's lowering the number
of permissions required. Existing policies that already contain the
permission 'ptrace trace' and 'ptrace read' will have a broader policy
than required.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1890848/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
