Public bug reported:

Hi, while debugging bug 1764373 I found this (distracting me at first). But I realized those are two different issues. So I'm filing the apparmor issue here.

Testcase:
0. get two LXD containers with Bionic
1. create KVM guest with uvtool

When the guest is spawning it tries to open /dev/pts/0 (and similar) for its console. Here is an strace:

  0.000034 stat("/dev/pts/0", {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0 <0.000017>
  0.000052 openat(AT_FDCWD, "/dev/pts/0", O_RDWR|O_NOCTTY) = 11 <0.000019>
  0.000330 ioctl(11, TCGETS, {B38400 opost isig icanon echo ...}) = 0 <0.000105>
  0.000139 ioctl(11, TCGETS, {B38400 opost isig icanon echo ...}) = 0 <0.000010>
  0.000034 ioctl(11, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 -opost -isig -icanon -echo ...}) = 0 <0.000013>
  0.000037 ioctl(11, TCGETS, {B38400 -opost -isig -icanon -echo ...}) = 0 <0.000010>
  0.000034 ioctl(10, TCGETS, {B38400 -opost -isig -icanon -echo ...}) = 0 <0.000011>
  0.000033 ioctl(10, TIOCGPTN, [0]) = 0 <0.000010>
  0.000033 stat("/dev/pts/0", {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0 <0.000016>
  0.000045 close(11) = 0 <0.000013>

The only Permission denied though (at all) is on /dev/pts/0 with this call:

  0.000055 ioctl(10, TIOCGPTPEER, 0x102) = -1 EACCES (Permission denied) <0.000025>

But this is blocked by Apparmor according to dmesg:

  audit: type=1400 audit(1523957176.480:37835): apparmor="DENIED" namespace="root//lxd-testkvm-bionic-tononshared_<var-lib-lxd>" pid=8721 comm="qemu-system-x86" fsuid=64055 ouid=64055 profile="libvirt-1c67131a-7177-4f49-9840-f1092310890d" denied_mask="wr" operation="open" name="/0" requested_mask="wr"

Now I wonder about two things:
1. It should be allowed, as the profile has
     #include <abstractions/consoles>
   and that has:
     /dev/pts/[0-9]* rw,
2. I think it misses parts of the path, as it is a mount point:
     devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=620,ptmxmode=666,max=1024)
   I think apparmor should process this as /dev/pts/0 still and then allow it.
** Affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1764715

Title:
  /dev/pts/0 access detected as /0

Status in apparmor package in Ubuntu:
  New

Bug description:
  (as above)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1764715/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
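An added example, not part of the bug report or of AppArmor itself: it parses an audit line of the kind quoted above, applies the `/dev/pts/[0-9]* rw,` rule from abstractions/consoles with a small AppArmor-style glob matcher, and shows why a denied name of "/0" cannot match while the mount-qualified "/dev/pts/0" would. The audit line is a constructed copy of the one in the report, and the mount-prefix check is this example's own heuristic.

```python
import re

# Constructed sample, modelled on the dmesg line quoted in the bug report.
AUDIT_LINE = (
    'audit: type=1400 audit(1523957176.480:37835): apparmor="DENIED" '
    'namespace="root//lxd-testkvm-bionic-tononshared_<var-lib-lxd>" pid=8721 '
    'comm="qemu-system-x86" fsuid=64055 ouid=64055 '
    'profile="libvirt-1c67131a-7177-4f49-9840-f1092310890d" denied_mask="wr" '
    'operation="open" name="/0" requested_mask="wr"'
)

# key="quoted value" or key=bareword, as the AppArmor audit format emits them
_FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _FIELD.finditer(line)}


def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob: * stops at '/', ** crosses it,
    ? is one non-slash character, [..] is a character class."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith('**', i):
            out.append('.*')
            i += 2
            continue
        c = glob[i]
        if c == '*':
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '[':
            j = glob.index(']', i)
            out.append(glob[i:j + 1])  # character class passes through
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


def rule_matches(rule_path, name):
    return aa_glob_to_regex(rule_path).match(name) is not None


def explain_denial(line, rules, mount_point="/dev/pts"):
    """Report which rules match the denied name as logged, and which would
    match if the name were re-qualified with the devpts mount point."""
    name = parse_audit(line).get("name", "")
    prefixed = name if name.startswith(mount_point) else mount_point + name
    return {"name": name,
            "matched": [r for r in rules if rule_matches(r, name)],
            "prefixed": prefixed,
            "prefixed_matches": [r for r in rules if rule_matches(r, prefixed)]}
```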