apparmor: allow readby and tracedby #39121
Fixes audit errors such as:

    type=AVC msg=audit(1550236803.810:143): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3181 comm="ps" requested_mask="readby" denied_mask="readby" peer="docker-default"
    audit(1550236375.918:3): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=2267 comm="ps" requested_mask="tracedby" denied_mask="tracedby" peer="docker-default"

Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
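The audit records quoted in the description can be triaged mechanically when checking whether a profile change actually resolves the noise in the audit log. The script below is an added example, not part of this PR or of Moby's code: it parses AppArmor DENIED records, then separates same-profile ptrace denials that the updated `ptrace (trace,read,tracedby,readby) peer=docker-default` rule allows from denials that would remain. The first two sample records are the ones quoted above; the third (pid 4242, comm strace, peer unconfined, serial 7) is constructed for this example to show a record the rule does not cover.

```python
"""Triage AppArmor "DENIED" audit records like the ones quoted in this PR.

Added example, not part of the PR or of Moby's code. It parses each record,
then separates the same-profile ptrace denials that the updated
docker-default rule allows from anything that would still be denied.
"""
import re
from collections import Counter

# key="value" fields as written in AppArmor audit records
_FIELD = re.compile(r'(\w+)="([^"]*)"')
# the audit(<epoch seconds>:<serial>) token; the "type=AVC msg=" prefix is optional
_AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
# pid is written unquoted, so it needs its own pattern
_PID = re.compile(r'\bpid=(\d+)')

# The four ptrace permissions granted by the updated rule:
#   ptrace (trace,read,tracedby,readby) peer=docker-default,
PTRACE_PERMS_IN_UPDATED_RULE = {"trace", "read", "tracedby", "readby"}

# Constructed sample input. The first two records are the ones quoted in the
# PR description; the third is made up for this example (not from the PR) and
# shows a process under docker-default trying to trace a peer outside the
# profile, which the updated rule does not cover.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1550236803.810:143): apparmor="DENIED" operation="ptrace" '
    'profile="docker-default" pid=3181 comm="ps" requested_mask="readby" '
    'denied_mask="readby" peer="docker-default"',
    'audit(1550236375.918:3): apparmor="DENIED" operation="ptrace" '
    'profile="docker-default" pid=2267 comm="ps" requested_mask="tracedby" '
    'denied_mask="tracedby" peer="docker-default"',
    'type=AVC msg=audit(1550236900.000:7): apparmor="DENIED" operation="ptrace" '
    'profile="docker-default" pid=4242 comm="strace" requested_mask="trace" '
    'denied_mask="trace" peer="unconfined"',
]


def parse_apparmor_event(line):
    """Return the record's fields as a dict, or None if it is not an AppArmor record."""
    fields = dict(_FIELD.findall(line))
    if "apparmor" not in fields:
        return None
    m = _AUDIT_ID.search(line)
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    m = _PID.search(line)
    if m:
        fields["pid"] = int(m.group(1))
    return fields


def is_covered_by_updated_rule(ev, profile="docker-default"):
    """True when the denial is a ptrace operation between two processes confined
    by the same profile and every denied permission is one the updated rule grants."""
    denied = set(ev.get("denied_mask", "").split())
    return (ev.get("apparmor") == "DENIED"
            and ev.get("operation") == "ptrace"
            and ev.get("profile") == profile
            and ev.get("peer") == profile
            and bool(denied)
            and denied <= PTRACE_PERMS_IN_UPDATED_RULE)


def triage(lines, profile="docker-default"):
    """Count records the profile change resolves versus those that would still be
    denied, and return the latter so they can be looked at individually."""
    counts = Counter()
    still_denied = []
    for line in lines:
        ev = parse_apparmor_event(line)
        if ev is None:
            counts["not_apparmor"] += 1
        elif is_covered_by_updated_rule(ev, profile):
            counts["covered_by_profile_fix"] += 1
        else:
            counts["still_denied"] += 1
            still_denied.append(ev)
    return counts, still_denied


if __name__ == "__main__":
    counts, leftover = triage(SAMPLE_AUDIT_LINES)
    print(dict(counts))
    for ev in leftover:
        print(f"pid={ev['pid']} comm={ev['comm']} {ev['denied_mask']} -> peer={ev['peer']}")
```

The peer check is the important part: a denial only counts as resolved when `peer` equals the confining profile, which is exactly the scope of the `peer={{.Name}}` rule in the diff; ptrace attempts against peers under another label stay in the still-denied list.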
ping @justincormack @cyphar PTAL
Seems reasonable.
@@ -44,7 +44,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { | |||
|
|||
{{if ge .Version 208095}} | |||
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container | |||
ptrace (trace,read) peer={{.Name}}, | |||
ptrace (trace,read,tracedby,readby) peer={{.Name}}, |
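Review bot: the `#` comment on the line above the rule is now stale; it still says the rule only suppresses denials from 'docker ps' or 'ps', but with `(trace,read,tracedby,readby)` the rule grants both directions of ptrace between processes confined by the same profile, so it should say so, e.g. `# allow ptrace between processes confined by this profile (both directions); also suppresses the readby/tracedby denials seen with 'docker ps' and 'ps'`. Worth stating in the description that the scope is otherwise unchanged: `peer={{.Name}}` still limits the grant to peers under the same profile and the `{{if ge .Version 208095}}` gate is kept, so this adds the symmetric half of the existing read/trace grant rather than a broader ptrace allowance.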
I think maybe the comment should be changed on the line above - these are I think now needed as we allow ptrace which we did not for seccomp reasons before kernel 4.8, and I don't think you would get these just from ps.
Had a coworker running into the same problem when running Ubuntu 18.04 with a 4.18.0-17-generic kernel and the following Docker version:

Patching the default profile with this

The Documentation for the tracedby and readby settings can be found in the apparmor.d manual:
ping @goldwynr could you have a look at the review comment? @justincormack any other issues with this patch, other than the comment?
@justincormack Without this patch the "denied readby" messages are shown for docker ps, though the command succeeds. So, the comment still holds good.
ping! could the maintainers review the changes?
LGTM