python-parser requires updated apparmor profile otherwise got SIGSEGV #2625

Closed
abalage opened this issue Mar 13, 2019 · 8 comments

Comments

@abalage
commented Mar 13, 2019

syslog-ng

Version of syslog-ng

syslog-ng 3 (3.19.1)
Config version: 3.19
Installer-Version: 3.19.1
Revision: 
Module-Directory: /usr/lib64/syslog-ng
Module-Path: /usr/lib64/syslog-ng
Include-Path: /usr/share/syslog-ng/include
Available-Modules: add-contextual-data,affile,afprog,afsocket,afstomp,afuser,appmodel,basicfuncs,cef,confgen,cryptofuncs,csvparser,date,dbparser,disk-buffer,examples,graphite,hook-commands,json-plugin,kvformat,linux-kmsg-format,map-value-pairs,pseudofile,sdjournal,snmptrapd-parser,stardate,syslogformat,system-source,tags-parser,tfgetent,xml,geoip-plugin,geoip2-plugin,http,mod-python
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on

Platform

OpenSUSE Leap 15.0 (and possibly other apparmor based distros like Ubuntu)

Issue

Failure

Checking configuration syntax (syslog-ng -s) ends up in SIGSEGV

Steps to reproduce

  1. start syslog-ng with a defined python-parser

  2. experience SIGSEGV of syslog-ng

See gdb backtrace. https://pastebin.com/Gpby35Nb

  3. look for entries of syslog-ng in /var/log/audit/*
type=AVC msg=audit(1551275070.768:693): apparmor="DENIED" operation="file_mmap" profile="syslog-ng" name="/usr/lib64/python3.6/lib-dynload/_heapq.cpython-36m-x86_64-linux-gnu.so" pid=18892 comm="syslog-ng" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Configuration

https://pastebin.com/6tDb0Ar5

Resolution

Add the following element to the syslog-ng apparmor profile.

#include <abstractions/python>

Activate the changes.

apparmor_parser -r /etc/apparmor.d/sbin.syslog-ng
systemctl restart syslog-ng
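
A triage helper for the audit records shown in this report, as an added example that is not part of the original issue or of the syslog-ng project: it parses AppArmor AVC lines, keeps the DENIED records for one profile, and lists denied Python library files. Sample lines 2 and 3 and the path pattern for Python libraries are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the denial quoted in the issue; lines 2-3 are
# made up for this example (a complain-mode record and an unrelated profile).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1551275070.768:693): apparmor="DENIED" operation="file_mmap" profile="syslog-ng" name="/usr/lib64/python3.6/lib-dynload/_heapq.cpython-36m-x86_64-linux-gnu.so" pid=18892 comm="syslog-ng" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
type=AVC msg=audit(1551275070.901:694): apparmor="ALLOWED" operation="open" profile="syslog-ng" name="/etc/syslog-ng/syslog-ng.conf" pid=18892 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1551275071.015:695): apparmor="DENIED" operation="open" profile="example-daemon" name="/srv/example/data.db" pid=19001 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: files under the interpreter's library tree are the ones the
# profile needs abstractions/python for.
PY_LIB = re.compile(r"^/usr/lib(?:64)?/python\d+(?:\.\d+)?/")


def parse_avc(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}


def denials(text, profile):
    """Yield (operation, denied_mask, path) for DENIED records of one profile."""
    for line in text.splitlines():
        f = parse_avc(line)
        if (f.get("type"), f.get("apparmor"), f.get("profile")) == ("AVC", "DENIED", profile):
            yield f.get("operation"), f.get("denied_mask"), f.get("name")


def summarize(text, profile="syslog-ng"):
    """Group denied paths by mask; list denied Python library files separately."""
    by_mask, python_paths = defaultdict(set), set()
    for _op, mask, path in denials(text, profile):
        if path is None:  # e.g. capability denials carry no name= field
            continue
        by_mask[mask].add(path)
        if PY_LIB.match(path):
            python_paths.add(path)
    return {m: sorted(p) for m, p in by_mask.items()}, sorted(python_paths)


if __name__ == "__main__":
    masks, py = summarize(SAMPLE_AUDIT)
    for mask, paths in masks.items():
        print(f"denied mask {mask!r}: {paths}")
    if py:
        print("Python library files denied; check the profile for abstractions/python")
```
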
@Kokan

Contributor

commented Mar 13, 2019

Thanks for reporting, and for the suggestion.
@czanik Is this apparmor profile the same as the one under the contribute folder?

@czanik

Contributor

commented Mar 13, 2019

No. The one in openSUSE is from AppArmor upstream:

linux-xwet:/etc/apparmor.d # cat /etc/apparmor.d/sbin.syslog-ng 
# ------------------------------------------------------------------
#
#    Copyright (C) 2006-2009 Novell/SUSE
#    Copyright (C) 2006 Christian Boltz
#    Copyright (C) 2010 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

#define this to be where syslog-ng is chrooted
@{CHROOT_BASE}=""

profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/mysql>
  #include <abstractions/openssl>

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fsetid,
  capability fowner,
  capability sys_tty_config,
  capability sys_resource,
  capability syslog,

  unix (receive) type=dgram,
  unix (receive) type=stream,

  /dev/log w,
  /dev/syslog w,
  /dev/tty10 rw,
  /dev/xconsole rw,
  /dev/kmsg r,
  /etc/machine-id r,
  /etc/syslog-ng/* r,
  /etc/syslog-ng/conf.d/ r,
  /etc/syslog-ng/conf.d/* r,
  @{PROC}/kmsg r,
  /etc/hosts.deny r,
  /etc/hosts.allow r,
  /{usr/,}{bin,sbin}/syslog-ng mr,
  @{sys}/devices/system/cpu/online r,
  /usr/share/syslog-ng/** r,
  /var/lib/syslog-ng/syslog-ng-?????.qf rw,
  # chrooted applications
  @{CHROOT_BASE}/var/lib/*/dev/log w,
  @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
  @{CHROOT_BASE}/var/log/** w,
  @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
  @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
  /{var,var/run,run}/log/journal/ r,
  /{var,var/run,run}/log/journal/*/ r,
  /{var,var/run,run}/log/journal/*/*.journal r,
  /{var/,}run/syslog-ng.ctl a,
  /{var/,}run/syslog-ng/additional-log-sockets.conf r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/sbin.syslog-ng>
}
@Kokan

Contributor

commented Mar 13, 2019

@czanik Is this part of the opensuse repo?

@abalage

Author

commented Mar 14, 2019

OpenSUSE requires the contribution to be sent to their bugzilla as well as to AppArmor's mailing list: https://en.opensuse.org/SDB:AppArmor

However, Debian suggests contributing directly to AppArmor's Git repo, although I could not find any syslog-ng profile there: https://wiki.debian.org/AppArmor/Contribute/Upstream

The logic is the same, commit to upstream, then they will pick the changes from there. https://git.launchpad.net/apparmor/tree/profiles/apparmor.d/sbin.syslog-ng

@Kokan

Contributor

commented Mar 28, 2019

@czanik @abalage would any of you update apparmor for opensuse/debian?

@cboltz


commented Apr 5, 2019

Upstream AppArmor moved from launchpad to gitlab.com, so the best way is to send a merge request to https://gitlab.com/apparmor/apparmor/

Bug reports at various places (bugzilla.opensuse.org, bugs.debian.org, launchpad and gitlab.com) will also work, but if you already know what needs to be changed, a merge request is less paperwork ;-)

In this specific case, I made it easy for you and just opened
https://gitlab.com/apparmor/apparmor/merge_requests/361 ;-)

@abalage

Author

commented Apr 5, 2019

That's very kind of you.
Thank you @cboltz

@MrAnno

Member

commented Jun 26, 2019

The upstream merge request has been merged: https://gitlab.com/apparmor/apparmor/merge_requests/361

@cboltz Thanks for submitting the fix.

@MrAnno MrAnno closed this Jun 26, 2019
kensington pushed a commit to kensington/apparmor that referenced this issue Aug 4, 2019
When running syslog-ng with a defined python-parser, it needs access to
python libraries.

For details about python-parser, see
https://www.syslog-ng.com/community/b/blog/posts/format-your-log-messages-in-python

References: syslog-ng/syslog-ng#2625
kensington pushed a commit to kensington/apparmor that referenced this issue Aug 4, 2019
syslog-ng: add abstractions/python for python-parser

When running syslog-ng with a defined python-parser, it needs access to python libraries.

For details about python-parser, see https://www.syslog-ng.com/community/b/blog/posts/format-your-log-messages-in-python

References: syslog-ng/syslog-ng#2625

PR: https://gitlab.com/apparmor/apparmor/merge_requests/361
Signed-off-by: John Johansen <john.johansen@canonical.com>