[Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"

Adrien Nader 2056739 at bugs.launchpad.net
Mon Mar 11 11:49:00 UTC 2024 

Hey,

I think everything in the gnutls/ directory should be allowed: there can
be profiles with arbitrary names (or at least alnum I guess) which
define priority/configuration strings that can be used by gnutls
applications. I'm not aware of anything else that typically goes there
but I haven't checked. I'll have another look today.

More generally, there can be the same issue for openssl which has its
own abstraction file but isn't included by default AFAIU.

A similar issue could apply to ssl_certs since some apps/libraries ship
their own cert bundle and could function despite not having access to
the system store (I'm looking at you python). I don't know what would be
a typical behavior here but I'm pretty sure that the whole range of
possible behavior exists in the wild.

I'm wondering if I understood the current rules fine because based on my
understanding, I would have expected warnings for these too.

A noteworthy change is
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/2016303 : it would
access to /etc/nss . I don't know if NSS silently ignores inaccessible
system-wide configuration or not. You might want to include it already.

I think all these libraries should probably fail on EPERM. Probably 0
change upstreams accept such a change if it's needed however. :P

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/2056739

Title:
  apparmor="DENIED" operation="open" class="file" profile="virt-aa-
  helper" name="/etc/gnutls/config"

Status in apparmor package in Ubuntu:
  New
Status in chrony package in Ubuntu:
  New
Status in gnutls28 package in Ubuntu:
  New
Status in libvirt package in Ubuntu:
  New
Status in apparmor source package in Noble:
  New
Status in chrony source package in Noble:
  New
Status in gnutls28 source package in Noble:
  New
Status in libvirt source package in Noble:
  New

Bug description:
  Christian summarizes this after the great reports by Martin:

  gnutls started to ship forceful disables in pkg/import/3.8.1-4ubuntu3
  and added more later.

  Due to that anything linked against gnutls while being apparmor
  isolated now hits similar denials, preventing the desired effect of
  the config change BTW.

  I think for safety we WANT to always allow this access, otherwise
  people will subtly not have crypto control about the more important
  (those isolated) software. Because after the denial I'd expect this to
  not really disable it in the program linked to gnutls (details might
  vary depending what they really use gnutls for).

  I do not nkow of a gnutls abstraction to use, but TBH I'm afraid now
  fixing a few but leaving this open in some others not spotted.

  I'd therefore suggest, but we need to discuss, to therefore change it
  in /etc/apparmor.d/abstractions/base.

  Therefore I'm adding gnutls (and Adrien) as well as apparmor to the
  bug tasks.

  
  --- --- --- --- --- --- --- --- --- --- --- ---
  --- --- --- --- --- --- --- --- --- --- --- ---

  
  Merely booting current noble cloud image with "chrony" installed causes this:

  audit: type=1400 audit(1710152842.540:107): apparmor="DENIED"
  operation="open" class="file" profile="/usr/sbin/chronyd"
  name="/etc/gnutls/config" pid=878 comm="chronyd" requested_mask="r"
  denied_mask="r" fsuid=0 ouid=0

  
  --- --- --- --- --- --- --- --- --- --- --- ---
  --- --- --- --- --- --- --- --- --- --- --- ---

  
  Running any VM in libvirt causes a new AppArmor violation in current noble. This is a regression, this didn't happen in any previous release.

  Reproducer:

    virt-install --memory 50 --pxe --virt-type qemu --os-variant
  alpinelinux3.8 --disk none --wait 0 --name test1

  (This is the simplest way to create a test VM. But it's form or shape
  doesn't matter at all).

  Results in lots of

  audit: type=1400 audit(1710146677.570:108): apparmor="DENIED"
  operation="open" class="file" profile="virt-aa-helper"
  name="/etc/gnutls/config" pid=1480 comm="virt-aa-helper"
  requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  libvirt-daemon 10.0.0-2ubuntu1
  apparmor 4.0.0~alpha4-0ubuntu1
  libgnutls30:amd64 3.8.3-1ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions

More information about the foundations-bugs mailing list