snappy-hwe-snaps

[network-manager] apparmor denails occur when using dbus api

Bug #1797194 reported by Eric Stutzenberger
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
snappy-hwe-snaps
Fix Released
Medium
Alfonso Sanchez-Beato

Bug Description

When using the `network-manager` D-Bus api, some nuisance apparmor denials are occurring. It seems like `network-manager` is trying to get process information about the snap making the request though I am not sure why:

Oct 10 17:57:45 localhost audit[1832]: AVC apparmor="DENIED" operation="ptrace" profile="snap.network-manager.networkmanager" pid=1832 comm="NetworkManager" requested_mask="trace" denied_mask="trace" peer="<redacted>"
Oct 10 17:57:45 localhost kernel: audit: type=1400 audit(1539194265.894:18816): apparmor="DENIED" operation="ptrace" profile="snap.network-manager.networkmanager" pid=1832 comm="NetworkManager" requested_mask="trace" denied_mask="trace" peer="<redacted>"
Oct 10 17:57:45 localhost audit[1832]: AVC apparmor="DENIED" operation="ptrace" profile="snap.network-manager.networkmanager" pid=1832 comm="NetworkManager" requested_mask="trace" denied_mask="trace" peer="<redacted>"
Oct 10 17:57:45 localhost kernel: audit: type=1400 audit(1539194265.924:18817): apparmor="DENIED" operation="ptrace" profile="snap.network-manager.networkmanager" pid=1832 comm="NetworkManager" requested_mask="trace" denied_mask="trace" peer="<redacted>"

Note: I changed the above hostname to localhost and redacted the peer snap name since this is part of our company's infrastructure.

See original description
Tony Espy (awe)
Changed in snappy-hwe-snaps:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Tony Espy (awe) wrote :

The ptrace denials are a known issue, and were in fact noted as harmless in bug #1602383. We've done a code inspection of NetworkManager itself, and found no usage of ptrace. Likewise an informal review of all NM dependencies was done, and the offending code wasn't located. This was also re-visited recently during development of the NM 1.10 snap, and the only usage of ptrace found in any of NM's dependencies was in libc6 itself, so ptrace may being called indirectly via libc6.

I've set the priority to Medium as there've been no functional side-effects observed due to these denials to-date.

Eric Stutzenberger (estutzenberger)
description: updated
Revision history for this message
Eric Stutzenberger (estutzenberger) wrote :

Unfortunately, while they are harmless from a system perspective, they do cause nuisance log messages.

While this is not so bad itself, it does mean that our customers see them and think there is a problem. In general, app armor denials are not great. Their confusion at these messages requires us to craft additional explanations and reduces their confidence.

Would it make sense to simply give network manager the permissions it needs to perform the `ptrace` operation until the root of the issue is discovered?

Revision history for this message
Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote :

I have taken a shot at this one. The root reason for the denials is not really calling ptrace, but accessing the /proc/<pid>/stat file from the process that calls NM using the DBus interface (see [1] for more information). This apparmor denial is triggered only when the caller process uid is root, for instance 'sudo nmcli' triggers the denial while 'nmcli' does not.

What apparmor does is to deny access to some parts of the 'stat' file that contains addresses internal to the process. But NM just wants to read the process start time, for some security related checks (polkit), and in fact the 'read' syscalls that NM executed finish successfully, just filling with 0s the sensitive addresses.

In summary, NM does not need ptrace permissions at all to work correctly and the denials are harmless, but at the same time we cannot avoid them. The solution is to silence them, and in fact the network-manager interface had already a 'deny ptrace' entry, but unfortunately it was not in the right place. This should be solved by this MP:

https://github.com/snapcore/snapd/pull/6975

[1] https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace

Changed in snappy-hwe-snaps:
assignee: nobody → Alfonso Sanchez-Beato (alfonsosanchezbeato)
status: Confirmed → In Progress
Alfonso Sanchez-Beato (alfonsosanchezbeato)
Changed in snappy-hwe-snaps:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.