apparmor: allow to read /proc/self/map_files #12547
Conversation
sergio-costas
force-pushed
the
DT-1026-add-read-support-for-proc-self-map-files
branch
2 times, most recently
from
e3b4b5a to
ad5e3d5
Compare
alexmurray
added
the
Needs security review
There was a problem hiding this comment.
Hmm unfortunately there is no way to restrict this to just processes of the snap itself - as such, even if you were to also add the owner keyword as is done for the proc/pid/maps entry above, a snap would still be able to read the contents of this directory for other snaps running as the same user.
As such it would make more sense for this to be added to the system-observe interface I think.
@alexmurray Mmm... Are you sure? I mean: we are restricting it to the PID of the running process, not to the user UID... It's exactly the same than the previous line with the "maps" file (in fact, both have the same information)... In fact, I did a and inside there I can see the contents of the "maps" file and "map_files" folder for the firefox PID, but not for the mattermost PID... |
|
AppArmor does not (yet) support restricting to just the PID of the process via the As such I still think this is not appropriate for the base template and instead should be in the |
|
@alexmurray Did you try to do a "cat /proc/XXXX/maps"? You can read only the file for your PID, but can't read the contents for other processes' PIDs... and it contains the same info than map_files folder, that's what I mean. Anyway, if you insist in that it should be in system-observe, I can move it: we need it for steam, and it uses that interface too. |
|
@alexmurray My point is that, according to https://www.kernel.org/doc/html/latest/filesystems/proc.html , map_files was added to avoid having to parse the contents of the "maps" file, so if a process can read /proc/XXXX/maps, it should also be able to list the contents of /proc/XXXX/map_files. This is what this patch intends to do for containerized apps... |
|
I agree that if a process can read so this is not equivalent. And also now that I look at which makes me think that this is not even appropriate for |
|
@alexmurray Mmm... odd... Then, why I can access /proc/XXXX/maps with the off-the-shelf snapd? |
That is a very good question - @jrjohansen do you have any ideas? I can't see anything in the generated apparmor profile for a snap that would allow this but it is definitely possible - and when it is denied I see a ptrace denial in the journal log
And in the journal log we see a ptrace denial: Yet even for the original reads of |
|
Its because abstractions/base is granting access with the rule @{PROC}/@{pid}/{maps,auxv,status} r, and currently apparmor is using a place holder regex for @{pid} instead of doing an actual pid check within the pattern (which is a wip feature). Realistically /proc/self/maps should not be allowed by abstractions base and that should require a different abstraction. |
|
I can add that map_files won't get added to abstraction/base and maps should be pulled in the next major release |
|
@jrjohansen It makes sense, yes... So, where should them be added (I can send patches)? "system-observer"? "process-control"? A new interface? (I don't think it should go in "steam-support", since it's not really for steam, but for a FPS indicator: mangohud, and it can be useful for other programs). |
Hmmm I am wary of breaking stuff that was using and expecting access to @sergio-costas so to try and resolve your original issue - do you know why mangohud wants to be able to read this? |
|
@jrjohansen hmm although looking at the base abstraction it has the following comment: if this is removed from future AppArmor releases will this break these printf() protections? Should this perhaps at least be restricted by |
@alexmurray so being removed is a gradual process, and exactly what we can get away without breaking everything is a good question. It is likely that how this is going to happen atm is the above rule is replaced with an abstraction that is effectively the same with owner on it. But the reality is we don't want this on by default for every task even if it breaks glibc's printf protections because we want to be able to express profiles that don't have it. |
|
@alexmurray It is used in two places of the code: one to detect vkbasalt (a Vulkan post-processing layer) and gamemode
and in other place, to check if an specific library has been loaded:
This last one is used to detect if wine3d, libtogl, libtogl_client or libvulkan are being loaded. It seems that it's to avoid some issues in some specific libraries. |
There was a problem hiding this comment.
Ok so thinking about this a bit more, since we already allow /proc/PID/maps in the base abstraction for AppArmor and this has been available for a long time in the base template for snaps, I think it is fine to add this to the base template for snaps using the owner conditional to try and limit the impact. Given the kernel also protects access to this with ptrace this also limits the exposure. However it would be good to add a comment just above this that explains how the base abstraction in AppArmor already allows read of /proc/pid/maps and so this is just an extension of that.
|
@alexmurray Done. Please, check it. |
There was a problem hiding this comment.
LGTM - thanks for working through this @sergio-costas 🙏
Oops - I just realised that we also need to add access to all the files under the directory too - so this should instead be:
owner @{PROC}/@{pid}/map_files/{,*} r,
Doh - on second thought, no I don't think we do need this - please leave it as you already have it.
Are you sure? I mean: the info is really the directory list, not the content of the files. Just check the contents of the corresponding maps file... I'll do a test to ensure that read access is not needed to see the destination of the soft link, but that's the only thing that I think that maybe would require read access... (in fact, mangohud works great just with the current patch; it doesn't need read access to the files inside) |
|
Ops... just read now your edited comment :-D |
|
Confirmed: with the current patch it is possible to read the destination file for each link, which is all that is needed. No read access for the children is needed. |
Accesing this folder is needed for mangohud. Since the info there is basically the same than in /proc/self/maps, but it's easier to access because the program doesn't have to parse it, it should be safe.
Added a comment explaining why it is secure to allow to access this folder.
sergio-costas
force-pushed
the
DT-1026-add-read-support-for-proc-self-map-files
branch
from
fb3d3a6 to
6adc6fc
Compare
alexmurray
removed
the
Needs security review
* apparmor: allow to read /proc/self/map_files Accesing this folder is needed for mangohud. Since the info there is basically the same than in /proc/self/maps, but it's easier to access because the program doesn't have to parse it, it should be safe. * Add "owner" modifier * Add comment explaining security details Added a comment explaining why it is secure to allow to access this folder. * Fixed comment.
Accesing this folder is needed for mangohud. Since the info there is basically the same than in /proc/self/maps, but it's easier to access because the program doesn't have to parse it, it should be safe.