Apparmor support #286
Apparmor support #286
Conversation
There was a problem hiding this comment.
Thanks a lot for doing this! Some basic questions on the code inline, but it generally it looks good. I intend to merge this when I find the time to properly review this. But it will not make the next release, as I really need to tag that as soon as possible.
The second patch is quite big and could easily be split in lots of smaller ones. This would make reviewing a lot easier and make me more confident I don't miss anything. I can pick the patch apart myself and apply the changes individually, if you prefer. But if you want to do that yourself, please go ahead. I don't mind either way.
Again, thanks for looking into this!
src/util/apparmor.c
Outdated
| const char *mode; /* AppArmor confinement mode (freed by freeing *label) */ | ||
| }; | ||
|
|
||
| static struct BusAppArmorConfinement *bus_con = NULL; |
There was a problem hiding this comment.
Any particular reason this is a global variable rather than part of struct Bus? For SELinux we need the global context, because they did not provide any context object in libselinux. But if possible, I would avoid any *_init_global() functions.
src/bus/policy.h
Outdated
| @@ -162,16 +166,21 @@ int policy_snapshot_dup(PolicySnapshot *snapshot, PolicySnapshot **newp); | |||
| int policy_snapshot_check_connect(PolicySnapshot *snapshot); | |||
| int policy_snapshot_check_own(PolicySnapshot *snapshot, const char *name); | |||
| int policy_snapshot_check_send(PolicySnapshot *snapshot, | |||
| const char *subject_context, | |||
| const char *sender_context, | |||
There was a problem hiding this comment.
The sender context should be taken from snapshot (see snapshot->seclabel). Otherwise, you will query the context too late. Note that the point of the policy-snapshot is to snapshot all sender information at a particular time, and then later check whether it matches. This is used for activation messages where sender and receiver information is not available simultaneously. If this does not work for apparmor, this needs to be somehow documented.
src/util/apparmor.c
Outdated
|
|
||
| /* XXX: we don't have access to any context, so can't find | ||
| * the right UID to use, follow dbus-daemon(1) and use our | ||
| * own. */ |
There was a problem hiding this comment.
Why can't we pass the context in? I don't understand this comment. Which context would be needed?
There was a problem hiding this comment.
I took over that function incl. the comment from the dbus-broker SELinux implementation without investigating further (and adapted it for apparmor).
|
Thanks for having a look at it. I will check the things you pointed out next week and also try to figure out a way to split the second patch into smaller chunks. |
|
@sre Is there a link to the patch review on lore for the revised patch slated for 5.19 yet? |
No, not that I'm aware of. |
meson.build
Outdated
| if use_apparmor | ||
| dep_libapparmor = dependency('libapparmor', version: '>=3.0') | ||
| endif | ||
|
|
There was a problem hiding this comment.
I moved this above the audit-check, since apparmor is before audit in alphabetical order ;)
meson_options.txt
Outdated
| @@ -1,3 +1,4 @@ | |||
| option('apparmor', type: 'boolean', value: false, description: 'AppArmor support') | |||
| option('audit', type: 'boolean', value: false, description: 'Audit support') | |||
There was a problem hiding this comment.
Here it was in the correct order :)
src/bus/driver.c
Outdated
| case POLICY_E_SELINUX_ACCESS_DENIED: | ||
| return BUS_LOG_POLICY_TYPE_SELINUX; | ||
| default: | ||
| return BUS_LOG_POLICY_TYPE_INTERNAL; |
There was a problem hiding this comment.
I did some re-ordering all over the place to stay consistent with the order the enum is defined. So first check INTERNAL (if it applies), then SELINUX, and APPARMOR last. Not a big deal, just for consistency.
src/bus/driver.c
Outdated
| case POLICY_E_ACCESS_DENIED: | ||
| case POLICY_E_APPARMOR_ACCESS_DENIED: | ||
| case POLICY_E_SELINUX_ACCESS_DENIED: | ||
| { |
There was a problem hiding this comment.
I know we have a mixed style of switch and if clauses, but I think I prefer the if-clause here. I fixed it up everywhere. I also added the same errno-check to all instances of policy_snapshot_check_{send,receive}, you missed one in driver.c. I also changed it to always check for SELINUX as well. Technically, SELINUX only checks for SEND, not RECEIVE, but the callsite should be consistent, imho. No reason to be overly pedantic there, it just makes it a lot harder to argue about it, and nothing really technically prevents us from adding selinux checks to recv as well.
src/launch/policy.h
Outdated
| @@ -114,6 +115,7 @@ struct Policy { | |||
| .gid_tree = C_RBTREE_INIT, \ | |||
| .selinux_list = C_LIST_INIT((_x).selinux_list), \ | |||
| .apparmor_mode = CONFIG_APPARMOR_ENABLED, \ | |||
| .bus_type = CONFIG_BUS_TYPE_SYSTEM, \ | |||
There was a problem hiding this comment.
Is system actually the default? The man-page doesn't mention it, and I didn't check the dbus sources. Did you?
There was a problem hiding this comment.
No, I did not check when writing this and totally forgot about it. I just did check dbus-daemon. Apparently it supports arbitrary bus types incl. the bus type being empty and then has special handling for "session" and "system". So parsing needs to go and instead the string should be used directly.
There was a problem hiding this comment.
Yeah, I think we need to avoid parsing it and just send it through, indeed.
src/util/apparmor.c
Outdated
| if (f) { | ||
| errno = 0; | ||
| if (!fgets(buffer, sizeof(buffer), f)) { | ||
| if (ferror(f) && errno != EINVAL) |
There was a problem hiding this comment.
I assume this EINVAL check was copy-pasted. Looks like an error. I dropped it. If it was intentional, let me know! I also dropped it from the old is_enabled() code.
Thanks, the changes look fine to me.
I just rebased the pull-request to current HEAD dropping the merged patches (no other changes) and the branch is still working. I will look into the CI issues and the bus_type problem. |
src/bus/policy.h
Outdated
| @@ -173,6 +173,8 @@ int policy_snapshot_check_send(PolicySnapshot *snapshot, | |||
| bool broadcast, | |||
| size_t n_fds); | |||
| int policy_snapshot_check_receive(PolicySnapshot *snapshot, | |||
| const char *sender_seclabel, | |||
| const char *receiver_seclabel, | |||
There was a problem hiding this comment.
snapshot->seclabel is equivalent to receiver_seclabel. You only need to pass in sender_seclabel. See *_check_send() and the SELinux path for an example.
There was a problem hiding this comment.
I dropped it myself and pushed the patch!
src/bus/policy.c
Outdated
| @@ -1082,6 +1114,16 @@ int policy_snapshot_check_receive(PolicySnapshot *snapshot, | |||
| size_t n_fds) { | |||
| PolicyVerdict verdict = POLICY_VERDICT_INIT; | |||
| size_t i; | |||
| int r; | |||
|
|
|||
| r = bus_apparmor_check_xmit(snapshot->apparmor, false, sender_seclabel, receiver_seclabel, | |||
There was a problem hiding this comment.
This is now: subject_seclabel, snapshot->seclabel, rather than sender_seclabel, receiver_seclabel
src/util/apparmor.c
Outdated
| int bus_apparmor_set_bus_type(BusAppArmorRegistry *registry, const char* bustype) { | ||
| registry->bustype = strdup(bustype); | ||
| if (!registry->bustype) | ||
| return -ENOMEM; |
src/util/apparmor.c
Outdated
| r = -EINVAL; | ||
| } | ||
|
|
||
| return r; |
There was a problem hiding this comment.
Uff. This is slow. I mean, we optimized everything so we have a single allocation per message transaction. Now the apparmor code adds one allocation per name the receiver and sender own. I am fine keeping the code, but man those LSMs really drag things down. Makes me a bit sad :-/
src/util/apparmor.c
Outdated
| return 0; | ||
|
|
||
| if (!condup) | ||
| return -ENOMEM; |
There was a problem hiding this comment.
error_origin(-ENOMEM), and I would suggest moving the strdup() out of the variable declaration.
src/util/apparmor.c
Outdated
| return error_origin(-errno); | ||
|
|
||
| if (audit) | ||
| bus_apparmor_log("apparmor=\"%s\" operation=\"dbus_bind\" bus=\"%s\" name=\"%s\"", allowstr(allow), registry->bustype, name); |
There was a problem hiding this comment.
bustype can contain quotes ", right? At least if we take it unmodified from the configuration. Probably doesn't matter much, though.
src/util/apparmor.h
Outdated
| enum { | ||
| _APPARMOR_E_SUCCESS, | ||
|
|
||
| APPARMOR_E_DENIED, |
There was a problem hiding this comment.
Can you prefix these with BUS_APPARMOR_*? The reason for the BUS_* prefix in selinux was that we do not want to conflict with selinux names, which sometimes start with selinux_*. I think the same is warranted for apparmor for consistency, even if the library uses aa_* as prefix (otherwise we should really drop it from the functions as well).
There was a problem hiding this comment.
I now pushed this with a bunch of fixups on top. This still lacks the last commit (handling apparmor in the launcher, though). Note that I am not really sure that this currently matches the behavior of dbus-daemon. I will try to align it with dbus-daemon later. In the meantime, if you have any comments on the code I pushed, let me know. I tried to implement everything that I mentioned inline in this PR.
src/bus/driver.c
Outdated
| if (r) | ||
| return r; |
There was a problem hiding this comment.
| if (r) | |
| return r; | |
| else if (r) | |
| return error_fold(r); |
Crossing error-namespaces, so this needs to be folded.
src/bus/policy.c
Outdated
| r = bus_apparmor_set_bus_type(registry->apparmor, bustype ? bustype : ""); | ||
| if (r) | ||
| return error_trace(r); |
There was a problem hiding this comment.
| r = bus_apparmor_set_bus_type(registry->apparmor, bustype ? bustype : ""); | |
| if (r) | |
| return error_trace(r); | |
| r = bus_apparmor_set_bus_type(registry->apparmor, bustype); | |
| if (r) | |
| return error_fold(r); |
bustype cannot be NULL, and the error needs to be folded, as this is a different error-namespace.
There was a problem hiding this comment.
I think this entire construct needs to drop the if (apparmor) and then use apparmor ? bustype : NULL as argument to set_bus_type(), right?
src/launch/config.c
Outdated
| state->current->bus_type.type = CONFIG_BUS_TYPE_SESSION; | ||
| else | ||
| CONFIG_ERR(state, "Unknown bus type", ": %s", state->current->cdata); | ||
| state->current->bus_type.type = strdup(state->current->cdata); |
There was a problem hiding this comment.
This needs to be freed in config_node_free().
src/util/apparmor-fallback.c
Outdated
| @@ -11,6 +11,7 @@ | |||
| #include <stdio.h> | |||
| #include <stdlib.h> | |||
| #include "util/apparmor.h" | |||
| #include "util/error.h" | |||
There was a problem hiding this comment.
Spurious include that is not needed, right?
src/util/apparmor.c
Outdated
| @@ -93,3 +105,446 @@ int bus_apparmor_dbus_supported(bool *supportedp) { | |||
| *supportedp = supported; | |||
| return 0; | |||
| } | |||
|
|
|||
| static inline bool is_apparmor_enabled(BusAppArmorRegistry *registry) { | |||
| return registry->bustype ? true : false; | |||
There was a problem hiding this comment.
| return registry->bustype ? true : false; | |
| return registry->bustype; |
src/util/apparmor.c
Outdated
| } | ||
|
|
||
| static bool is_unconfined(const char *context) { | ||
| return !strcmp(context, "unconfined"); |
There was a problem hiding this comment.
dbus-daemon checks for the mode to be equal to unconfined, or unset and the label equal to unconfined. Any particular reason this is different?
src/util/apparmor.c
Outdated
| interface, method, allow, &audit_tmp); | ||
| if (r < 0) | ||
| return r; | ||
| if (!allow) |
src/util/apparmor.c
Outdated
| if (!allow) | ||
| return r; | ||
| if (audit_tmp) | ||
| *audit = 1; |
There was a problem hiding this comment.
Shouldn't this conditional be before checking allow?
src/util/apparmor.c
Outdated
|
|
||
| if (!is_apparmor_enabled(registry)) | ||
| return 0; | ||
|
|
There was a problem hiding this comment.
Why does this function not check against unconfined like the others and dbus-daemon do?
src/util/apparmor.c
Outdated
| * or a negative error code on failure. | ||
| */ | ||
| int bus_apparmor_check_xmit(BusAppArmorRegistry *registry, | ||
| bool check_send, |
There was a problem hiding this comment.
dbus-daemon only ever checks on send, why do we have two calls one for send and one for receive?
Maybe this is a confusion where dbus-daemon checks both for sending and receival in a single call, but that is not the case. Checking at send and receive is different to checking the receiver during send. I think this should be bus_apparmor_check_send() just like selinux does.
|
I am quite confused now where you got the transmission checks from. dbus-daemon simply checks with the destination-string and source-unique-id, but your code iterates the set of names on the destination. This will very easily break existing AppArmor rules. I also don't understand why that change was done. Is there any reason not to imitate what dbus-daemon does? That is, I would make apparmor check whether the sender is allowed to send to the destination used in the message. Then check whether the receiver is allowed to receive from the unique-id of the sender. If either is false, refuse the transmission. I can implement this, but I want to make sure you agree on that, and that this is indeed the intended behavior? |
| } else if (*apparmor_mode == CONFIG_APPARMOR_REQUIRED) { | ||
| if (!enabled || !supported) { | ||
| fprintf(stderr, "AppArmor required, but not supported. Exiting.\n"); | ||
| *apparmor_mode = CONFIG_APPARMOR_REQUIRED; |
There was a problem hiding this comment.
I expected to see a negative return value here, or perhaps an exit(3) or _exit(2) call.
There was a problem hiding this comment.
exit is handled outside of this function on line 1250
perhaps the fprintf on line 1196 should move between lines 1250 and 1251 ?
src/bus/policy.c
Outdated
| if (r) { | ||
| if (r == BUS_APPARMOR_E_DENIED) | ||
| return POLICY_E_APPARMOR_ACCESS_DENIED; | ||
|
|
There was a problem hiding this comment.
Are there other return values that mean "don't grant access"? eg. "internal error" or "silently deny" or similar? This currently feels like a 'fail open' way to write this check. (And two more later.)
There was a problem hiding this comment.
This is a translation of error codes from one domain to another. If we happen to forget converting one, the result is the following error_fold(), which takes any unhandled error and turns it into a fatal error code. Hence, the worst that can happen is that we end up exiting, rather than just refusing the message-transaction. Not good, but also we do not accidentally fail the security check.
src/util/apparmor.c
Outdated
|
|
||
| if (is_complain(security_mode)) | ||
| allow = 1; | ||
|
|
There was a problem hiding this comment.
Should this allow = 1 block be moved above the bus_apparmor_log() call, so that the allowstr(allow) generates an output that matches the decision?
src/util/apparmor.c
Outdated
| bus_apparmor_log("apparmor=\"%s\" operation=\"dbus_eavesdrop\" bus=\"%s\" label=\"%s\"", allowstr(allow), registry->bustype, context); | ||
|
|
||
| if (is_complain(security_mode)) | ||
| allow = 1; |
There was a problem hiding this comment.
A similar question here, should this be moved above the logging line, so the string matches the result?
src/util/apparmor.c
Outdated
|
|
||
| if (src_audit) { | ||
| bus_apparmor_log(registry, | ||
| "apparmor=\"%s\" bus=\"%s\" path=\"%s\" interface=\"%s\" method=\"%s\" " |
There was a problem hiding this comment.
I realize the previous code already did this but the AppArmor log parsing tools expects "method" to be "member" instead
There was a problem hiding this comment.
I created a PR in AppArmor so we can parse method the same way as member so no change is needed here :)
src/util/apparmor.c
Outdated
| if (src_audit) { | ||
| bus_apparmor_log(registry, | ||
| "apparmor=\"%s\" bus=\"%s\" path=\"%s\" interface=\"%s\" method=\"%s\" " | ||
| "label=\"%s\" peer_label=\"%s\"", |
There was a problem hiding this comment.
I believe the denied mask is missing. It should look like
mask="send" for when send is denied and
mask="receive" for when receive is denied.
name="" is also missing
There was a problem hiding this comment.
Ah, I also noticed that operation="dbus_method_call" is missing here
There was a problem hiding this comment.
Thanks for the review, I added mask and operation. Logging name is non-trivial, since dbus-broker has a NameSet possibly containing multiple names.
Checking if the destination is allowed to receive during send time is not the same as checking if a message is allowed to be received at receive time. Fix this by following the dbus-daemon implementation more closely and handle everything in bus_apparmor_check_send(). Reported-by: David Rheinsberg <david.rheinsberg@gmail.com> Fixes: 8b1e969 ("util/apparmor: add apparmor support") Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Log failing apparmor checks as accepted when in complain mode for consistency. Reported-by: Seth Arnold <seth.arnold@canonical.com> Fixes: 8b1e969 ("util/apparmor: add apparmor support") Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
All required AppArmor support code has landed, so enable it in the launcher. Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Improve logging for compatibility with AppArmor log parsing tools: * Add denied mask to the send/receive/bind log messages * Add operation to the send/receive log messages Reported-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
sre
force-pushed
the
apparmor-support
branch
from
3372194
to
45fa235
Compare
|
From an AppArmor perspective, this LGTM. We updated our regression tests upstream and they are passing with these patches. |
In the [merge request that adds AppArmor support on D-Bus Broker](bus1/dbus-broker#286), the word "method" is used instead of "member" on the auditing logs. So we are adding support to parse "method" the same way as "member" on D-Bus audit logs. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/958 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
In the [merge request that adds AppArmor support on D-Bus Broker](bus1/dbus-broker#286), the word "method" is used instead of "member" on the auditing logs. So we are adding support to parse "method" the same way as "member" on D-Bus audit logs. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/958 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit a96fa35) Signed-off-by: John Johansen <john.johansen@canonical.com>
In the [merge request that adds AppArmor support on D-Bus Broker](bus1/dbus-broker#286), the word "method" is used instead of "member" on the auditing logs. So we are adding support to parse "method" the same way as "member" on D-Bus audit logs. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/958 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit a96fa35) Signed-off-by: John Johansen <john.johansen@canonical.com>
In the [merge request that adds AppArmor support on D-Bus Broker](bus1/dbus-broker#286), the word "method" is used instead of "member" on the auditing logs. So we are adding support to parse "method" the same way as "member" on D-Bus audit logs. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/958 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit a96fa35) Signed-off-by: John Johansen <john.johansen@canonical.com>
There was a problem hiding this comment.
Hi @dvdhrm o/
@gegarcia and @setharnold from AppArmor have ACKd this PR
there is one outstanding review request that might be resolved by moving a line
| } else if (*apparmor_mode == CONFIG_APPARMOR_REQUIRED) { | ||
| if (!enabled || !supported) { | ||
| fprintf(stderr, "AppArmor required, but not supported. Exiting.\n"); | ||
| *apparmor_mode = CONFIG_APPARMOR_REQUIRED; |
There was a problem hiding this comment.
exit is handled outside of this function on line 1250
perhaps the fprintf on line 1196 should move between lines 1250 and 1251 ?
|
As far as I can tell the CI is currently unaware of AppArmor in the sense that (I'm not sure it should be fixed here but I think it should be fixed one way or another). |
|
looks like arch is adopting dbus-broker as default. any chance this can be merged? |
|
Arch kernels don't have apparmor dbus mediation patches so included so this is irrelevant. |
I don't see how that can be, but I'm not an expert. Per https://wiki.archlinux.org/title/AppArmor I have it enabled and running, a service loaded, a kernel option enabled, aa-enabled returns true, I see "DENIED" in my logs sometimes, etc. |
|
The required AppArmor features to get D-Bus message security policies working are not part of upstream linux kernels. Basic AppArmor support has been included in upstream kernels, though. So to get AppArmor working with |
Hi,
This adds support for AppArmor using libapparmor and the Ubuntu kernel patch
requested in #169. For the implementation dbus-daemon has been used as reference.
The patchset handles restriction of all common DBus operations (sending, receiving,
bus owning and monitoring) - just like dbus-daemon.
Note, that the downstream kernel patch is no longer limited to Ubuntu. It has been
applied to some kernels used in the embedded sector. Missing support for AppArmor
is the limiting factor to switch from dbus-daemon to dbus-broker on these embedded
systems and the reason I wrote this code.
Regarding the status of the kernel patch required for this support: The main reason,
that the kernel is still missing support for kernel based af_unix/dbus meditation is a
pending code restructuring that got postponed for multiple years. Current expectation
is, that this restructuring finally happens in the 5.19 cycle (fingers crossed).
-- Sebastian