Ubuntu
sssd package

missing lines in apparmor config for sssd

Bug #1999190 reported by Kartik Subbarao
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)
Fix Released
Undecided
Michał Małoszewski
Jammy
Triaged
Low
Unassigned

Bug Description

[Impact]

* Users of sssd reported extraneous ALLOWED messages from apparmor in /var/log/syslog while trying to login to the server via ssh.

* This crash is caused by the lack of some entries in apparmor-profile file.
The fix is to add:
- #include <abstractions/openssl>
- @{PROC}/[0-9]*/cmdline r,
- /var/lib/sss/mc/* rwk,
- /{,var/}run/systemd/users/* r,
in the right order to the apparmor-profile file.

[Test Plan]

lxc launch ubuntu:22.04 test1
lxc shell test1

1. # apt install slapd ldap-utils -y
2. # dpkg-reconfigure slapd
3. # apt install sssd
4. # vim /etc/ssh/sssd.conf
5. Enter configuration that fits to your system.
6. # systemctl restart sssd
7. # systemctl enable sssd
8. Exit the container.
9. SSH into that container.
10. Check /var/log/syslog.

Example of failed output:

Oct 16 18:55:31 ubuntu2204.example.com kernel: [171965.873242] audit: type=1400 audit(1673538673.812:1220): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/12345" pid=712698 comm="sssd_pam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Dec 16 18:55:31 ubuntu2204.example.com kernel: [174187.653158] audit: type=1400 audit(1679438151.423:1221): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/770129/cmdline" pid=712735 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Example of successful output:

No apparmor messages like these present.

[Where problems could occur]

* @{PROC}/[0-9]*/cmdline r, - the line that has been added allows SSSD processes to read the /proc/[pid]/cmdline files for other processes. Reading it provides access to the cmdline arguments of other processes, but it might be the issue in the future that this access is not used appropriately and exposes sensitive information, however it is unlike.

* There is additional possible regression related to the:
-/{,var/}run/systemd/users/* r,
there might be regression related to user sessions managed by systemd.

-------------------------original bug report------------------------------------

I noticed these kinds of extraneous ALLOWED messages from apparmor in /var/log/syslog:

=====
Dec 8 15:24:33 ubuntu2204.example.com kernel: [171969.873642] audit: type=1400 audit(1670538273.822:1820): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/12345" pid=727740 comm="sssd_pam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Dec 8 15:24:51 ubuntu2204.example.com kernel: [171987.659148] audit: type=1400 audit(1670538291.605:1821): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/770129/cmdline" pid=727739 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
=====

As a workaround to silence these, I added the following lines to /etc/apparmor.d/local/usr.sbin/sssd:

@{PROC}/[0-9]*/cmdline r,
/run/systemd/users/* r,

I'm guessing the proper fix is to add these lines to /etc/apparmor.d/usr.sbin.sssd in the package.

See original description

Related branches

~sergiodj/ubuntu/+source/sssd:merge-2.9.4-1.1-noble
git-ubuntu bot: Approve
Andreas Hasenack: Approve
Canonical Server Reporter: Pending requested
Diff: 569 lines (+405/-4)
3 files modified
debian/apparmor-profile (+4/-1)
debian/changelog (+397/-0)
debian/control (+4/-3)
~sergiodj/ubuntu/+source/sssd:merge-2.9.2-1-noble
git-ubuntu bot: Approve
Andreas Hasenack: Approve
Canonical Server Reporter: Pending requested
Diff: 581 lines (+377/-10)
6 files modified
debian/apparmor-profile (+4/-1)
debian/changelog (+353/-0)
debian/control (+4/-3)
debian/tests/control (+4/-6)
debian/tests/sssd-smart-card-pam-auth-configs-tester.sh (+6/-0)
debian/tests/sssd-softhism2-certificates-tests.sh (+6/-0)
~michal-maloszewski99/ubuntu/+source/sssd:sssd-jammy-missing-lines-in-apparmor
Lucas Kanashiro (community): Needs Information
git-ubuntu import: Pending requested
Diff: 53 lines (+12/-1)
2 files modified
debian/apparmor-profile (+4/-1)
debian/changelog (+8/-0)
~michal-maloszewski99/ubuntu/+source/sssd:ubuntu/devel
git-ubuntu bot: Approve
Sergio Durigan Junior (community): Approve
Canonical Server Reporter: Pending requested
Diff: 53 lines (+12/-1)
2 files modified
debian/apparmor-profile (+4/-1)
debian/changelog (+8/-0)
Revision history for this message
Kartik Subbarao (subbarao) wrote :

This is with Ubuntu 22.04.

Revision history for this message
Lena Voytek (lvoytek) wrote :

Hello,

Thank you for the bug report. Your fix for suppressing the apparmor messages looks good. How often did these messages come up for you beforehand? Also did you have any other issues alongside the logs?

Thanks

Changed in sssd (Ubuntu Jammy):
status: New → Confirmed
Revision history for this message
Kartik Subbarao (subbarao) wrote :

I saw these messages whenever I tried to login to that server via ssh, but I didn't run into any issues with the functionality. There is a symlink to sssd's apparmor config in /etc/apparmor.d/force-complain, so I'm guessing that's why it's being verbose. It's pointing out requests that aren't explicitly covered by the apparmor config.

Revision history for this message
Lena Voytek (lvoytek) wrote (last edit ):

Thanks for the response. I agree that this is a valid bug, but may be difficult to add to 22.04 since it only causes extra logs to show up. I'll mark it as low priority for now. For the development release, however, I think this would be a good thing to make sure to fix.

Changed in sssd (Ubuntu Jammy):
importance: Undecided → Wishlist
importance: Wishlist → Low
Revision history for this message
Kartik Subbarao (subbarao) wrote :

Understood, thanks.

Revision history for this message
Kartik Subbarao (subbarao) wrote :

Found a few more that I'm working around as follows:

/etc/ssl/openssl.cnf r,
/var/lib/sss/mc/* rwk,

[...] apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/passwd" pid=10407 comm="sssd_nss" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[...] apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=10407 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[...] apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/group" pid=10407 comm="sssd_nss" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
[...] apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/initgroups" pid=10407 comm="sssd_nss" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

Revision history for this message
Alex Murray (alexmurray) wrote :

> /etc/ssl/openssl.cnf r,

Instead you should probably just add

#include <abstractions/openssl>

Revision history for this message
Kartik Subbarao (subbarao) wrote :

Cool, thanks for the tip.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu):
status: New → Confirmed
Michał Małoszewski (michal-maloszewski99)
Changed in sssd (Ubuntu):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Changed in sssd (Ubuntu Jammy):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Michał Małoszewski (michal-maloszewski99)
tags: added: server-todo
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 2.9.1-2ubuntu2

---------------
sssd (2.9.1-2ubuntu2) mantic; urgency=medium

  * d/apparmor-profile: Add some entries to apparmor-profile file
    to get rid of the extraneous ALLOWED messages visible in the
    /var/log/syslog. (LP: #1999190)

 -- Michal Maloszewski <email address hidden> Wed, 04 Oct 2023 16:58:26 +0200

Changed in sssd (Ubuntu):
status: Confirmed → Fix Released
Michał Małoszewski (michal-maloszewski99)
description: updated
Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote :

Hello @Kartik! Thanks for your report!

I am trying to figure out the test plan for it, but I am struggling to do so.
Could you please outline in more detail the steps that you performed to bump into that issue?

Thank you in advance,
Michal

Revision history for this message
Kartik Subbarao (subbarao) wrote :

Hi Michal,

I configured sssd on the system with a local LDAP server. Then I logged into the server using ssh, and I saw those log messages. Here is the kind of sssd.conf I'm using, although I don't think the specific LDAP config likely makes much of a difference for this issue:

=====

[sssd]
config_file_version = 2
domains = dir1

[nss]
filter_users = root
filter_groups = root

[pam]
offline_credentials_expiration = 90

[domain/dir1]
id_provider = ldap
auth_provider = ldap
sudo_provider = none
ldap_schema = rfc2307bis
ldap_uri = ldap://localhost, ldap://ldap.example.com
ldap_id_use_start_tls = true
ldap_search_base = dc=example,dc=com
ldap_user_name = exampleUnixUsername
cache_credentials = true
entry_cache_timeout = 604800
account_cache_expiration = 90

Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote :

Hi!

Thank you for your response. Now it will be much easier for me to prepare the Test Plan :)

Michał Małoszewski (michal-maloszewski99)
description: updated
Robie Basak (racb)
Changed in sssd (Ubuntu Jammy):
assignee: Michał Małoszewski (michal-maloszewski99) → nobody
Revision history for this message
Paride Legovini (paride) wrote :

Marking the Jammy task as Triaged as the fix is well identified:

https://launchpadlibrarian.net/690558441/sssd_2.9.1-2ubuntu1_2.9.1-2ubuntu2.diff.gz

Changed in sssd (Ubuntu Jammy):
status: Confirmed → Triaged
Robie Basak (racb)
tags: added: bitesize
Sergio Durigan Junior (sergiodj)
tags: removed: server-todo
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.