[lxc-users] apparmor kernel log entries

Fiedler Roman Roman.Fiedler at ait.ac.at
Thu Jan 7 10:17:27 UTC 2016


> From: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] On
> Behalf Of Serge Hallyn
> 
> Wait - are you saying you want tasks in the container to be able to
> ptrace tasks on the host?

Yes, it is possible. Sounds like

https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1475050

Exploit code is attached to the issue.
 
> Quoting Mark Chaney (mail at lists.macscr.com):
> > Well I have the check_mk monitoring agent running on every container
> > and on the host. Any chance some details steps could be given to
> > allow ptrace to run on the containers? They are already privileged
> > if that makes any difference.
> >
> > On 2015-12-28 17:58, Serge Hallyn wrote:
> > >Quoting Mark Chaney (mail at lists.macscr.com):
> > >>Any suggestions for resolving this warning/error I keep getting on
> > >>my lxc host (ubuntu 14.04 lts)? All my guests are privileged. I have
> > >>no idea what container is even sparking the log entry.
> > >>
> > >>Dec 22 11:39:04 backup kernel: [498830.030751] type=1400
> > >>audit(1450805944.611:17688): apparmor="DENIED" operation="ptrace"
> > >>profile="lxc-container-default" pid=7448 comm="lsof"
> > >>requested_mask="read" denied_mask="read" peer="unconfined"
> > >>Dec 22 11:41:22 backup kernel: [498967.665959] type=1400
> > >>audit(1450806082.172:17737): apparmor="DENIED" operation="ptrace"
> > >>profile="lxc-container-default" pid=13992 comm="ps"
> > >>requested_mask="trace" denied_mask="trace" peer="unconfined"
> > >>Dec 22 11:43:29 backup kernel: [499094.819757] type=1400
> > >>audit(1450806209.256:17753): apparmor="DENIED" operation="ptrace"
> > >>profile="lxc-container-default" pid=18458 comm="ps"
> > >>requested_mask="trace" denied_mask="trace" peer="unconfined"
> > >>Dec 22 11:45:22 backup kernel: [499207.838369] type=1400
> > >>audit(1450806322.216:17754): apparmor="DENIED" operation="ptrace"
> > >>profile="lxc-container-default" pid=20840 comm="ps"
> > >>requested_mask="trace" denied_mask="trace" peer="unconfined"
> > >>Dec 22 11:45:22 backup kernel: [499207.839167] type=1400
> > >>audit(1450806322.216:17757): apparmor="DENIED" operation="ptrace"
> > >>profile="lxc-container-default" pid=20840 comm="ps"
> > >>requested_mask="trace" denied_mask="trace" peer="unconfined"
> > >>Dec 22 11:51:22 backup kernel: [499568.111011] type=1400
> > >>audit(1450806682.289:17789): apparmor="DENIED" operation="ptrace"
> > >>profile="lxc-container-default" pid=2115 comm="ps"
> > >>requested_mask="trace" denied_mask="trace" peer="unconfined"
> > >
> > >It looks to me like you have a task in the container doing ps or lsof
> > >while it is able to see a host task.  This can happen for instance
> > >while a host task is in the middle of transitioning into a
> > >container (i.e. lxc-attach).  The 'ptrace' check is used for several
> > >types of checks (not just the ptrace syscall).  I'm not sure why you
> > >have so many of these, but it is correct for the container task to
> > >not be allowed ptrace access to something unconfined.
> > >_______________________________________________
> > >lxc-users mailing list
> > >lxc-users at lists.linuxcontainers.org
> > >http://lists.linuxcontainers.org/listinfo/lxc-users
> >