apparmor: multiple DENIED entries in audit log after merging #5274

[glitsj16]

Firejail from git master currently shows multiple entrees in /var/log/audit/audit.log on my arch linux box. I've bisected and this regression stems from commit, which added #5274:

type=AVC msg=audit(1660549572.602:83): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=6723 comm="ps" requested_mask="read" denied_mask="read" peer="firejail-default//&unconfined"
type=AVC msg=audit(1660549572.602:83): apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=6723 comm="ps" requested_mask="readby" denied_mask="readby" peer="firejail-default//&unconfined"

@ChrysoliteAzalea If there's anything I can post to help debugging this issue, feel free to ping me.

OS: Arch Linux
apparmor: 3.0.7-1
firejail-git: 0.9.71.r8626.5ab4aeb35-1

[ChrysoliteAzalea]

Sorry, I didn't test the use case with ptrace and signals. The issue is that, while security labels firejail-default and firejail-default//&unconfined are equal in terms of AppArmor permissions, the original profile allowed only ptrace-reading and sending signals only to peers with the former label. This issue happened because the PR replaced the aa_change_onexec to aa_stack_onexec (which guarantees that the process won't have any additional permissions after AppArmor domain transition that it didn't have before, and works with "No New Privileges" enabled).

[glitsj16]

@ChrysoliteAzalea Thanks for the fix. I've tested it locally and can confirm it fixes the issue. I'll wait a bit with merging #5317 to give other collaborators time to review, although I don't expect any problems.

[NetSysFire]

Getting the same on 0.9.72 on Arch Linux after updating, but strangely only with signal-desktop and I figured this issue might be related.

audit[3018085]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=3018085 comm="signal-desktop" requested_mask="readby" denied_mask="readby" peer="firejail-default//&unconfined"
audit[3018085]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=3018085 comm="ThreadPoolSingl" requested_mask="read" denied_mask="read" peer="firejail-default//&unconfined"

I did not notice anything not working, but this causes a good amount of log spam.

[glitsj16]

@NetSysFire At the moment I can't explain why you're getting this in 0.9.72. It's supposed to be fixed. If I understand it correctly, readby should be allowed according to

firejail/etc/apparmor/firejail-default

Lines 34 to 36 in 82c244f

	# Allow obtaining some process information, but not ptrace(2)
	ptrace (read,readby) peer=@{profile_name},
	ptrace (read,readby) peer=@{profile_name}//&unconfined,

Let's reopen this and ask @ChrysoliteAzalea's opinion. FWIW, for me this was fixed by #5317 and I haven't noticed anything like it since. For the time being you could add a rule to your /etc/audit/rules.d/20-dont-audit.rules to temporarily keep signal-desktop from spamming the log. That can grow quickly out of control, besides it being irritating...

Something like the below should do it:

-a always,exclude -F exe=/usr/bin/signal-desktop

[NetSysFire]

I sandbox plenty of other stuff and so far only signal-desktop is triggering this. I can not say whether this is a firejail or signal-desktop issue but if you tell me how, I will debug.