a2o / snoopy

Snoopy Command Logger is a small library that logs all program executions on your Linux/BSD system.
GNU General Public License v2.0

object '/lib/x86_64-linux-gnu/libsnoopy.so' from /etc/ld.so.preload cannot be preloaded #237

Closed captainwasabi closed 2 years ago

captainwasabi commented 2 years ago

I am getting this error anytime I use an lxc command. i.e.

# lxc list

LXD runs in a snap and I get the following in the audit.log

type=AVC msg=audit(1659985925.205:660842): apparmor="DENIED" operation="open" profile="/snap/core/13425/usr/lib/snapd/snap-confine" name="/lib/x86_64-linux-gnu/libsnoopy.so.0.0.0" pid=419713 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

bostjan commented 2 years ago

On which host OS can I reproduce this? Ubuntu 20.04 or 22.04?

captainwasabi commented 2 years ago

I'm on 20.04. However I think this box may have started with 12.04->16.04->18.04->20.04 if that makes a difference. (Note: it doesn't make a difference. I just tried it on a clean install of 20.04 and I got the messages in the log.)

Also, this box was recently STIG'd and snoopy was installed after the STIG remediation.

bostjan commented 2 years ago

I'll look into this, thanks for the clarification.

These distro-specific issues are something that I'll try to solve with #135.

bostjan commented 2 years ago

In short, snapd has a very locked down AppArmor profile, down to listing the individual shared libraries that it allows to load (/etc/apparmor.d/usr.lib.snapd.snap-confine.real), probably in order to prevent unauthorised random code from running alongside the original code.

On the other hand, Snoopy is exactly what Snap's AppArmor profile is trying to prevent - interposed, "unauthorised" third-party code that runs alongside the original code.

The following (manually) resolves the issue on my side:

# Configure: drop a snippet into snapd's snap-confine AppArmor include directory
cat <<EOF > /var/lib/snapd/apparmor/snap-confine/snoopy
#
# Snoopy Command Logger
#
    # m = mmap, r = read: lets snap-confine load the preloaded library
    /lib/x86_64-linux-gnu/libsnoopy.so* mr,

    # Files Snoopy reads while composing a log entry
    /dev/pts/ r,
    /proc/*/loginuid r,
    /proc/*/status r,
    # NSS libraries pulled in by user/group name lookups
    /usr/lib/x86_64-linux-gnu/libnss_compat-*.so mr,
    /usr/lib/x86_64-linux-gnu/libnss_nis-*.so mr,
    /usr/lib/x86_64-linux-gnu/libnsl-*.so mr,

    # Unix sockets and the syslog/journald socket paths Snoopy writes to
    unix (create, connect, send) type=dgram,
    unix (create, connect, send) type=stream,

    /dev/log w,
    /run/systemd/journal/dev-log w,
EOF

# Enable: reload the generated snap-confine profile so the snippet takes effect
apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine.snapd.16292   # The revision number will probably need adjustment in your environment

PR #245 contains a Snoopy packaging update, and Snoopy 2.5.0rc3 packaged for Ubuntu will have this file included: https://github.com/a2o/snoopy/blob/master/packaging/deb/extra-files/snapd-apparmor-profile

Caveats:

To be completely honest, I don't have much desire to deal with this further. However, I will gladly accept PRs that improve upon my initial work (updated policy, automatic policy reloading on package install/update).