Open glitsj16 opened 2 years ago
Sorry, I didn't test the use case with ptrace and signals. The issue is that, while security labels firejail-default and firejail-default//&unconfined are equal in terms of AppArmor permissions, the original profile allowed only ptrace-reading and sending signals only to peers with the former label. This issue happened because the PR replaced aa_change_onexec with aa_stack_onexec (which guarantees that the process won't have any additional permissions after AppArmor domain transition that it didn't have before, and works with "No New Privileges" enabled).
@ChrysoliteAzalea Thanks for the fix. I've tested it locally and can confirm it fixes the issue. I'll wait a bit with merging #5317 to give other collaborators time to review, although I don't expect any problems.
Getting the same on 0.9.72 on Arch Linux after updating, but strangely only with signal-desktop and I figured this issue might be related.
audit[3018085]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=3018085 comm="signal-desktop" requested_mask="readby" denied_mask="readby" peer="firejail-default//&unconfined"
audit[3018085]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=3018085 comm="ThreadPoolSingl" requested_mask="read" denied_mask="read" peer="firejail-default//&unconfined"
I did not notice anything not working, but this causes a good amount of log spam.
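To check whether denials in a log match the pattern discussed in this thread (a firejail-default process denied against a peer carrying the stacked label firejail-default//&unconfined), here is an added example that is not part of the original thread or of firejail. It parses AVC lines and separates stacked-peer denials from all others; the function names are hypothetical, and the sample log reuses the two lines quoted above plus constructed lines.

```python
import re
from collections import Counter

# Sample input: the two denials quoted in the thread (the first repeated),
# plus two constructed lines (a file denial and a non-AppArmor record).
SAMPLE_LOG = """\
audit[3018085]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=3018085 comm="signal-desktop" requested_mask="readby" denied_mask="readby" peer="firejail-default//&unconfined"
audit[3018085]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=3018085 comm="signal-desktop" requested_mask="readby" denied_mask="readby" peer="firejail-default//&unconfined"
audit[3018085]: AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=3018085 comm="ThreadPoolSingl" requested_mask="read" denied_mask="read" peer="firejail-default//&unconfined"
audit[4242]: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/example/path" pid=4242 comm="example" requested_mask="r" denied_mask="r"
audit[4243]: SYSCALL arch=c000003e syscall=62 success=no
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STACK_SEP = "//&"  # separator between the profiles of a stacked label


def parse_avc(line):
    """Return the key=value fields of an AppArmor denial, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}


def is_stacked_peer_of(profile, peer):
    """True when peer is a stacked label that includes profile itself."""
    parts = peer.split(STACK_SEP)
    return len(parts) > 1 and profile in parts


def summarize(log_text):
    """Count denials, split into stacked-peer ones and everything else."""
    stacked, other = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec.get("comm"), rec.get("operation"),
               rec.get("denied_mask"), rec.get("peer"))
        hit = is_stacked_peer_of(rec.get("profile", ""), rec.get("peer", ""))
        (stacked if hit else other)[key] += 1
    return stacked, other


if __name__ == "__main__":
    stacked, other = summarize(SAMPLE_LOG)
    for key, n in stacked.most_common():
        print(n, "stacked-peer denial(s):", key)
    print(sum(other.values()), "other denial(s)")
```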
@NetSysFire At the moment I can't explain why you're getting this in 0.9.72. It's supposed to be fixed. If I understand it correctly, readby should be allowed according to
Let's reopen this and ask @ChrysoliteAzalea's opinion. FWIW, for me this was fixed by #5317 and I haven't noticed anything like it since. For the time being you could add a rule to your /etc/audit/rules.d/20-dont-audit.rules to temporarily keep signal-desktop from spamming the log. That can grow quickly out of control, besides it being irritating...
Something like the below should do it:
-a always,exclude -F exe=/usr/bin/signal-desktop
I sandbox plenty of other stuff and so far only signal-desktop is triggering this. I cannot say whether this is a firejail or signal-desktop issue, but if you tell me how, I will debug.
Firejail from git master currently shows multiple entries in /var/log/audit/audit.log on my Arch Linux box. I've bisected and this regression stems from commit, which added #5274:
@ChrysoliteAzalea If there's anything I can post to help debugging this issue, feel free to ping me.
OS: Arch Linux
apparmor: 3.0.7-1
firejail-git: 0.9.71.r8626.5ab4aeb35-1