osquery / osquery

SQL powered operating system instrumentation, monitoring, and analytics.
https://osquery.io

AppArmor permissions Ubuntu 24.04 #8344

Open agiacomolli opened 1 month ago

agiacomolli commented 1 month ago

Bug report

What operating system and version are you using?

$ osqueryi --line "SELECT version, build, platform FROM os_version;"
 version = 24.04 LTS (Noble Numbat)
   build = 
platform = ubuntu

What version of osquery are you using?

$ osqueryi --line "SELECT version from osquery_info;"
version = 5.12.1

What steps did you take to reproduce the issue?

On a fresh Ubuntu 24.04 machine:

$ wget -c https://pkg.osquery.io/deb/osquery_5.12.1-1.linux_amd64.deb
$ sudo dpkg -i osquery_5.12.1-1.linux_amd64.deb
Selecting previously unselected package osquery.
(Reading database ... 83319 files and directories currently installed.)
Preparing to unpack osquery_5.12.1-1.linux_amd64.deb ...
Unpacking osquery (5.12.1-1.linux) ...
Setting up osquery (5.12.1-1.linux) ...
933

What did you expect to see?

$ osqueryi --line "SELECT * from apparmor_profiles;"
  path = lsb_release
  name = lsb_release
attach = lsb_release
  mode = enforce
  sha1 = e867c2dd315563e8f3a746924cb867179d1da827

  path = nvidia_modprobe
  name = nvidia_modprobe
attach = nvidia_modprobe
  mode = enforce
  sha1 = dd7540684c23e01b9e8e579a69962423fd8f2f75

  path = nvidia_modprobe//kmod
  name = kmod
attach = kmod
  mode = enforce
  sha1 = 985eeba728561f02af54af9944f986c4f795703b

  path = /usr/lib/NetworkManager/nm-dhcp-client.action
  name = /usr/lib/NetworkManager/nm-dhcp-client.action
attach = /usr/lib/NetworkManager/nm-dhcp-client.action
  mode = enforce
  sha1 = 3086c4c098ba9d684dab21a500cb9515df86d9b6
...

What did you see instead?

$ osqueryi --line "SELECT * from apparmor_profiles;"
E0605 17:57:57.151594  1585 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/Discord.0. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/Discord.0/sha1
E0605 17:57:57.151718  1585 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/1password.1. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/1password.1/sha1
E0605 17:57:57.151813  1585 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/QtWebEngineProcess.2. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/QtWebEngineProcess.2/sha1
E0605 17:57:57.151913  1585 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/MongoDB_Compass.3. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/MongoDB_Compass.3/sha1
E0605 17:57:57.151995  1585 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/brave.4. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/brave.4/sha1
E0605 17:57:57.152081  1585 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/buildah.5. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/buildah.5/sha1
E0605 17:57:57.152175  1585 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/busybox.6. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/busybox.6/sha1
...

directionless commented 1 month ago

To access a lot of the underlying information, osquery needs to be running as root. From your prompt there, it looks like you're running as a user. Does sudo osqueryi behave how you expect?

agiacomolli commented 1 month ago

Same output running with sudo. I suppose something changed at the OS level.

Ubuntu 22.04

$ osqueryi --line "SELECT version, build, platform FROM os_version;"
 version = 22.04.3 LTS (Jammy Jellyfish)
   build = 
platform = ubuntu
$ osqueryi --line "SELECT version from osquery_info;"
version = 5.12.1
$ osqueryi --line "SELECT * from apparmor_profiles;"
  path = lsb_release
  name = lsb_release
attach = lsb_release
  mode = enforce
  sha1 = 65958f0846d3797bb7e57356f1e45f450b946a54

  path = nvidia_modprobe
  name = nvidia_modprobe
attach = nvidia_modprobe
  mode = enforce
  sha1 = a3fa9a81a28cf686ed117b49c738fac6f35eb770
...
$ sudo osqueryi --line "SELECT * from apparmor_profiles;"
  path = lsb_release
  name = lsb_release
attach = lsb_release
  mode = enforce
  sha1 = 65958f0846d3797bb7e57356f1e45f450b946a54

  path = nvidia_modprobe
  name = nvidia_modprobe
attach = nvidia_modprobe
  mode = enforce
  sha1 = a3fa9a81a28cf686ed117b49c738fac6f35eb770
...

Ubuntu 23.10

$ osqueryi --line "SELECT version, build, platform FROM os_version;"
 version = 23.10 (Mantic Minotaur)
   build = 
platform = ubuntu
$ osqueryi --line "SELECT version from osquery_info;"
version = 5.12.1
$ osqueryi --line "SELECT * from apparmor_profiles;"
  path = /bin/toybox
  name = /bin/toybox
attach = /bin/toybox
  mode = unconfined
  sha1 = c03078438163898bf290b67610fde12ec7f6b085

  path = lsb_release
  name = lsb_release
attach = lsb_release
  mode = enforce
  sha1 = af1971c179f89aa1908301aefa90df1f5beb7ea3
...
$ sudo osqueryi --line "SELECT * from apparmor_profiles;"
  path = /bin/toybox
  name = /bin/toybox
attach = /bin/toybox
  mode = unconfined
  sha1 = c03078438163898bf290b67610fde12ec7f6b085

  path = lsb_release
  name = lsb_release
attach = lsb_release
  mode = enforce
  sha1 = af1971c179f89aa1908301aefa90df1f5beb7ea3
...

Ubuntu 24.04

$ osqueryi --line "SELECT version, build, platform FROM os_version;"
 version = 24.04 LTS (Noble Numbat)
   build = 
platform = ubuntu
$ osqueryi --line "SELECT version from osquery_info;"
version = 5.12.1
$ osqueryi --line "SELECT * from apparmor_profiles;"
E0606 12:08:26.323729  1194 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/Discord.0. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/Discord.0/sha1
E0606 12:08:26.324070  1194 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/1password.1. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/1password.1/sha1
E0606 12:08:26.324321  1194 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/MongoDB_Compass.2. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/MongoDB_Compass.2/sha1
E0606 12:08:26.324625  1194 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/QtWebEngineProcess.3. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/QtWebEngineProcess.3/sha1
E0606 12:08:26.325006  1194 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/brave.4. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/brave.4/sha1
E0606 12:08:26.325338  1194 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/buildah.5. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/buildah.5/sha1
E0606 12:08:26.325505  1194 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/busybox.6. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/busybox.6/sha1
...
$ sudo osqueryi --line "SELECT * from apparmor_profiles;"
E0606 12:09:49.359258  1202 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/Discord.0. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/Discord.0/sha1
E0606 12:09:49.359577  1202 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/1password.1. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/1password.1/sha1
E0606 12:09:49.359627  1202 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/MongoDB_Compass.2. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/MongoDB_Compass.2/sha1
E0606 12:09:49.359665  1202 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/QtWebEngineProcess.3. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/QtWebEngineProcess.3/sha1
E0606 12:09:49.359702  1202 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/brave.4. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/brave.4/sha1
E0606 12:09:49.359738  1202 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/buildah.5. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/buildah.5/sha1
E0606 12:09:49.359773  1202 apparmor_profiles.cpp:121] Failed to open the following AppArmor profile: /sys/kernel/security/apparmor/policy/profiles/busybox.6. Cannot open file for reading: /sys/kernel/security/apparmor/policy/profiles/busybox.6/sha1
...

agiacomolli commented 1 month ago

https://github.com/osquery/osquery/pull/8345

AppArmor changed the hash used to check policy from sha1 to sha256: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=237c31cb5d83b3f77715f6d6a185f46a5ee4ec88
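The comment above pins down the cause: newer kernels publish each loaded profile's policy hash in a `sha256` file instead of `sha1`, so a collector that hard-codes the `sha1` filename fails on Ubuntu 24.04 while still working on 22.04 and 23.10. The script below is an added example, not osquery's code and not the change in the linked PR. It walks the same securityfs tree the error lines reference, prefers `sha256` and falls back to `sha1`, reports a profile that has neither on stderr instead of aborting the listing, and recurses into the per-profile `profiles/` subdirectory where child profiles such as `nvidia_modprobe//kmod` are exposed. The directory layout it assumes (one `<name>.<id>` directory per profile containing `name`, `mode`, `attach`, `sha256` or `sha1`, and `profiles/`) is taken from the kernel's securityfs interface and the paths in the error output; it is an assumption of this example, not something stated on the page.

```shell
#!/bin/sh
# Added example, not osquery code: enumerate loaded AppArmor profiles from
# securityfs the way the apparmor_profiles table does, but tolerate the
# kernel's move from a per-profile "sha1" file to a "sha256" file.
#
# Assumed layout (kernel securityfs interface, not stated on the page):
# under /sys/kernel/security/apparmor/policy/profiles/ each profile is a
# directory "<name>.<id>" holding the files name, mode, attach and either
# sha256 (newer kernels) or sha1 (older kernels), plus a profiles/
# subdirectory with the same layout for child profiles.

# Print a file's contents, or nothing if it is missing or unreadable.
read_or_empty() {
    cat "$1" 2>/dev/null || printf ''
}

# list_apparmor_profiles [DIR]
# Prints one line per profile: name|attach|mode|algo|hash
# A profile with neither hash file is reported on stderr and skipped, so
# one unexpected directory does not take down the whole listing.
list_apparmor_profiles() {
    dir="${1:-/sys/kernel/security/apparmor/policy/profiles}"
    for p in "$dir"/*/; do
        [ -d "$p" ] || continue
        p="${p%/}"
        name=$(read_or_empty "$p/name")
        attach=$(read_or_empty "$p/attach")
        mode=$(read_or_empty "$p/mode")
        # Prefer the sha256 file exposed by newer kernels, fall back to sha1.
        if [ -r "$p/sha256" ]; then
            algo=sha256
            hash=$(read_or_empty "$p/sha256")
        elif [ -r "$p/sha1" ]; then
            algo=sha1
            hash=$(read_or_empty "$p/sha1")
        else
            echo "no sha256 or sha1 file for profile $p" >&2
            continue
        fi
        printf '%s|%s|%s|%s|%s\n' "$name" "$attach" "$mode" "$algo" "$hash"
        # Child profiles (e.g. nvidia_modprobe//kmod) live one level down.
        if [ -d "$p/profiles" ]; then
            list_apparmor_profiles "$p/profiles"
        fi
    done
}

# Stand-alone use: list the live tree. Reading securityfs needs root, which
# is why the sudo check suggested earlier in the thread is the first thing
# to try before blaming the kernel.
if [ "$(id -u)" = 0 ] && [ -d /sys/kernel/security/apparmor/policy/profiles ]; then
    list_apparmor_profiles "${1:-}"
fi
```

Run it as `sudo sh apparmor_profiles.sh` on a 24.04 host and every line should carry `sha256`; on a 22.04 or 23.10 host the same script reports `sha1`. To confirm which file the running kernel exposes without the script, `sudo ls /sys/kernel/security/apparmor/policy/profiles/*/ | grep -Ex 'sha(1|256)' | sort -u` prints the hash filename(s) present.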