Unprivileged access using IOCTL tcgets

Hi,

I’m trying to create a samba service using snapcraft and have ended up with problems with samba trying to use an IOCTL for the xterm, according to the strace.

My snapcraft.yaml:

name: my-samba
version: "0.0"
summary: Add support for Samba
description: Samba support (Windows share)
grade: devel
confinement: devmode

apps:
  samba:
    command: etc/init.d/samba start
    daemon: simple
    restart-condition: always
    plugs: [network, network-bind, removable-media]

parts:
  samba:
    plugin: nil
    stage-packages: [ samba, lsb-base, ncurses-base ]
    stage:
      - -etc/init.d/*              # exclude the content under init.d that we will override
      - -usr/share/samba/smb.conf  # exclude the default samba config

  config:
    plugin: dump
    source: .
    organize:
      overrides/etc: etc
      overrides/usr: usr
    prime:
      - etc
      - usr

When running the snap using --strace option I see the following:

$ snap run --strace my-samba.samba

[pid 12512] access("/lib/terminfo/x/xterm-256color", R_OK) = 0
[pid 12512] open("/lib/terminfo/x/xterm-256color", O_RDONLY) = 3
[pid 12512] fstat(3, {st_mode=S_IFREG|0644, st_size=3417, ...}) = 0
[pid 12512] read(3, "\32\1%\0&\0\17\0\235\1\262\5xterm-256color|xterm"..., 4096) = 3417
[pid 12512] read(3, "", 1024) = 0
[pid 12512] close(3) = 0
[pid 12512] ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
[pid 12512] ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
[pid 12512] ioctl(1, TIOCGWINSZ, {ws_row=39, ws_col=88, ws_xpixel=0, ws_ypixel=0}) = 0
[pid 12512] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
[pid 12512] write(1, "\33[39;49m", 8) = 8
[pid 12512] exit_group(0) = ?

Are there any interfaces or plugs that I can use to support this behaviour?

Regards

Daniel Lundborg

I’m a bit surprised that samba is using that, but TCGETS is allowed by the default template so the issue is probably unrelated to this (not to mention, the ioctl returned ‘0’, which usually indicates success for this syscall).

Are there any security denials at the time of the access? Try: sudo journalctl|grep audit |grep -v profile_replace|grep samba
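A helper for the check suggested in the reply above, added here as an example that is not part of the thread: it summarises AppArmor audit events for one snap profile so that journalctl output of the kind posted later in this thread is easier to read. The sample log lines are constructed (modelled on the format in the thread), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: summarise AppArmor audit events for one
# snap profile. In devmode the kernel logs apparmor="ALLOWED" for every access
# that strict confinement would have denied, so ALLOWED here means "will break
# under confinement: strict", not "fine". Only file operations (lines carrying
# denied_mask=) are counted; dbus USER_AVC events use a different field layout
# and are simply not matched.

# Constructed sample, modelled on the journalctl lines in the thread. journalctl
# prints the same event twice (once as "audit[pid]:", once as "kernel: audit:"),
# so one duplicate is included to show that it is not double counted.
SAMPLE_LOG='Nov 21 13:48:48 vagrant audit[12818]: AVC apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/" pid=12818 comm="install" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:48:48 vagrant kernel: audit: type=1400 audit(1542808128.060:17120): apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/" pid=12818 comm="install" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:48:48 vagrant audit[12819]: AVC apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/smbd.pid" pid=12819 comm="start-stop-daem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:48:48 vagrant audit[12819]: AVC apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/proc/sys/kernel/core_pattern" pid=12819 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:49:34 vagrant audit[12855]: AVC apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/proc/sys/kernel/core_pattern" pid=12855 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:50:01 vagrant audit[12900]: AVC apparmor="DENIED" operation="open" profile="snap.my-samba.samba" name="/var/log/samba/log.smbd" pid=12900 comm="smbd" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Nov 21 13:50:02 vagrant audit[12901]: AVC apparmor="ALLOWED" operation="open" profile="snap.other.app" name="/run/other/" pid=12901 comm="other" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0'

# audit_summary PROFILE   (log on stdin)
# Prints "COUNT STATUS OPERATION PATH DENIED_MASK", one line per distinct event.
# Paths containing spaces would split the awk fields below; snap runtime paths
# do not contain any.
audit_summary() {
    grep "profile=\"$1\"" |
    grep -v ' kernel: audit: type=' |
    sed -n 's/.*apparmor="\([A-Z]*\)".*operation="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2 \3 \4/p' |
    LC_ALL=C sort | uniq -c | sed 's/^ *//'
}

# would_deny_in_strict PROFILE   (log on stdin)
# Distinct paths logged as ALLOWED, i.e. the complain-mode events that turn into
# hard denials once the snap is rebuilt with confinement: strict.
would_deny_in_strict() {
    audit_summary "$1" | awk '$2 == "ALLOWED" { print $4 }' | LC_ALL=C sort -u
}

# Stand-alone demo on the constructed sample. On a real host, feed it the
# command from the reply above instead:
#   sudo journalctl | grep audit | audit_summary snap.my-samba.samba
printf '%s\n' "$SAMPLE_LOG" | audit_summary snap.my-samba.samba
printf '%s\n' "$SAMPLE_LOG" | would_deny_in_strict snap.my-samba.samba
```

The count column makes repeated events (here core_pattern, read on every restart) stand out, and the second function gives the list of paths that actually need a fix, a layout or an interface before the snap can leave devmode.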

Thanks for pointing me in the right direction.

I have started to add plugs and slots:

name: my-samba
version: "0.0"
summary: Add support for Samba
description: Samba support (Windows share)
grade: devel
confinement: devmode

plugs:
  dbus-systemd-smbd:
    interface: dbus
    bus: system
    name: org.freedesktop.systemd1

slots:
  dbus-systemd-smbd:
    interface: dbus
    bus: system
    name: org.freedesktop.systemd1

apps:
  samba:
    command: etc/init.d/samba start
    daemon: simple
    restart-condition: always
    plugs: [mount-observe, network, network-bind, removable-media, system-observe]

parts:
  samba:
    plugin: nil
    stage-packages: [ samba, lsb-base, ncurses-base, systemd, coreutils, dpkg ]
    stage:
      - -etc/init.d/*              # exclude the content under init.d that we will override
      - -usr/share/samba/smb.conf  # exclude the default samba config

  config:
    plugin: dump
    source: .
    organize:
      overrides/etc: etc
      overrides/usr: usr
    prime:
      - etc
      - usr

and have narrowed down the list from journalctl:

Nov 21 13:48:47 vagrant kernel: audit: type=1400 audit(1542808127.884:17119): apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/proc/12808/mounts" pid=12808 comm="python2.7" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 21 13:48:48 vagrant audit[12818]: AVC apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/" pid=12818 comm="install" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:48:48 vagrant kernel: audit: type=1400 audit(1542808128.060:17120): apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/" pid=12818 comm="install" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:48:48 vagrant audit[12819]: AVC apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/smbd.pid" pid=12819 comm="start-stop-daem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:48:48 vagrant kernel: audit: type=1400 audit(1542808128.060:17121): apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/smbd.pid" pid=12819 comm="start-stop-daem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:48:48 vagrant audit[12819]: AVC apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/proc/sys/kernel/core_pattern" pid=12819 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:48:48 vagrant kernel: audit: type=1400 audit(1542808128.084:17122): apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/proc/sys/kernel/core_pattern" pid=12819 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:49:34 vagrant audit[840]: USER_AVC pid=840 uid=107 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1/unit/smbd_2eservice" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.systemd1" pid=12841 label="snap.my-samba.samba" peer_pid=1 peer_label="unconfined"
Nov 21 13:49:34 vagrant kernel: audit: type=1107 audit(1542808174.056:17123): pid=840 uid=107 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1/unit/smbd_2eservice" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.systemd1" pid=12841 label="snap.my-samba.samba" peer_pid=1 peer_label="unconfined"
Nov 21 13:49:34 vagrant audit[12844]: AVC apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/proc/12844/mounts" pid=12844 comm="python2.7" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 21 13:49:34 vagrant kernel: audit: type=1400 audit(1542808174.156:17124): apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/proc/12844/mounts" pid=12844 comm="python2.7" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 21 13:49:34 vagrant audit[12854]: AVC apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/" pid=12854 comm="install" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:49:34 vagrant audit[12855]: AVC apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/smbd.pid" pid=12855 comm="start-stop-daem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:49:34 vagrant kernel: audit: type=1400 audit(1542808174.332:17125): apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/" pid=12854 comm="install" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:49:34 vagrant kernel: audit: type=1400 audit(1542808174.332:17126): apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/smbd.pid" pid=12855 comm="start-stop-daem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:49:34 vagrant audit[12855]: AVC apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/proc/sys/kernel/core_pattern" pid=12855 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 21 13:49:34 vagrant kernel: audit: type=1400 audit(1542808174.356:17127): apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/proc/sys/kernel/core_pattern" pid=12855 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

And snappy-debug:

kernel.printk_ratelimit = 0
kernel.printk_ratelimit = 5
= AppArmor =
Time: Nov 21 13:36:29
Log: apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/" pid=12590 comm="install" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/samba/ (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*

= AppArmor =
Time: Nov 21 13:36:29
Log: apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/run/samba/smbd.pid" pid=12591 comm="start-stop-daem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /run/samba/smbd.pid (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*

= AppArmor =
Time: Nov 21 13:36:29
Log: apparmor="ALLOWED" operation="open" profile="snap.my-samba.samba" name="/proc/sys/kernel/core_pattern" pid=12591 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/sys/kernel/core_pattern (read)
Suggestion:
* adjust program to not access '@{PROC}/sys/kernel/core_pattern'

I still have the same error using strace though. Any pointers you can give me?

Regards,

Daniel

For the /run/samba denials, you have a few choices:

  • modify the program or its configuration to write out to $SNAP_COMMON or $SNAP_DATA
  • use snap layouts: Snap layouts (widely available with snapd 2.36)
  • update the snap to write to /run/snap.my-samba/*

For core_pattern, this isn’t allowed anywhere yet. I suspect that will go away if you fix the other errors.
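The first of the three options above (point the program's own configuration at $SNAP_COMMON instead of /run/samba), as an added example that is not part of the thread or of the snap being discussed: a launcher script that writes an smb.conf whose runtime directories all live under $SNAP_COMMON, verifies that no path-valued parameter escapes that directory, and then starts smbd in the foreground as a `daemon: simple` app needs. The smb.conf parameter names and the smbd flags are Samba's own; the directory layout under $SNAP_COMMON, the `[media]` share and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: launcher that relocates Samba's runtime
# state into the snap's writable area so that nothing is written to /run/samba
# or /var/lib/samba. Parameter names (pid directory, lock directory, state
# directory, cache directory, private dir, log file) are real smb.conf options;
# the layout under the base directory is this example's own convention.
set -eu

# render_smb_conf BASE
# Writes BASE/smb.conf with every runtime path under BASE and prints its path.
render_smb_conf() {
    base="$1"
    mkdir -p "$base/run" "$base/lock" "$base/state" "$base/cache" "$base/private" "$base/log"
    conf="$base/smb.conf"
    cat >"$conf" <<EOF
[global]
   pid directory   = $base/run
   lock directory  = $base/lock
   state directory = $base/state
   cache directory = $base/cache
   private dir     = $base/private
   log file        = $base/log/log.%m
   # Constructed share: /media is reachable through the removable-media plug.
[media]
   path = /media
   read only = yes
   guest ok = no
EOF
    printf '%s\n' "$conf"
}

# check_paths_confined BASE CONF
# Succeeds only if every path-valued global parameter in CONF starts with BASE/.
# Share paths are deliberately not checked: those are covered by interfaces
# (removable-media for /media), not by relocation.
check_paths_confined() {
    base="$1"; conf="$2"
    grep -E '^[[:space:]]*(pid directory|lock directory|state directory|cache directory|private dir|log file)[[:space:]]*=' "$conf" |
    sed 's/^[^=]*=[[:space:]]*//' |
    awk -v base="$base/" 'substr($0, 1, length(base)) != base { bad = 1 } END { exit bad }'
}

# start_smbd
# Render into $SNAP_COMMON (set by snapd at run time), refuse to start if any
# path leaked outside it, then replace this shell with a foreground smbd that
# logs to stdout so journalctl collects the log.
start_smbd() {
    base="${SNAP_COMMON:?SNAP_COMMON must be set by snapd}"
    conf=$(render_smb_conf "$base")
    check_paths_confined "$base" "$conf"
    exec smbd --foreground --no-process-group --log-stdout --configfile="$conf"
}

# "launcher.sh start" is what the snap's command: line would invoke; with no
# argument the script only renders into a temporary directory and checks it.
case "${1:-check}" in
    start) start_smbd ;;
    check)
        demo=$(mktemp -d)
        demo_conf=$(render_smb_conf "$demo")
        check_paths_confined "$demo" "$demo_conf" && echo "ok: runtime paths confined to $demo"
        rm -rf "$demo"
        ;;
esac
```

With this in place the `command:` line in snapcraft.yaml points at the launcher (`command: bin/launcher.sh start`, a hypothetical path) instead of the Debian init script, which is what was pulling in start-stop-daemon, systemd and the /run/samba accesses in the first place.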
