
Weird AppArmor unix socket denial for sudo

I have a custom SSH server written in Go that wraps commands called by the client in AppArmor. One of the profiles confines sudo and what commands it can call. It started failing on a Proxmox Backup Server and not on any other Debian server. I have tried several combinations of allowed permissions for unix sockets, but always get the same denied behavior, even with extremely open permissions.
Dec 29 13:41:23 pbs audit: AVC apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 profile="clientSudo" pid=40367 comm="sudo" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Dec 29 13:41:23 pbs audit: AVC apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 profile="clientSudo" pid=40376 comm="sudo" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
I have attempted the following combinations (each group is one attempt):

network unix stream,
network unix dgram,

network unix stream,
network unix dgram,
unix (create) type=stream,
unix (create) type=dgram,

unix (create) type=stream,
unix (create) type=dgram,

unix,

network unix,
Here is the entire profile, called by /usr/bin/sudo rmpx -> clientSudo,
profile clientSudo flags=(enforce) {
  # Read self
  /usr/bin/sudo rm,
  / r,

  # Capabilities
  capability sys_resource,
  capability setuid,
  capability setgid,
  capability audit_write,
  capability chown,
  network netlink raw,
  network unix,
  network unix stream,
  network unix dgram,
  network inet dgram,
  network inet6 dgram,
  unix (create) type=stream,
  unix (create) type=dgram,

  # Allow file manipulation
  /usr/bin/ls rmpx -> fileops,
  /usr/bin/rm rmpx -> fileops,
  /usr/bin/mv rmpx -> fileops,
  /usr/bin/cp rmpx -> fileops,
  /usr/bin/ln rmpx -> fileops,
  /usr/bin/rmdir rmpx -> fileops,
  /usr/bin/mkdir rmpx -> fileops,
  /usr/bin/chown rmpx -> fileops,
  /usr/bin/chmod rmpx -> fileops,
  /usr/bin/sha256sum rmpx -> fileops,

  # /proc accesses
  /proc/stat r,
  /proc/filesystems r,
  /proc/sys/kernel/cap_last_cap r,
  /proc/sys/kernel/ngroups_max rw,
  /proc/sys/kernel/seccomp/actions_avail r,
  /proc/1/limits r,
  /proc/@{pid}/stat r,
  owner /proc/@{pid}/mounts r,
  owner /proc/@{pid}/status r,

  # /run accesses
  /run/ r,
  /run/sudo/ r,
  /run/sudo/ts/{,*} rwk,

  # /usr accesses
  /usr/share/zoneinfo/** r,
  /usr/lib/locale/locale-archive r,
  /usr/sbin/unix_chkpwd rmix,
  # Not necessary, additional attack surface
  deny /usr/sbin/sendmail rmx,

  # /etc accesses
  /etc/login.defs r,
  /etc/ld.so.cache r,
  /etc/locale.alias r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/shadow r,
  /etc/sudo.conf r,
  /etc/sudoers r,
  /etc/sudoers.d/{,*} r,
  /etc/pam.d/other r,
  /etc/pam.d/sudo r,
  /etc/pam.d/common-auth r,
  /etc/pam.d/common-account r,
  /etc/pam.d/common-session-noninteractive r,
  /etc/pam.d/common-session r,
  /etc/pam.d/common-password r,
  /etc/security/limits.conf r,
  /etc/security/limits.d/ r,
  /etc/group r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/resolv.conf r,
  /etc/gai.conf r,

  # /dev accesses
  /dev/tty rw,
  /dev/null rw,

  ## Libraries needed for sudo - lib versions are wildcarded
  /usr/lib/*-linux-gnu*/ld-linux-x86-64.so.* r,
  /usr/lib/*-linux-gnu*/libaudit.so.* rm,
  /usr/lib/*-linux-gnu*/libselinux.so* rm,
  /usr/lib/*-linux-gnu*/libc.so* rm,
  /usr/lib/*-linux-gnu*/libcap-ng.so.* rm,
  /usr/lib/*-linux-gnu*/libpcre*.so.* rm,
  /usr/lib/*-linux-gnu*/libpam.so.* rm,
  /usr/lib/*-linux-gnu*/libz.so.* rm,
  /usr/lib/*-linux-gnu*/libm.so.* rm,
  /usr/libexec/sudo/libsudo_util.so.* rm,
  /usr/libexec/sudo/sudoers.so rm,
  /usr/lib/*-linux-gnu*/libnss_systemd.so.* rm,
  /usr/lib/*-linux-gnu*/libcap.so.* rm,
  /usr/lib/*-linux-gnu*/security/pam_limits.so rm,
  /usr/lib/*-linux-gnu*/security/pam_unix.so rm,
  /usr/lib/*-linux-gnu*/security/pam_deny.so rm,
  /usr/lib/*-linux-gnu*/security/pam_permit.so rm,
  /usr/lib/*-linux-gnu*/security/pam_systemd.so rm,
  /usr/lib/*-linux-gnu*/libcrypt.so.* rm,
  /usr/lib/*-linux-gnu*/libpam_misc.so.* rm,
  /usr/lib/*-linux-gnu*/gconv/gconv-modules.cache r,
  /usr/lib/*-linux-gnu*/gconv/gconv-modules r,
  /usr/lib/*-linux-gnu*/gconv/gconv-modules.d/ r,
}
I would guess that the error "failed type and protocol match" is specifically referring to the "protocol=0". But protocol 0 is not something AppArmor recognizes in the profile syntax. Is there a way to debug what permission exactly sudo is attempting for unix sockets? AppArmor complain mode shows lines identical to the denied ones above. Or is this a limitation of AppArmor, and sudo is trying to do something with unix sockets that is not supported? It is strange that this happens on Proxmox but not on Debian, which kind of makes me think it might be the kernel version Proxmox is using. Can anyone shed some light on this?
Asked by bdrun33 (1 rep)
Dec 29, 2024, 09:56 PM
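The following is an added example, not code from the original post or from AppArmor. It does the triage step the question is asking about: it parses the two AVC lines quoted above into their key=value fields, deduplicates the denials, and checks whether the posted profile text already contains an allow rule that should cover each one. When that check says the rule is present and the denial still appears, the rule wording is not the problem and the next thing to compare between the two hosts is what the running kernel advertises under /sys/kernel/security/apparmor/features (apparmor_parser compiles policy against that feature set). The profile excerpt below keeps only the network-related rules from the posted clientSudo profile; the matching of rule syntax is limited to the plain `network FAMILY TYPE,` and `unix (PERMS) type=TYPE,` forms that appear in the post.

```python
"""Triage AppArmor class=net denials against a profile's text (added example)."""
import os
import re
from collections import Counter

# Sample input: the two audit lines from the post, copied verbatim.
SAMPLE_LOG = """\
Dec 29 13:41:23 pbs audit: AVC apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 profile="clientSudo" pid=40367 comm="sudo" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Dec 29 13:41:23 pbs audit: AVC apparmor="DENIED" operation="create" class="net" info="failed type and protocol match" error=-13 profile="clientSudo" pid=40376 comm="sudo" family="unix" sock_type="stream" protocol=0 requested="create" denied="create" addr=none
"""

# Excerpt of the posted clientSudo profile: only the network-related rules
# (file rules omitted, they do not take part in class=net decisions).
SAMPLE_PROFILE = """\
profile clientSudo flags=(enforce) {
  network netlink raw,
  network unix,
  network unix stream,
  network unix dgram,
  network inet dgram,
  network inet6 dgram,
  unix (create) type=stream,
  unix (create) type=dgram,
}
"""

# key="quoted value" or key=bareword, as emitted in AVC audit lines.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# network [FAMILY [TYPE]],   e.g. "network unix stream,"
_NETWORK_RULE = re.compile(r'^\s*network\b(?:\s+(\w+))?(?:\s+(\w+))?\s*,')
# unix [(PERMS)] [type=TYPE] ...,   e.g. "unix (create) type=stream,"
_UNIX_RULE = re.compile(r'^\s*unix\b(?:\s*\(([^)]*)\))?(?:\s+type=(\w+))?[^,]*,')


def parse_avc(line):
    """Return the key=value fields of one AVC line as a dict (None if not AVC)."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _KV.finditer(line)}


def summarize(log):
    """Count distinct (profile, family, sock_type, requested) net denials."""
    counts = Counter()
    for line in log.splitlines():
        f = parse_avc(line)
        if f and f.get("apparmor") == "DENIED" and f.get("class") == "net":
            counts[(f["profile"], f["family"], f["sock_type"], f["requested"])] += 1
    return counts


def profile_net_rules(profile_text):
    """Extract allow rules of the network/unix kinds from profile text.

    Returns (kind, family, sock_type, perms) tuples; None means "any".
    Comment lines and deny rules are skipped since they never grant access.
    """
    rules = []
    for line in profile_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or stripped.startswith("deny "):
            continue
        m = _NETWORK_RULE.match(line)
        if m:
            rules.append(("network", m.group(1), m.group(2), None))
            continue
        m = _UNIX_RULE.match(line)
        if m:
            perms = None
            if m.group(1) is not None:
                perms = {p.strip() for p in m.group(1).split(",") if p.strip()}
            rules.append(("unix", "unix", m.group(2), perms))
    return rules


def covered_by(profile_text, denial):
    """True if some rule in profile_text should grant this class=net denial."""
    fam, typ = denial["family"], denial["sock_type"]
    want = denial.get("requested", "create")
    for kind, rfam, rtyp, perms in profile_net_rules(profile_text):
        if rfam not in (None, fam) or rtyp not in (None, typ):
            continue
        if kind == "unix" and perms is not None and want not in perms:
            continue
        return True
    return False


def kernel_apparmor_features(root="/sys/kernel/security/apparmor/features"):
    """Read the kernel's advertised AppArmor feature files; {} if unavailable.

    Diffing this between two hosts shows whether the same profile text is
    being compiled against different kernel feature sets.
    """
    features = {}
    if not os.path.isdir(root):
        return features
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path) as fh:
                    features[os.path.relpath(path, root)] = fh.read().strip()
            except OSError:
                continue
    return features


if __name__ == "__main__":
    for (prof, fam, typ, req), n in summarize(SAMPLE_LOG).items():
        denial = {"family": fam, "sock_type": typ, "requested": req}
        print(f"{prof}: {fam}/{typ} {req} x{n} "
              f"rule present in profile text: {covered_by(SAMPLE_PROFILE, denial)}")
    print("kernel feature files read:", len(kernel_apparmor_features()))
```

Run it on the two hosts and save `kernel_apparmor_features()` from each; for the posted profile both denials report the rule as present, so a difference in the two feature sets (or in the apparmor_parser version that compiled the profile on each host) is the more likely place to look than the profile text itself.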