Fixing apparmor="DENIED" operation="exec" and similar errors on Ubuntu
AppArmor's permission rules are kept by default under /etc/apparmor.d/; for example, tcpdump's rules live in the file usr.sbin.tcpdump in that directory. The file has a fixed format and works like a whitelist that states which directories the application may access. If an application needs to access a directory, the permission must be added to this file, otherwise the access fails with an error. For example, run the following commands:
# restart a service, taking docker as the example
systemctl restart snap.docker.dockerd
# view the log
journalctl -xe
If the permissions are insufficient, you will find an error message like this:
Mar 04 14:43:17 ubuntu audit[5657]: AVC apparmor="DENIED" operation="ptrace" profile="snap.docker.dockerd" pid=5657 comm="ps" requested_mask="trace" denied_mask="trace" peer="/sbin/dhclient"
At this point you need to modify snap.docker.dockerd, but note that this file is not under /etc/apparmor.d/: for applications installed via snap, the profiles are placed in /var/lib/snapd/apparmor/profiles/. The file format looks like this (taking tcpdump as the example):
# vim:syntax=apparmor
# Last Modified: Wed Feb 3 07:58:30 2009
# Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>

/usr/sbin/tcpdump {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability net_raw,
  capability setuid,
  capability setgid,
  capability dac_override,
  network raw,
  network packet,

  # for -D
  capability sys_module,
  @{PROC}/bus/usb/ r,
  @{PROC}/bus/usb/** r,

  # for finding an interface
  @{PROC}/[0-9]*/net/dev r,
  /sys/bus/usb/devices/ r,
  /sys/class/net/ r,
  /sys/devices/**/net/* r,

  # for -j
  capability net_admin,

  # for tracing USB bus, which libpcap supports
  /dev/usbmon* r,
  /dev/bus/usb/ r,
  /dev/bus/usb/** r,

  # for init_etherarray(), with -e
  /etc/ethers r,

  # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
  /dev/bus/usb/**/[0-9]* w,

  # for -z
  /{usr/,}bin/gzip ixr,
  /{usr/,}bin/bzip2 ixr,

  # for -F and -w
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  owner @{HOME}/ r,
  owner @{HOME}/** rw,

  # for -r, -F and -w
  /**.[pP][cC][aA][pP] rw,

  # for convenience with -r (ie, read pcap files from other sources)
  /var/log/snort/*log* r,

  /usr/sbin/tcpdump mr,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.tcpdump>
}
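As an added example (not code from the original post), the shell helper below turns an AVC apparmor="DENIED" line like the one shown earlier into a candidate rule in the profile syntax just listed, so it can be reviewed before being added to the profile. The helper names field and suggest_rule, the templates for file, exec and capability denials, the constructed sample lines and the use of a POSIX/GNU sed are my assumptions; the ptrace line is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post: map one AppArmor denial line
# from journalctl to a candidate profile rule for human review.
# Assumption: the key="value" audit format shown in the post; POSIX/GNU sed.

# field LINE KEY -> prints the value of KEY="..." in LINE (empty if absent)
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# suggest_rule LINE -> prints one candidate rule for the denied operation
suggest_rule() {
    op=$(field "$1" operation)
    mask=$(field "$1" requested_mask)
    case $op in
        ptrace)
            # ptrace denials name the peer *profile*, not a file path
            printf 'ptrace (%s) peer=%s,\n' "$mask" "$(field "$1" peer)" ;;
        capable)
            printf 'capability %s,\n' "$(field "$1" capname)" ;;
        exec)
            # exec rules need an execute mode; ix (inherit this profile)
            # keeps the child confined, which is the conservative choice
            printf '%s ix,\n' "$(field "$1" name)" ;;
        open|file_perm|file_inherit|mknod|unlink|rename_src|rename_dest|truncate|getattr|setattr|link)
            # log masks use c (create) and d (delete); a profile rule
            # expresses both as w
            mask=$(printf '%s' "$mask" | sed 's/[cd]/w/g; s/w\{2,\}/w/g')
            printf '%s %s,\n' "$(field "$1" name)" "$mask" ;;
        *)
            printf '# operation=%s has no template here; review the line by hand\n' "$op" ;;
    esac
}

# the denial quoted in the post, run through the helper
DENIAL='Mar 04 14:43:17 ubuntu audit[5657]: AVC apparmor="DENIED" operation="ptrace" profile="snap.docker.dockerd" pid=5657 comm="ps" requested_mask="trace" denied_mask="trace" peer="/sbin/dhclient"'
printf 'profile %s needs: ' "$(field "$DENIAL" profile)"
suggest_rule "$DENIAL"
```

For the snap profile in the post the rule goes into the profile body; for a non-snap application it belongs in the local/ override file the profile's last #include refers to.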
If you find configuring this file tedious, there is a simpler alternative. AppArmor has two modes: enforce mode and complain mode. The former strictly controls the application's access according to the configured rules; the latter does not block the application's file access but logs it. Run the command:
apparmor_status
to see which mode each application is in. For example, my machine shows the following:
root@ubuntu:~# apparmor_status
apparmor module is loaded.
28 profiles are loaded.
28 profiles are in enforce mode.
/sbin/dhclient
/snap/core/10823/usr/lib/snapd/snap-confine
/snap/core/10823/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/snap/core/10859/usr/lib/snapd/snap-confine
/snap/core/10859/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/lxc-start
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/lxd/lxd-bridge-proxy
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/tcpdump
docker-default
lxc-container-default
lxc-container-default-cgns
lxc-container-default-with-mounting
lxc-container-default-with-nesting
snap-update-ns.core
snap-update-ns.docker
snap.core.hook.configure
snap.docker.compose
snap.docker.docker
snap.docker.dockerd
snap.docker.help
snap.docker.hook.install
snap.docker.hook.post-refresh
snap.docker.machine
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
/sbin/dhclient (1069)
snap.docker.dockerd (5543)
snap.docker.dockerd (5618)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
You can see that snap.docker.dockerd is in enforce mode. Simply switching it to complain mode saves the trouble of configuring the rules one by one. The aa-complain command makes the change; before using it, you need to install a tool, as follows:
apt install apparmor-utils
Once installed, use the following command to make the change:
sudo aa-complain /var/lib/snapd/apparmor/profiles/snap.docker.dockerd
But this reports an error:
Profile for /var/lib/snapd/apparmor/profiles/snap.docker.dockerd not found, skipping
This feels like a bug. As I said above, the profiles of snap-installed applications are kept under /var/lib/snapd/apparmor/profiles/, while those of ordinary applications go under /etc/apparmor.d/. Profiles under /etc/apparmor.d/ are recognized, but those in other directories are not: the same profile, once placed under /etc/apparmor.d/, no longer triggers the error above. So copy snap.docker.dockerd into /etc/apparmor.d/ and run:
sudo aa-complain /etc/apparmor.d/snap.docker.dockerd
The result is as follows:
After it finishes, open both files and compare them.
Original:
New:
You can see that a complain flag has been added. Then copy the modified profile from /etc/apparmor.d/ back to /var/lib/snapd/apparmor/profiles/ to replace the original, and the profile change is done. Here I changed all the profiles under /var/lib/snapd/apparmor/profiles/ in one go, using:
sudo aa-complain /etc/apparmor.d/snap*
which changes all profiles whose names start with snap in batch. After the change, reboot and check again with apparmor_status; the result is:
root@ubuntu:~# apparmor_status
apparmor module is loaded.
26 profiles are loaded.
14 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/lxc-start
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/lxd/lxd-bridge-proxy
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/tcpdump
docker-default
lxc-container-default
lxc-container-default-cgns
lxc-container-default-with-mounting
lxc-container-default-with-nesting
12 profiles are in complain mode.
/snap/core/10859/usr/lib/snapd/snap-confine
/snap/core/10859/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
snap-update-ns.core
snap-update-ns.docker
snap.core.hook.configure
snap.docker.compose
snap.docker.docker
snap.docker.dockerd
snap.docker.help
snap.docker.hook.install
snap.docker.hook.post-refresh
snap.docker.machine
3 processes have profiles defined.
1 processes are in enforce mode.
/sbin/dhclient (1133)
2 processes are in complain mode.
snap.docker.dockerd (1218)
snap.docker.dockerd (1370)
0 processes are unconfined but have a profile defined.
You can see that it has been changed. Now starting docker through snap no longer produces AppArmor-related errors.
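Since the screenshots of the original and modified profile are missing above, here is an added example (not from the original post) that reproduces on a scratch copy of a profile what aa-complain changes in the file: it appends complain to the header's flag list, and a profile_mode check reads the header back to confirm the mode. The names header, profile_mode and set_complain, the constructed stand-in profile and the reliance on GNU sed/grep are assumptions; no real profile directory is touched.

```shell
#!/bin/sh
# Added example, not from the original post: what aa-complain changes inside
# a profile file, reproduced on a scratch copy. Assumptions: one top-level
# profile per file whose header is the first non-comment line ending in "{",
# in either the "/path {" or the 'profile "name" (flags) {' style; GNU sed/grep.

HDR='^[^#]*{[[:space:]]*$'

# header FILE -> prints the profile header line
header() {
    grep -m1 "$HDR" "$1"
}

# profile_mode FILE -> prints "complain" or "enforce" based on the header flags
profile_mode() {
    if header "$1" | grep -q '([^)]*complain[^)]*)'; then
        echo complain
    else
        echo enforce
    fi
}

# set_complain FILE -> rewrites the header in place so the profile loads in complain mode
set_complain() {
    if [ "$(profile_mode "$1")" = complain ]; then
        return 0                       # already set; nothing to do
    fi
    if header "$1" | grep -q '('; then
        # existing flag list, e.g. "(attach_disconnected)" or "flags=(attach_disconnected)"
        sed -i "0,/$HDR/{ /$HDR/ s/(\([^)]*\))/(\1,complain)/; }" "$1"
    else
        # plain header such as "/usr/sbin/tcpdump {"
        sed -i "0,/$HDR/{ /$HDR/ s/[[:space:]]*{[[:space:]]*\$/ flags=(complain) {/; }" "$1"
    fi
}

# demo on a constructed stand-in profile (not the real snap.docker.dockerd file)
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
#include <tunables/global>
profile "snap.docker.dockerd" (attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
}
EOF
echo "before: $(profile_mode "$tmp")"
set_complain "$tmp"
echo "after:  $(profile_mode "$tmp") -> $(header "$tmp")"
rm -f "$tmp"
```

Two practical points: once a profile is in complain mode the journal reports the same events with apparmor="ALLOWED", which is how you confirm the mode took effect without rebooting, and snapd regenerates the files under /var/lib/snapd/apparmor/profiles/ when the snap is refreshed, so a hand-edited flag can be lost on the next refresh.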