Lab 33.2. Explore the apparmor Security. /bin/ping-x works executed as ubuntu user in EC2 instance

lurodrig

Hello there,

After copying /bin/ping to /bing/ping-x I still can run /bin/ping-x as the ubuntu user:

$ sudo cp /bin/ping /bin/ping-x

$ sudo ls -l /bin/ping-x 
-rwxr-xr-x 1 root root 76672 Apr 12 10:03 /bin/ping-x

$ sudo getcap /bin/ping-x

$ ping-x -c3 -4 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.023 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.027 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2035ms
rtt min/avg/max/mdev = 0.023/0.029/0.037/0.005 ms

apparmor is loaded:

$ sudo apparmor_status 
apparmor module is loaded.

$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Fri 2024-04-12 09:59:51 UTC; 12min ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
   Main PID: 220 (code=exited, status=0/SUCCESS)
        CPU: 962ms

The ubuntu user looks like this:

$ whoami
ubuntu

$ groups
ubuntu adm dialout cdrom floppy sudo audio dip video plugdev netdev lxd

$ sudo -l -U ubuntu
Matching Defaults entries for ubuntu on ip-172-31-7-104:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User ubuntu may run the following commands on ip-172-31-7-104:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

And my system:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:    22.04
Codename:   jammy

$ uname -a
Linux ip-172-31-7-104 6.5.0-1014-aws #14~22.04.1-Ubuntu SMP Thu Feb 15 15:27:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Probably I must be missing something

Thanks in advance,

Luis

ps: I must to admit that I did not try yet neither in my personal laptop nor in a VM

luisviveropena

Hi @lurodrig,

I tried in a cloud VM as well. I also tried in a local VM, and it worked. The only difference is that I used Ubuntu 23.10. Can you try on that OS and version, please? Just to check if this would be related to a specific OS version.

devopsn3rd@ubuntu23:~$ sudo systemctl status apparmor
● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; preset: enabled)
Active: active (exited) since Wed 2024-04-17 14:30:05 UTC; 5min ago
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Main PID: 263 (code=exited, status=0/SUCCESS)
CPU: 1.241s

Apr 17 14:30:05 ubuntu systemd[1]: Starting apparmor.service - Load AppArmor profiles...
Apr 17 14:30:05 ubuntu apparmor.systemd[263]: Restarting AppArmor
Apr 17 14:30:05 ubuntu apparmor.systemd[263]: Reloading AppArmor profiles
Apr 17 14:30:05 ubuntu systemd[1]: Finished apparmor.service - Load AppArmor profiles.

devopsn3rd@ubuntu23:~$ id
uid=1001(devopsn3rd) gid=1002(devopsn3rd) groups=1002(devopsn3rd),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),115(netdev),116(lxd),1000(ubuntu),1001(google-sudoers)

devopsn3rd@ubuntu23:~$ ping google.com
PING google.com (172.217.219.101) 56(84) bytes of data.
64 bytes from je-in-f101.1e100.net (172.217.219.101): icmp_seq=1 ttl=115 time=1.66 ms
64 bytes from je-in-f101.1e100.net (172.217.219.101): icmp_seq=2 ttl=115 time=1.15 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.145/1.402/1.659/0.257 ms

devopsn3rd@ubuntu23:~$ ping -c 3 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.043 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1010ms
rtt min/avg/max/mdev = 0.025/0.034/0.043/0.009 ms

devopsn3rd@ubuntu23:~$ sudo cp /bin/ping /bin/ping-x
devopsn3rd@ubuntu23:~$ sudo getcap /bin/ping
/bin/ping cap_net_raw=ep

devopsn3rd@ubuntu23:~$ sudo getcap /bin/ping-x
devopsn3rd@ubuntu23:~$
devopsn3rd@ubuntu23:~$ ping-x google.com
ping-x: socktype: SOCK_RAW
ping-x: socket: Operation not permitted
ping-x: => missing cap_net_raw+p capability or setuid?

devopsn3rd@ubuntu23:~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 23.10"
NAME="Ubuntu"
VERSION_ID="23.10"
VERSION="23.10 (Mantic Minotaur)"
VERSION_CODENAME=mantic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=mantic
LOGO=ubuntu-logo

So, it worked for me and I was unable to reproduce the issue.

Regards,
Luis.

lurodrig

Hello @luisviveropena

Thank you very much for your answer and sorry for the delay in my response.

You are right, in a fresh EC2 instance with ubuntu 24.04 it works.

Thank you very much,

Cheers,

Luis

luisviveropena

Hi @lurodrig,

It's a pleasure! I'm glad it worked

Regards,
Luis.