complain mode blocks access to nsfs (/proc/self/ns/*) without exec rule

Bug #1624497 reported by Jamie Strandboge
This bug affects 4 people
Affects    Status     Importance  Assigned to  Milestone
AppArmor   Confirmed  Undecided   Unassigned

Bug Description

On snappy we discovered that the 'ip netns list' command would fail even in devmode (complain mode for apparmor). Steps to reproduce on an up-to-date Ubuntu classic desktop 16.04 system:

1. sudo snap install --devmode hello-world
2. Run ip netns list:
$ sudo /snap/bin/hello-world.sh
bash-4.3# ip netns list
open("/proc/self/ns/net"): Permission denied

/var/log/syslog only shows ALLOWED entries. Adding the following rule to /var/lib/snapd/apparmor/profiles/snap.hello-world.sh allows it to work:

  /bin/ip ix,

$ sudo /snap/bin/hello-world.sh
bash-4.3# ip netns list && echo "It worked!"
It worked!
bash-4.3#

Here is a reduced test case that demonstrates the problem:

1. save the following to ./open-proc-self-ns-net.c:

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sched.h>
#include <sys/mount.h>

int main(int argc, char *argv[])
{
    int fd;

    /* Move into a private mount namespace and make its mounts slaves of
     * the parent's, the same sequence iproute2 runs for netns operations,
     * before touching the nsfs file. */
    if (unshare(CLONE_NEWNS) < 0) {
        perror("failed");
        exit(1);
    }
    if (mount("none", "/", NULL, MS_REC | MS_SLAVE, NULL) != 0) {
        perror("failed");
        exit(1);
    }

    printf("Opening /proc/self/ns/net\n");
    fflush(stdout);

    /* This is the open that fails with "Permission denied" under a
     * complain-mode profile that has no exec rule for this binary. */
    fd = open("/proc/self/ns/net", O_RDONLY);
    if (fd == -1) {
        perror("failed");
        exit(1);
    }
    printf("success\n");
    return 0;
}

2. Save the following to ./profile:
#include <tunables/global>

profile test (attach_disconnected,complain) {
  #include <abstractions/base>

  # In complain mode, without this rule:
  #
  #/**/open-proc-self-ns-net ix,
  #
  # then the program is unable to open /proc/self/ns/net:
  # $ sudo aa-exec -p test -- sh -c './open-proc-self-ns-net'
  # Opening /proc/self/ns/net
  # failed: Permission denied
  #
  # But with the rule:
  # $ sudo aa-exec -p test -- sh -c './open-proc-self-ns-net'
  # Opening /proc/self/ns/net
  # success
}

3. Run the following:
$ gcc -o open-proc-self-ns-net open-proc-self-ns-net.c && sudo apparmor_parser -r ./profile && sudo aa-exec -p test -- sh -c './open-proc-self-ns-net'
Opening /proc/self/ns/net
failed: Permission denied

If you uncomment '/**/open-proc-self-ns-net ix,':
$ gcc -o open-proc-self-ns-net open-proc-self-ns-net.c && sudo apparmor_parser -r ./profile && sudo aa-exec -p test -- sh -c './open-proc-self-ns-net'
Opening /proc/self/ns/net
success

This has an impact on snappy in that people must connect interfaces in devmode when they wouldn't necessarily have to otherwise. For 'ip netns' users on snappy, this means:

1. be sure to specify 'plugs: [network-control]' in snapcraft.yaml
2. Install in devmode like normal. Eg: sudo snap install --devmode /path/to/your/snap
3. Connect the network-control interface. Eg: sudo snap connect SNAP_NAME:network-control ubuntu-core:network-control
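
As an added example (not part of this bug report and not one of AppArmor's own tools), the following Python script walks complain-mode audit lines and turns the ALLOWED events of one profile into candidate rules, the exec events becoming the same kind of 'ix' rule the report adds by hand for /bin/ip. The log lines are constructed samples in the key=value format the AppArmor kernel module writes to syslog; the report shows no log lines of its own, and the "//null-" child-profile name in the target= field is AppArmor's behaviour for a rule-less exec in complain mode, an assumption of this example rather than something the report states. Profile names, paths and pids in the sample are made up.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not from the report) in the key=value format the
# AppArmor kernel module writes to syslog. In complain mode an operation the
# profile lacks a rule for is logged as ALLOWED; in enforce mode as DENIED.
# Assumption: a complain-mode exec with no matching rule puts the child under a
# "<parent>//null-<path>" child profile, which the exec event names in target=.
SAMPLE_LOG = """\
audit: type=1400 audit(1473263395.170:28): apparmor="ALLOWED" operation="exec" profile="snap.hello-world.sh" name="/bin/ip" pid=4242 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.hello-world.sh//null-/bin/ip"
audit: type=1400 audit(1473263395.171:29): apparmor="ALLOWED" operation="open" profile="snap.hello-world.sh//null-/bin/ip" name="/etc/iproute2/group" pid=4242 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1473263395.172:30): apparmor="DENIED" operation="open" profile="test" name="/etc/shadow" pid=4243 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep  7 16:29:55 host kernel: [ 1234.567890] unrelated kernel message
"""

# key=value pairs, values either double-quoted or bare
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# requested_mask letters mapped onto the letters used in profile rules;
# create ("c") and append ("a") are write variants.
MASK_LETTERS = {"r": "r", "w": "w", "c": "w", "a": "w", "k": "k", "l": "l", "m": "m"}


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one AppArmor audit line, or None if
    the line is not an apparmor event at all."""
    if 'apparmor="' not in line:
        return None
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def normalize_mask(mask: str) -> str:
    """Collapse a requested_mask string into deduplicated rule letters."""
    out = ""
    for ch in mask:
        mapped = MASK_LETTERS.get(ch)
        if mapped and mapped not in out:
            out += mapped
    return out


def suggest_rule(ev: Dict[str, str]) -> Optional[str]:
    """Turn one ALLOWED event into a candidate profile rule.

    Exec events get an 'ix' rule, the shape of the '/bin/ip ix,' rule the
    report adds: it keeps the child under the parent profile instead of the
    //null- child that a rule-less complain-mode exec produces.  Other file
    operations get a rule carrying the requested access letters."""
    name = ev.get("name")
    if not name or not name.startswith("/"):
        return None
    if ev.get("operation") == "exec":
        return f"{name} ix,"
    mask = normalize_mask(ev.get("requested_mask", ""))
    return f"{name} {mask}," if mask else None


def null_profile_execs(log_text: str) -> List[str]:
    """Binaries that were executed into a '//null-' child profile, i.e. execs
    the profile had no rule for.  Per the report these are the processes for
    which opening /proc/self/ns/* then fails even in complain mode."""
    found: List[str] = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev and ev.get("operation") == "exec" and "//null-" in ev.get("target", ""):
            if ev["name"] not in found:
                found.append(ev["name"])
    return found


def missing_rules(log_text: str, profile: str) -> List[str]:
    """Unique candidate rules from the ALLOWED events of one profile.

    Events attributed to a '//null-' child are credited to the parent so the
    suggestions land in the profile that will actually be loaded."""
    rules: List[str] = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev.get("apparmor") != "ALLOWED":
            continue
        owner = ev.get("profile", "").split("//null-", 1)[0]
        if owner != profile:
            continue
        rule = suggest_rule(ev)
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for binary in null_profile_execs(SAMPLE_LOG):
        print(f"exec without rule (child runs in a //null- profile): {binary}")
    for rule in missing_rules(SAMPLE_LOG, "snap.hello-world.sh"):
        print(f"  {rule}")
```

Two caveats when using this against a real syslog. First, the report states that the failed open of /proc/self/ns/net itself produced no log entry, only ALLOWED lines for other operations, so the exec-into-null-profile event is the signal to act on, not a DENIED line for the nsfs file. Second, the script always proposes 'ix'; whether the child should inherit the parent profile or transition to its own ('px'/'cx') is a decision to make per binary before the rule goes into an enforced profile.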

description: updated
Changed in apparmor:
status: New → Confirmed

Tyler Hicks (tyhicks) wrote:

Thanks for the reduced test case. I've verified the bug, using the reduced test case, in Xenial:

$ cat /proc/version_signature
Ubuntu 4.4.0-36.55-generic 4.4.16
$ dpkg -l | grep apparmor
ii apparmor 2.10.95-0ubuntu2.2 amd64 user-space parser utility for AppArmor
...

description: updated
Christian Boltz (cboltz)
tags: added: aa-kernel
James Page (james-page)
tags: added: openstack-snap
Lance (lhartung)
information type: Public → Public Security
information type: Public Security → Public