"mount options=(rw, rslave) /," does not allow 'ip netns exec NAME /bin/sh'

Bug #1648245 reported by Jamie Strandboge
Affects: apparmor
Assigned to: John Johansen

Bug Description

With this profile:

#include <tunables/global>

profile test (attach_disconnected) {
  #include <abstractions/base>

  # ip netns add/delete foo
  /bin/ip ixr,
  network netlink raw,
  / r,
  /run/netns/ rw,
  mount options=(rw, rshared) -> /run/netns/,
  mount options=(rw, bind) /run/netns/ -> /run/netns/,
  mount options=(rw, bind) / -> /run/netns/*,
  umount /,
  /run/netns/* rw,
  capability sys_admin,

  # ip netns set foo bar
  capability net_admin,

  # ip netns identify $$
  ptrace (trace),

  # ip netns pids foo
  capability sys_ptrace,

  # ip netns exec foo /bin/sh
  mount options=(rw, rslave) /, # PROBLEMATIC RULE
  #mount options=(rw, rslave), # WORKS
  #mount, # WORKS
  umount /sys/,

  /bin/dash ixr,
}

I get a denial with 'ip netns exec' that I can't resolve without a mount rule that doesn't specify the srcname:
$ sudo apparmor_parser -r ~/apparmor.profile
$ sudo aa-exec -p test -- ip netns add foo
$ sudo aa-exec -p test -- ip netns list
$ sudo aa-exec -p test -- ip netns exec foo /bin/sh
"mount --make-rslave /" failed: Permission denied

The denial is:
Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 audit(1481150571.245:319): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="test" name="/" pid=4789 comm="ip" flags="rw, rslave"
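The denial above is the kind of line a defender has to pick apart in a log pipeline, and the interesting fields (info="failed srcname match", flags="rw, rslave") contain spaces and commas, so a naive split on whitespace mangles them. The following is an added example, not code from the bug report or from the AppArmor project: a small parser for AppArmor audit key=value lines, a helper that splits the mount flags, and a helper that emits the source-less rule the maintainer describes as the temporary workaround. The sample line is constructed after the one quoted in the report; the function names and the "srcname" heuristic are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the denial quoted in this bug report
SAMPLE_DENIAL = (
    'Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 '
    'audit(1481150571.245:319): apparmor="DENIED" operation="mount" '
    'info="failed srcname match" error=-13 profile="test" name="/" pid=4789 '
    'comm="ip" flags="rw, rslave"'
)

# key=value pairs; a quoted value may contain spaces and commas, so match
# the whole quoted string rather than splitting the line on whitespace
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_audit(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor audit line, or None if the
    line is not an AppArmor audit record at all."""
    if 'apparmor="' not in line:
        return None
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # strip the surrounding quotes
        fields[key] = value
    return fields


def mount_flags(fields: Dict[str, str]) -> List[str]:
    """Split the flags="rw, rslave" field into its individual mount flags."""
    raw = fields.get("flags", "")
    return [f.strip() for f in raw.split(",") if f.strip()]


def is_srcname_mount_denial(fields: Dict[str, str]) -> bool:
    """True for a DENIED mount whose info field reports a srcname mismatch,
    i.e. the pattern seen in this bug (heuristic chosen for this example)."""
    return (
        fields.get("apparmor") == "DENIED"
        and fields.get("operation") == "mount"
        and fields.get("info") == "failed srcname match"
    )


def workaround_rule(fields: Dict[str, str]) -> str:
    """Build the source-less rule the report marks as WORKS: keep the flags,
    drop the path. Assumes the denial is a srcname-match failure."""
    return "mount options=(" + ", ".join(mount_flags(fields)) + "),"


if __name__ == "__main__":
    f = parse_apparmor_audit(SAMPLE_DENIAL)
    assert f is not None
    print("operation:", f["operation"], "info:", f["info"])
    print("flags:", mount_flags(f))
    if is_srcname_mount_denial(f):
        print("workaround rule:", workaround_rule(f))
```

The parser keeps every field as a string (error stays "-13") so callers decide how to interpret it; the workaround helper only restates what the profile comments and the maintainer's comment already say, namely that the same rule without the "/" source is accepted.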

Emily Ratliff (emilyr)
Changed in apparmor:
assignee: nobody → John Johansen (jjohansen)
John Johansen (jjohansen) wrote :

I have verified that userspace is not generating the policy correctly for this rule. Dropping the / from the rule should work as a temporary workaround.

John Johansen (jjohansen) wrote :

Fix released upstream in apparmor 3.1.5, 3.0.11, and 2.13.9
