2016-12-07 22:47:21 | Jamie Strandboge | bug | added bug
2016-12-07 22:50:12 | Jamie Strandboge | description

Old value:

With this profile:

  #include <tunables/global>
  profile test (attach_disconnected) {
    #include <abstractions/base>
    # ip netns add/delete foo
    /bin/ip ixr,
    network netlink raw,
    / r,
    /run/netns/ rw,
    mount options=(rw, rshared) -> /run/netns/,
    mount options=(rw, bind) /run/netns/ -> /run/netns/,
    mount options=(rw, bind) / -> /run/netns/*,
    umount /,
    /run/netns/* rw,
    capability sys_admin,
    # ip netns set foo bar
    capability net_admin,
    # ip netns identify $$
    ptrace (trace),
    # ip netns pids foo
    capability sys_ptrace,
    # ip netns exec foo /bin/sh
    mount options=(rw, rslave) /, # PROBLEMATIC RULE
    #mount,
    umount /sys/,
  }

I get a denial with 'ip netns exec' that I can't resolve without a bare mount rule:

  $ sudo apparmor_parser -r ~/apparmor.profile
  $ sudo aa-exec -p test -- ip netns add foo
  $ sudo aa-exec -p test -- ip netns list
  foo
  $ sudo aa-exec -p test -- ip netns exec foo /bin/sh
  "mount --make-rslave /" failed: Permission denied

The denial is:

  Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 audit(1481150571.245:319): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="test" name="/" pid=4789 comm="ip" flags="rw, rslave"
New value:

With this profile:

  #include <tunables/global>
  profile test (attach_disconnected) {
    #include <abstractions/base>
    # ip netns add/delete foo
    /bin/ip ixr,
    network netlink raw,
    / r,
    /run/netns/ rw,
    mount options=(rw, rshared) -> /run/netns/,
    mount options=(rw, bind) /run/netns/ -> /run/netns/,
    mount options=(rw, bind) / -> /run/netns/*,
    umount /,
    /run/netns/* rw,
    capability sys_admin,
    # ip netns set foo bar
    capability net_admin,
    # ip netns identify $$
    ptrace (trace),
    # ip netns pids foo
    capability sys_ptrace,
    # ip netns exec foo /bin/sh
    mount options=(rw, rslave) /, # PROBLEMATIC RULE
    #mount options=(rw, rslave), # WORKS
    #mount, # WORKS
    umount /sys/,
    /bin/dash ixr,
  }

I get a denial with 'ip netns exec' that I can't resolve without a bare mount rule:

  $ sudo apparmor_parser -r ~/apparmor.profile
  $ sudo aa-exec -p test -- ip netns add foo
  $ sudo aa-exec -p test -- ip netns list
  foo
  $ sudo aa-exec -p test -- ip netns exec foo /bin/sh
  "mount --make-rslave /" failed: Permission denied

The denial is:

  Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 audit(1481150571.245:319): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="test" name="/" pid=4789 comm="ip" flags="rw, rslave"
2016-12-07 22:52:13 | Jamie Strandboge | description

Old value:

With this profile:

  #include <tunables/global>
  profile test (attach_disconnected) {
    #include <abstractions/base>
    # ip netns add/delete foo
    /bin/ip ixr,
    network netlink raw,
    / r,
    /run/netns/ rw,
    mount options=(rw, rshared) -> /run/netns/,
    mount options=(rw, bind) /run/netns/ -> /run/netns/,
    mount options=(rw, bind) / -> /run/netns/*,
    umount /,
    /run/netns/* rw,
    capability sys_admin,
    # ip netns set foo bar
    capability net_admin,
    # ip netns identify $$
    ptrace (trace),
    # ip netns pids foo
    capability sys_ptrace,
    # ip netns exec foo /bin/sh
    mount options=(rw, rslave) /, # PROBLEMATIC RULE
    #mount options=(rw, rslave), # WORKS
    #mount, # WORKS
    umount /sys/,
    /bin/dash ixr,
  }

I get a denial with 'ip netns exec' that I can't resolve without a bare mount rule:

  $ sudo apparmor_parser -r ~/apparmor.profile
  $ sudo aa-exec -p test -- ip netns add foo
  $ sudo aa-exec -p test -- ip netns list
  foo
  $ sudo aa-exec -p test -- ip netns exec foo /bin/sh
  "mount --make-rslave /" failed: Permission denied

The denial is:

  Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 audit(1481150571.245:319): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="test" name="/" pid=4789 comm="ip" flags="rw, rslave"
New value:

With this profile:

  #include <tunables/global>
  profile test (attach_disconnected) {
    #include <abstractions/base>
    # ip netns add/delete foo
    /bin/ip ixr,
    network netlink raw,
    / r,
    /run/netns/ rw,
    mount options=(rw, rshared) -> /run/netns/,
    mount options=(rw, bind) /run/netns/ -> /run/netns/,
    mount options=(rw, bind) / -> /run/netns/*,
    umount /,
    /run/netns/* rw,
    capability sys_admin,
    # ip netns set foo bar
    capability net_admin,
    # ip netns identify $$
    ptrace (trace),
    # ip netns pids foo
    capability sys_ptrace,
    # ip netns exec foo /bin/sh
    mount options=(rw, rslave) /, # PROBLEMATIC RULE
    #mount options=(rw, rslave), # WORKS
    #mount, # WORKS
    umount /sys/,
    /bin/dash ixr,
  }

I get a denial with 'ip netns exec' that I can't resolve without a mount rule that doesn't specify the srcname:

  $ sudo apparmor_parser -r ~/apparmor.profile
  $ sudo aa-exec -p test -- ip netns add foo
  $ sudo aa-exec -p test -- ip netns list
  foo
  $ sudo aa-exec -p test -- ip netns exec foo /bin/sh
  "mount --make-rslave /" failed: Permission denied

The denial is:

  Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 audit(1481150571.245:319): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="test" name="/" pid=4789 comm="ip" flags="rw, rslave"
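Added here as an example, not part of the bug report and not AppArmor's own tooling: a parser for kernel audit lines of the shape quoted in the report that flags propagation-only mount denials (the `mount --make-rslave /` case) and emits the options-only rule form the reporter found to work. The second sample line and all function names are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the audit line quoted in the report plus a made-up file-write denial.
SAMPLE_LINES = [
    'Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 '
    'audit(1481150571.245:319): apparmor="DENIED" operation="mount" '
    'info="failed srcname match" error=-13 profile="test" name="/" pid=4789 '
    'comm="ip" flags="rw, rslave"',
    'Dec 7 16:43:02 sec-xenial-amd64 kernel: [ 3281.100000] audit: type=1400 '
    'audit(1481150582.100:320): apparmor="DENIED" operation="open" profile="test" '
    'name="/etc/hosts.deny" pid=4790 comm="ip" requested_mask="w" denied_mask="w"',
]
_AUDIT_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\):')  # audit(epoch.msec:serial):
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="v w" or key=v
PROPAGATION_FLAGS = {"shared", "rshared", "slave", "rslave",  # mount(2) propagation types,
                     "private", "rprivate", "unbindable", "runbindable"}  # as AppArmor spells them

def parse_apparmor_audit(line):
    """Return the audit record as a dict, or None if this is not an AppArmor audit line."""
    m = _AUDIT_RE.search(line)
    if m is None or "apparmor=" not in line:
        return None
    event = {"time": datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc),
             "serial": int(m.group(2))}
    for key, quoted, bare in _KV_RE.findall(line[m.end():]):
        event[key] = quoted or bare          # quoted values may hold spaces and commas
    if "flags" in event:                     # 'rw, rslave' -> ['rw', 'rslave']
        event["flags"] = [f.strip() for f in event["flags"].split(",") if f.strip()]
    if "error" in event:
        event["error"] = int(event["error"])
    return event

def is_propagation_mount_denial(event):
    """A DENIED mount whose flags change propagation (make-rslave etc.) rather than mount a fs."""
    return (event.get("apparmor") == "DENIED" and event.get("operation") == "mount"
            and bool(PROPAGATION_FLAGS & set(event.get("flags", []))))

def suggest_rule(event):
    """Options-only rule, the form the report found to work; the path-qualified
    'mount options=(rw, rslave) /,' was still denied with 'failed srcname match'."""
    if not is_propagation_mount_denial(event):
        return None
    return "mount options=(%s)," % ", ".join(event["flags"])

def triage(lines):
    """(profile, info, candidate rule) for each propagation-mount denial; other lines are skipped."""
    events = (parse_apparmor_audit(l) for l in lines)
    return [(e["profile"], e.get("info", ""), suggest_rule(e))
            for e in events if e is not None and is_propagation_mount_denial(e)]
```

The suggested rule is deliberately broader than the path-qualified one, which is exactly the trade-off the report complains about.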
2017-05-09 15:05:58 | Emily Ratliff | apparmor: assignee | (none) -> John Johansen (jjohansen)
2019-05-14 20:40:15 | Jean-Mickael Guerin | bug | added subscriber Jean-Mickael Guerin
2020-06-01 08:55:14 | Dmitrii Shcherbakov | bug | added subscriber Dmitrii Shcherbakov