Activity log for bug #1648245

Date Who What changed Old value New value Message
2016-12-07 22:47:21 Jamie Strandboge bug added bug
2016-12-07 22:50:12 Jamie Strandboge description
Old value:
With this profile:

#include <tunables/global>
profile test (attach_disconnected) {
  #include <abstractions/base>

  # ip netns add/delete foo
  /bin/ip ixr,
  network netlink raw,
  / r,
  /run/netns/ rw,
  mount options=(rw, rshared) -> /run/netns/,
  mount options=(rw, bind) /run/netns/ -> /run/netns/,
  mount options=(rw, bind) / -> /run/netns/*,
  umount /,
  /run/netns/* rw,
  capability sys_admin,

  # ip netns set foo bar
  capability net_admin,

  # ip netns identify $$
  ptrace (trace),

  # ip netns pids foo
  capability sys_ptrace,

  # ip netns exec foo /bin/sh
  mount options=(rw, rslave) /, # PROBLEMATIC RULE
  #mount,
  umount /sys/,
}

I get a denial with 'ip netns exec' that I can't resolve without a bare mount rule:

$ sudo apparmor_parser -r ~/apparmor.profile
$ sudo aa-exec -p test -- ip netns add foo
$ sudo aa-exec -p test -- ip netns list
foo
$ sudo aa-exec -p test -- ip netns exec foo /bin/sh
"mount --make-rslave /" failed: Permission denied

The denial is:

Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 audit(1481150571.245:319): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="test" name="/" pid=4789 comm="ip" flags="rw, rslave"

New value:
With this profile:

#include <tunables/global>
profile test (attach_disconnected) {
  #include <abstractions/base>

  # ip netns add/delete foo
  /bin/ip ixr,
  network netlink raw,
  / r,
  /run/netns/ rw,
  mount options=(rw, rshared) -> /run/netns/,
  mount options=(rw, bind) /run/netns/ -> /run/netns/,
  mount options=(rw, bind) / -> /run/netns/*,
  umount /,
  /run/netns/* rw,
  capability sys_admin,

  # ip netns set foo bar
  capability net_admin,

  # ip netns identify $$
  ptrace (trace),

  # ip netns pids foo
  capability sys_ptrace,

  # ip netns exec foo /bin/sh
  mount options=(rw, rslave) /, # PROBLEMATIC RULE
  #mount options=(rw, rslave), # WORKS
  #mount, # WORKS
  umount /sys/,
  /bin/dash ixr,
}

I get a denial with 'ip netns exec' that I can't resolve without a bare mount rule:

$ sudo apparmor_parser -r ~/apparmor.profile
$ sudo aa-exec -p test -- ip netns add foo
$ sudo aa-exec -p test -- ip netns list
foo
$ sudo aa-exec -p test -- ip netns exec foo /bin/sh
"mount --make-rslave /" failed: Permission denied

The denial is:

Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 audit(1481150571.245:319): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="test" name="/" pid=4789 comm="ip" flags="rw, rslave"
2016-12-07 22:52:13 Jamie Strandboge description
Old value:
With this profile:

#include <tunables/global>
profile test (attach_disconnected) {
  #include <abstractions/base>

  # ip netns add/delete foo
  /bin/ip ixr,
  network netlink raw,
  / r,
  /run/netns/ rw,
  mount options=(rw, rshared) -> /run/netns/,
  mount options=(rw, bind) /run/netns/ -> /run/netns/,
  mount options=(rw, bind) / -> /run/netns/*,
  umount /,
  /run/netns/* rw,
  capability sys_admin,

  # ip netns set foo bar
  capability net_admin,

  # ip netns identify $$
  ptrace (trace),

  # ip netns pids foo
  capability sys_ptrace,

  # ip netns exec foo /bin/sh
  mount options=(rw, rslave) /, # PROBLEMATIC RULE
  #mount options=(rw, rslave), # WORKS
  #mount, # WORKS
  umount /sys/,
  /bin/dash ixr,
}

I get a denial with 'ip netns exec' that I can't resolve without a bare mount rule:

$ sudo apparmor_parser -r ~/apparmor.profile
$ sudo aa-exec -p test -- ip netns add foo
$ sudo aa-exec -p test -- ip netns list
foo
$ sudo aa-exec -p test -- ip netns exec foo /bin/sh
"mount --make-rslave /" failed: Permission denied

The denial is:

Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 audit(1481150571.245:319): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="test" name="/" pid=4789 comm="ip" flags="rw, rslave"

New value:
With this profile:

#include <tunables/global>
profile test (attach_disconnected) {
  #include <abstractions/base>

  # ip netns add/delete foo
  /bin/ip ixr,
  network netlink raw,
  / r,
  /run/netns/ rw,
  mount options=(rw, rshared) -> /run/netns/,
  mount options=(rw, bind) /run/netns/ -> /run/netns/,
  mount options=(rw, bind) / -> /run/netns/*,
  umount /,
  /run/netns/* rw,
  capability sys_admin,

  # ip netns set foo bar
  capability net_admin,

  # ip netns identify $$
  ptrace (trace),

  # ip netns pids foo
  capability sys_ptrace,

  # ip netns exec foo /bin/sh
  mount options=(rw, rslave) /, # PROBLEMATIC RULE
  #mount options=(rw, rslave), # WORKS
  #mount, # WORKS
  umount /sys/,
  /bin/dash ixr,
}

I get a denial with 'ip netns exec' that I can't resolve without a mount rule that doesn't specify the srcname:

$ sudo apparmor_parser -r ~/apparmor.profile
$ sudo aa-exec -p test -- ip netns add foo
$ sudo aa-exec -p test -- ip netns list
foo
$ sudo aa-exec -p test -- ip netns exec foo /bin/sh
"mount --make-rslave /" failed: Permission denied

The denial is:

Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 audit(1481150571.245:319): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="test" name="/" pid=4789 comm="ip" flags="rw, rslave"
2017-05-09 15:05:58 Emily Ratliff apparmor: assignee John Johansen (jjohansen)
2019-05-14 20:40:15 Jean-Mickael Guerin bug added subscriber Jean-Mickael Guerin
2020-06-01 08:55:14 Dmitrii Shcherbakov bug added subscriber Dmitrii Shcherbakov