Comment 0 for bug 1648245

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

With this profile:

#include <tunables/global>

profile test (attach_disconnected) {
#include <abstractions/base>

# ip netns add/delete foo
/bin/ip ixr,
network netlink raw,
/ r,
/run/netns/ rw,
mount options=(rw, rshared) -> /run/netns/,
mount options=(rw, bind) /run/netns/ -> /run/netns/,
mount options=(rw, bind) / -> /run/netns/*,
umount /,
/run/netns/* rw,
capability sys_admin,

# ip netns set foo bar
capability net_admin,

# ip netns identify $$
ptrace (trace),

# ip netns pids foo
capability sys_ptrace,

# ip netns exec foo /bin/sh
mount options=(rw, rslave) /, # PROBLEMATIC RULE
umount /sys/,

I get a denial with 'ip netns exec' that I can't resolve without a bare mount rule:
$ sudo apparmor_parser -r ~/apparmor.profile
$ sudo aa-exec -p test -- ip netns add foo
$ sudo aa-exec -p test -- ip netns list
$ sudo aa-exec -p test -- ip netns exec foo /bin/sh
"mount --make-rslave /" failed: Permission denied

The denial is:
Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 audit(1481150571.245:319): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="test" name="/" pid=4789 comm="ip" flags="rw, rslave"