Can't create nested AppArmor namespaces
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
AppArmor |
Confirmed
|
Medium
|
Unassigned | ||
apparmor (Ubuntu) |
Confirmed
|
High
|
Ubuntu Security Team | ||
linux (Ubuntu) |
Confirmed
|
High
|
Ubuntu Security Team |
Bug Description
A user with CAP_MAC_ADMIN in the init namespace can create an AppArmor policy namespace and load a profile belonging to that AppArmor namespace. Once that's done, the user can confine a process with that namespaced AppArmor profile and enter into a user namespace. That process can then load additional AppArmor profiles inside of the AppArmor and user namespace. Here's an example:
We need to set up the namespace, n1, and load the profile, p1.
$ export rules="file, signal, unix, dbus, ptrace, mount, pivot_root, capability,"
$ sudo mkdir /sys/kernel/
$ echo "profile p1 { $rules }" | sudo apparmor_parser -qrn n1
Now we enter into confinement using the AppArmor namespace and profile and then enter into an unprivileged user namespace
$ aa-exec -n n1 -p p1 -- unshare -Ur
We can now load profiles as the privileged user inside of the unprivileged user namespace
# echo "profile test {}" | apparmor_parser -qr
The reason for this bug report is that we cannot create a nested AppArmor policy namespace inside of the unprivileged user namespace
# mkdir /sys/kernel/
mkdir: cannot create directory ‘/sys/kernel/
If that worked, we could adjust LXD to read /sys/kernel/
tags: | added: bot-stop-nagging |
Changed in linux (Ubuntu): | |
assignee: | nobody → Ubuntu Security Team (ubuntu-security) |
Changed in apparmor (Ubuntu): | |
importance: | Undecided → High |
assignee: | nobody → Ubuntu Security Team (ubuntu-security) |
tags: | added: aa-kernel |
summary: |
- Can't created nested AppArmor namespaces + Can't create nested AppArmor namespaces |
Changed in apparmor: | |
status: | New → Confirmed |
importance: | Undecided → Medium |
tags: | added: cscc |
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1652101
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.