support fine-grained netlink mediation

Bug #1669552 reported by Jamie Strandboge
This bug affects 2 people
Affects: AppArmor
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

'man 7 netlink' describes various netlink families that can be used such as NETLINK_FIREWALL, NETLINK_ROUTE, NETLINK_KOBJECT_UEVENT, etc. The netlink families work just like the socket 'protocol' field, such that apparmor could be extended to support them. One way to do this would be to list the various netlink families as part of PROTOCOL in:

network [ DOMAIN ] [ TYPE | PROTOCOL ]

such that we can have:

  network netlink firewall,
  network netlink route,
  network netlink kobject_uevent,

'firewall', 'route', 'kobject_uevent', etc would only be valid when domain is 'netlink'.

I noticed that selinux is mediating reads and writes to these sockets and if apparmor were modified for the above, it would be great to also mediate recvmsg/sendmsg since some applications use netlink sockets to listen for events (e.g., recv for udev, multicast, etc.) and have no need for sending. Is this already planned as part of bug #796588 (i.e., fine-grained network mediation)?
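The two usage patterns the report distinguishes, as an added C example that is not part of the bug report or of AppArmor itself: a NETLINK_ROUTE client that must both send (an RTM_GETLINK dump request) and receive the reply, beside a NETLINK_KOBJECT_UEVENT listener that binds to the kernel multicast group and only ever receives. A rule like "network netlink kobject_uevent recv" would cover the second program but not the first. The code assumes Linux with the kernel UAPI headers; parse_constructed_reply() feeds the parser a reply built by hand (constructed, not captured from a kernel) so the parsing logic can be checked without netlink access, and the socket-using functions return -1 where netlink is unavailable.

```c
/* Two netlink usage patterns: request/response on NETLINK_ROUTE (send + recv)
 * and event subscription on NETLINK_KOBJECT_UEVENT (recv only).
 * Added example; assumes Linux and the kernel UAPI headers. */
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build an RTM_GETLINK dump request. Returns bytes used, or 0 if buf is too small. */
size_t build_getlink_dump(unsigned char *buf, size_t cap, unsigned int seq)
{
    size_t need = NLMSG_SPACE(sizeof(struct ifinfomsg));
    if (cap < need)
        return 0;
    memset(buf, 0, need);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
    nlh->nlmsg_type = RTM_GETLINK;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
    nlh->nlmsg_seq = seq;
    ((struct ifinfomsg *)NLMSG_DATA(nlh))->ifi_family = AF_UNSPEC;
    return need;
}

/* Walk one recv() worth of netlink messages: count RTM_NEWLINK records,
 * set *done when NLMSG_DONE closes the dump, return -1 on NLMSG_ERROR. */
int count_newlink(unsigned char *buf, int len, int *done)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    int n = 0;
    for (; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        if (nlh->nlmsg_type == NLMSG_DONE) {
            *done = 1;
            break;
        }
        if (nlh->nlmsg_type == NLMSG_ERROR)
            return -1;
        if (nlh->nlmsg_type == RTM_NEWLINK)
            n++;
    }
    return n;
}

/* Parse a constructed (not captured) reply: two RTM_NEWLINK then NLMSG_DONE,
 * or a lone NLMSG_ERROR when with_error is set. Exercises the parser offline. */
int parse_constructed_reply(int with_error)
{
    unsigned char buf[96] = {0};
    struct nlmsghdr *h = (struct nlmsghdr *)buf;
    int done = 0, len;
    if (with_error) {
        h->nlmsg_len = NLMSG_LENGTH(sizeof(struct nlmsgerr));
        h->nlmsg_type = NLMSG_ERROR;
        len = (int)h->nlmsg_len;
    } else {
        for (int i = 0; i < 2; i++) {
            h->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
            h->nlmsg_type = RTM_NEWLINK;
            h = (struct nlmsghdr *)((unsigned char *)h + NLMSG_ALIGN(h->nlmsg_len));
        }
        h->nlmsg_len = NLMSG_LENGTH(sizeof(int));
        h->nlmsg_type = NLMSG_DONE;
        len = (int)((unsigned char *)h - buf) + (int)h->nlmsg_len;
    }
    int n = count_newlink(buf, len, &done);
    return with_error ? n : (done ? n : -2); /* -2: dump never terminated */
}

/* NETLINK_ROUTE: the client must send the request and receive the dump.
 * Returns the interface count, or -1 if netlink is unavailable here. */
int route_dump_ifaces(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
    if (fd < 0)
        return -1;
    unsigned char req[64], rsp[1 << 16];
    size_t n = build_getlink_dump(req, sizeof req, 1);
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    int total = 0, done = 0;
    if (sendto(fd, req, n, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0)
        goto fail;
    while (!done) {
        ssize_t r = recv(fd, rsp, sizeof rsp, 0);
        int c = r > 0 ? count_newlink(rsp, (int)r, &done) : -1;
        if (c < 0)
            goto fail;
        total += c;
    }
    close(fd);
    return total;
fail:
    close(fd);
    return -1;
}

/* NETLINK_KOBJECT_UEVENT: bind to kernel multicast group 1 and only receive.
 * Returns 1 with the "action@devpath" header in out, 0 on timeout, -1 on error. */
int uevent_listen(int timeout_ms, char *out, size_t outlen)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_KOBJECT_UEVENT);
    if (fd < 0)
        return -1;
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = 1 };
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ? -1 : poll(&pfd, 1, timeout_ms);
    if (rc > 0) {
        ssize_t r = recv(fd, out, outlen - 1, 0);
        if (r > 0)
            out[r] = '\0';
        rc = r > 0 ? 1 : -1;
    }
    close(fd);
    return rc;
}

int main(void)
{
    char ev[512];
    printf("RTM_GETLINK dump: %d interfaces\n", route_dump_ifaces());
    int rc = uevent_listen(2000, ev, sizeof ev);
    printf("uevent: %s\n", rc > 0 ? ev : rc == 0 ? "(none within 2s)" : "(unavailable)");
    return 0;
}
```

Run it while plugging in a USB device to see a uevent arrive on the receive-only socket; under a profile that permitted recv but not send on netlink, uevent_listen() would keep working while route_dump_ifaces() would fail at sendto().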
