NFS access is not transparent to processes with apparmor profile containing network rules
Bug #1724903 reported by Zygmunt Krynicki
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | New | Undecided | Unassigned |
Bug Description
This is a spin-off of https:/
An AppArmor profile needs to explicitly allow network access if a process is reading or writing files mounted over NFS. This is counter-intuitive as the actual network access is happening under the hood, by the kernel and not by the userspace code.
As a typical workaround the profile needs to contain:
network inet,
network inet6,
... but this is undesirable as it grants the process permissions it would not otherwise need.
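
For reviewers who want to find profiles carrying this workaround, the following added example (not part of the bug report or of AppArmor itself) scans profile text for allow rules that grant a whole `inet`/`inet6` family or all families. The sample profile, its paths and the function name `broad_inet_rules` are constructed for illustration; `#include`d abstractions are not followed.

```python
import re

# An AppArmor network rule: optional qualifiers, "network", optional arguments, comma.
RULE = re.compile(r"^\s*((?:(?:audit|allow|deny)\s+)*)network\b([^,]*),")
FAMILIES = {"inet", "inet6"}

# Constructed sample profile (hypothetical paths), embedded so the script runs offline.
SAMPLE = """\
# constructed profile, not from the bug report
/usr/bin/example {
  /srv/nfs/** rw,
  network inet,
  network inet6,
  /etc/{passwd,group} r,
  ^worker {
    deny network inet,
    network unix stream,
  }
}
"""

def broad_inet_rules(profile_text):
    """Return (profile, line_no, rule) for each allow rule that grants a whole
    inet/inet6 family, or every family, with no type or protocol restriction."""
    findings, stack = [], []
    for lineno, raw in enumerate(profile_text.splitlines(), 1):
        code = raw.split("#", 1)[0].strip()   # drop comments (and #include lines)
        if code.endswith("{"):                # profile or hat header opens a block
            words = code[:-1].split() or ["<anonymous>"]
            named = words[0] == "profile" and len(words) > 1
            stack.append(words[1] if named else words[0])
            continue
        if code == "}":                       # block closes
            if stack:
                stack.pop()
            continue
        m = RULE.match(code)
        if not m or "deny" in m.group(1).split():
            continue                          # not a network rule, or a deny rule
        args = m.group(2).split()
        # "network," allows everything; "network inet," allows the whole family.
        if not args or (len(args) == 1 and args[0] in FAMILIES):
            findings.append(("//".join(stack) or "<none>", lineno, code))
    return findings

if __name__ == "__main__":
    for profile, lineno, rule in broad_inet_rules(SAMPLE):
        print(f"{profile}:{lineno}: {rule}")
```

Rules narrowed by type or protocol, such as `network unix stream,`, and `deny` rules are deliberately not reported.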