complain mode blocks access to nsfs (/proc/self/ns/*) without exec rule
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Confirmed | Undecided | Unassigned | |
Bug Description
On snappy we discovered that the 'ip netns list' command would fail even in devmode (complain mode for apparmor). Steps to reproduce on an up-to-date Ubuntu 16.04 classic desktop system:
1. sudo snap install --devmode hello-world
2. Run ip netns list:
$ sudo /snap/bin/
bash-4.3# ip netns list
open("/
/var/log/syslog only shows ALLOWED entries. Adding the following rule to /var/lib/
/bin/ip ix,
$ sudo /snap/bin/
bash-4.3# ip netns list && echo "It worked!"
It worked!
bash-4.3#
Here is a reduced test case that demonstrates the problem:
1. save the following to ./open-
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sched.h>
#include <sys/mount.h>

int main(int argc, char *argv[])
{
    int fd;

    /* Enter a new mount namespace so the MS_SLAVE remount below cannot
     * affect the host. The flag is truncated in the original report;
     * CLONE_NEWNS is assumed, as it is what the remount requires. */
    if (unshare(CLONE_NEWNS) != 0) {
        perror("failed");
        exit(1);
    }
    /* Make every mount point slave, as 'ip netns' does before switching. */
    if (mount("none", "/", NULL, MS_REC | MS_SLAVE, NULL) != 0) {
        perror("failed");
        exit(1);
    }
    printf("Opening /proc/self/ns/net\n");
    fflush(stdout);
    /* The access under test: a plain read-only open of the nsfs file. */
    fd = open("/proc/self/ns/net", O_RDONLY);
    if (fd == -1) {
        perror("failed");
        exit(1);
    }
    printf("success\n");
    close(fd);
    return 0;
}
2. Save the following to ./profile:
#include <tunables/global>
profile test (attach_
#include <abstractions/base>
# In complain mode, without this rule:
#
#/**/
#
# then the program is unable to open /proc/self/ns/net:
# $ sudo aa-exec -p test -- sh -c './open-
# Opening /proc/self/ns/net
# failed: Permission denied
#
# But with the rule:
# $ sudo aa-exec -p test -- sh -c './open-
# Opening /proc/self/ns/net
# success
}
3. Run the following:
$ gcc -o open-proc-
Opening /proc/self/ns/net
failed: Permission denied
If you uncomment '/**/open-
$ gcc -o open-proc-
Opening /proc/self/ns/net
success
This has an impact on snappy in that people must connect interfaces in devmode when they wouldn't necessarily have to otherwise. For 'ip netns' users on snappy, this means:
1. be sure to specify 'plugs: [network-control]' in snapcraft.yaml
2. Install in devmode like normal. Eg: sudo snap install --devmode /path/to/your/snap
3. Connect the network-control interface. Eg: sudo snap connect SNAP_NAME:
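The report notes that /var/log/syslog shows only ALLOWED entries, and that adding an `ix` rule for the executable is what made the nsfs open succeed. The following triage script is an added example, not part of the bug report or of AppArmor's own tooling: it parses AppArmor audit lines out of syslog text, folds complain-mode `//null-` learning profiles back onto their parent, and lists the file and exec rules each profile is missing, separately for ALLOWED (complain) and DENIED (enforce) events. The sample log lines, profile names and pids are constructed for the example; the `/proc/<pid>/` to `/proc/*/` generalisation is a choice made here, not aa-logprof's.

```python
import re
from collections import OrderedDict

# Constructed sample syslog lines (not taken from the bug report): a
# complain-mode exec event, the open that the spawned "null" learning profile
# then performs, an enforce-mode denial for contrast, and an unrelated line.
SAMPLE_SYSLOG = """\
Sep  6 10:15:22 host kernel: [ 1234.567890] audit: type=1400 audit(1473156922.123:45): apparmor="ALLOWED" operation="exec" profile="snap.hello-world.sh" name="/bin/ip" pid=4242 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.hello-world.sh//null-/bin/ip"
Sep  6 10:15:22 host kernel: [ 1234.568001] audit: type=1400 audit(1473156922.124:46): apparmor="ALLOWED" operation="open" profile="snap.hello-world.sh//null-/bin/ip" name="/proc/4242/ns/net" pid=4242 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep  6 10:15:30 host kernel: [ 1242.000000] audit: type=1400 audit(1473156930.000:47): apparmor="DENIED" operation="open" profile="snap.other.app" name="/etc/shadow" pid=4300 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep  6 10:15:31 host systemd[1]: Started Session 5 of user ubuntu.
"""

# key="quoted value" or key=bareword, as the kernel audit subsystem emits them
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1) or m.group(3)
        val = m.group(2) if m.group(2) is not None else m.group(4)
        fields[key] = val
    return fields


def suggest_rule(fields):
    """Map one file or exec event to the profile rule it lacks (or None)."""
    name = fields.get("name")
    if not name:
        return None
    # Generalise per-pid /proc paths so the rule is not tied to one process.
    name = re.sub(r"^/proc/\d+/", "/proc/*/", name)
    if fields.get("operation") == "exec":
        # ix keeps the child under the same profile, as the report's fix did.
        return f"{name} ix,"
    mask = fields.get("denied_mask") or fields.get("requested_mask") or ""
    perms = "".join(p for p in "rwkml" if p in mask)
    return f"{name} {perms}," if perms else None


def triage(syslog_text):
    """Group missing rules by parent profile and by ALLOWED/DENIED verdict."""
    result = OrderedDict()
    for line in syslog_text.splitlines():
        fields = parse_apparmor_line(line)
        if not fields or fields.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        rule = suggest_rule(fields)
        if not rule:
            continue
        # "profile//null-/path" is the learning profile complain mode creates
        # for an exec with no rule; attribute its events to the parent.
        profile = fields["profile"].split("//null-")[0]
        entry = result.setdefault(profile, {"ALLOWED": [], "DENIED": []})
        bucket = entry[fields["apparmor"]]
        if rule not in bucket:
            bucket.append(rule)
    return result


if __name__ == "__main__":
    for profile, verdicts in triage(SAMPLE_SYSLOG).items():
        for verdict, rules in verdicts.items():
            for rule in rules:
                print(f"{profile}\t{verdict}\t{rule}")
```

Feed it `grep apparmor /var/log/syslog` output instead of the constructed sample to see which rules a devmode snap is running without; an ALLOWED exec whose `target` is a `//null-` profile is the case this bug is about, since the rule complain mode "learned" for it is exactly the `ix` rule that has to be present for the nsfs open to work.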
description: updated
description: updated
Changed in apparmor: status: New → Confirmed
description: updated
tags: added: aa-kernel
tags: added: openstack-snap
information type: Public → Public Security
information type: Public Security → Public
Thanks for the reduced test case. I've verified the bug, using the reduced test case, in Xenial:
$ cat /proc/version_signature
Ubuntu 4.4.0-36.55-generic 4.4.16
$ dpkg -l | grep apparmor
ii apparmor 2.10.95-0ubuntu2.2 amd64 user-space parser utility for AppArmor
...