attach_disconnected required when accessing nsfs magic file
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Confirmed | Wishlist | Unassigned |
Bug Description
Use an up-to-date uvt 16.04 VM. There is certainly a simpler reproducer, but for now just adding this so it is captured.
1. $ sudo apt-get install --no-install-
2. Create /etc/nagios/
#######
# Do any local nrpe configuration here
#######
server_port=5666
allowed_
command[
3. Restart nrpe:
$ sudo service nagios-nrpe-server stop
$ sudo service nagios-nrpe-server start
4. Verify 'check_all_disks' works without confinement or snaps:
$ /usr/lib/
DISK OK - free space: ...
5. Confine the nrpe server by creating /etc/apparmor.d
# Last Modified: Sat Jul 21 08:46:57 2012
#include <tunables/global>
/usr/sbin/nrpe {
#include <abstractions/base>
#include <abstractions/
#include <abstractions/
capability setgid,
capability setuid,
capability dac_override,
/usr/sbin/nrpe mr,
signal (send) peer=/usr/
signal (send) peer=/etc/
/bin/dash rix,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/nagios/** r,
/{,var/
/usr/bin/who rix,
/usr/
}
/usr/lib/
#include <abstractions/base>
#include <abstractions/
signal (receive) peer=/usr/
/etc/mtab r,
@{PROC}
}
6. Load the profile and restart the daemon:
$ sudo apparmor_parser -r /etc/apparmor.
$ sudo service nagios-nrpe-server stop
$ sudo service nagios-nrpe-server start
$ sudo aa-status | grep nrpe
/usr/sbin/nrpe
/usr/sbin/nrpe (11439)
7. Verify confined nrpe works:
$ /usr/lib/
DISK OK - free space: ...
8. Set up an nsfs magic file (e.g., could do it with snap-confine, but ip netns is easier):
$ sudo ip netns add test
9. Try nrpe:
$ /usr/lib/
DISK CRITICAL - /run/netns/test is not accessible: Permission denied
kernel: [ 2348.037484] audit: type=1400 audit(147628235
You can remove the nsfs magic file with: 'sudo ip netns del test'
As a workaround for anyone using nrpe, use '-X nsfs' with check_disk. E.g.: check_all_disks]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -A -X squashfs -X nsfs
command[
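The audit line quoted in step 9 is truncated, but this class of denial is recognisable by the info field of the AppArmor kernel record, which reads "Failed name lookup - disconnected path" when the accessed inode (here the nsfs file that ip netns bind-mounts under /run/netns/) cannot be connected to the profile's namespace root. Below is an added Python triage script, not part of the bug report or of the AppArmor or Nagios projects, that scans dmesg-style log text for exactly that condition, groups hits by profile and prints the profile header with flags=(attach_disconnected). The sample log lines, pids, timestamps and the check_disk profile name are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of the type=1400 lines the report
# quotes from the kernel log. Only the first is the disconnected-path case;
# the second is an ordinary file denial, the third is not a denial at all.
SAMPLE_LOG = """\
kernel: [ 2348.037484] audit: type=1400 audit(1476282350.123:41): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/nagios/plugins/check_disk" name="/run/netns/test" pid=11502 comm="check_disk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: [ 2348.041002] audit: type=1400 audit(1476282350.127:42): apparmor="DENIED" operation="open" profile="/usr/sbin/nrpe" name="/etc/shadow" pid=11439 comm="nrpe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: [ 2348.052210] audit: type=1400 audit(1476282350.140:43): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/nrpe" pid=11600 comm="apparmor_parser"
"""

DISCONNECTED = "Failed name lookup - disconnected path"

# Fields are key=value; the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def find_disconnected_denials(log_text):
    """Map profile -> [(operation, name, comm)] for denials caused by a path
    AppArmor could not connect to the namespace root. Adding a file rule does
    not help here; the profile needs the attach_disconnected flag."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED" or f.get("info") != DISCONNECTED:
            continue
        hits[f["profile"]].append((f.get("operation"), f.get("name"), f.get("comm")))
    return dict(hits)


def profile_header(profile, flags=("attach_disconnected",)):
    """Header line for the profile with the flag set; the rules stay unchanged."""
    return "%s flags=(%s) {" % (profile, ",".join(flags))


if __name__ == "__main__":
    for profile, events in find_disconnected_denials(SAMPLE_LOG).items():
        print(profile, events)
        print("  suggested header:", profile_header(profile))
```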