"mount options=(rw, rslave) /," does not allow 'ip netns exec NAME /bin/sh'
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | New | Undecided | John Johansen |
Bug Description
With this profile:
```
#include <tunables/global>
profile test (attach_
  #include <abstractions/base>

  # ip netns add/delete foo
  /bin/ip ixr,
  network netlink raw,
  / r,
  /run/netns/ rw,
  mount options=(rw, rshared) -> /run/netns/,
  mount options=(rw, bind) /run/netns/ -> /run/netns/,
  mount options=(rw, bind) / -> /run/netns/*,
  umount /,
  /run/netns/* rw,
  capability sys_admin,

  # ip netns set foo bar
  capability net_admin,

  # ip netns identify $$
  ptrace (trace),

  # ip netns pids foo
  capability sys_ptrace,

  # ip netns exec foo /bin/sh
  mount options=(rw, rslave) /, # PROBLEMATIC RULE
  #mount options=(rw, rslave), # WORKS
  #mount, # WORKS
  umount /sys/,
  /bin/dash ixr,
}
```
I get a denial with 'ip netns exec' that I can't resolve without a mount rule that doesn't specify the srcname:
```
$ sudo apparmor_parser -r ~/apparmor.profile
$ sudo aa-exec -p test -- ip netns add foo
$ sudo aa-exec -p test -- ip netns list
foo
$ sudo aa-exec -p test -- ip netns exec foo /bin/sh
"mount --make-rslave /" failed: Permission denied
```
The denial is:
```
Dec 7 16:42:51 sec-xenial-amd64 kernel: [ 3270.314236] audit: type=1400 audit(148115057
```
description: updated

Changed in apparmor:
assignee: nobody → John Johansen (jjohansen)
I have verified that userspace is not generating the correctly for this rule. Dropping the / from the rule should work as a temporary workaround.
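As an added example (not code from the bug report or from the AppArmor project), the script below parses AppArmor mount and umount denials out of syslog/audit lines and turns each into a candidate profile rule written in the `[source] -> mountpoint` form that the profile above already uses for the `rshared` mount on `/run/netns/`. The log lines are constructed (the report's real denial line is cut off) and follow the kernel's audit field names for mount denials (`name` for the mountpoint, `srcname` for the source, `fstype`, `flags`, `info`); the helper names `parse_audit`, `propose_rule` and `triage` are my own.

```python
import re

# Constructed sample syslog lines: the denial in the bug report is truncated,
# so these are made up to resemble the kernel's audit format for mount denials.
SAMPLE_LOG = """\
Dec  7 16:42:51 host kernel: [ 3270.314236] audit: type=1400 audit(1481150571.123:456): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="test" name="/" pid=2345 comm="ip" flags="rw, rslave"
Dec  7 16:42:51 host kernel: [ 3270.314300] audit: type=1400 audit(1481150571.124:457): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="test" name="/run/netns/foo" pid=2345 comm="ip" srcname="/" flags="rw, bind"
Dec  7 16:42:51 host kernel: [ 3270.314400] audit: type=1400 audit(1481150571.125:458): apparmor="DENIED" operation="umount" error=-13 profile="test" name="/sys/" pid=2345 comm="ip"
Dec  7 16:42:51 host kernel: [ 3270.314500] audit: type=1400 audit(1481150571.126:459): apparmor="ALLOWED" operation="open" profile="test" name="/etc/hostname" pid=2345 comm="sh" requested_mask="r" denied_mask="r"
"""

# Matches key="quoted value" or key=bare_value tokens in an audit line.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Split one audit line into its key/value fields; None unless it is a DENIED event."""
    fields = {}
    for key, quoted, bare in _TOKEN.findall(line):
        fields[key] = quoted if quoted else bare
    return fields if fields.get("apparmor") == "DENIED" else None


def propose_rule(fields):
    """Build a candidate profile rule for a mount/umount denial (None for other operations).

    The rule follows the apparmor.d grammar
    'mount [fstype=..] [options=(..)] [SOURCE] -> MOUNTPOINT,': the kernel's
    'name' field is the mountpoint, and 'srcname' is the source, which is
    absent for propagation changes such as 'mount --make-rslave /'.
    """
    op = fields.get("operation")
    if op == "mount":
        parts = ["mount"]
        if fields.get("fstype"):
            parts.append("fstype=%s" % fields["fstype"])
        if fields.get("flags"):
            parts.append("options=(%s)" % fields["flags"])
        if fields.get("srcname"):
            parts.append(fields["srcname"])
        parts.append("-> %s" % fields["name"])
        return " ".join(parts) + ","
    if op == "umount":
        return "umount %s," % fields["name"]
    return None


def triage(log_text):
    """Return (profile, rule) pairs for every DENIED mount/umount line in log_text."""
    out = []
    for line in log_text.splitlines():
        fields = parse_audit(line)
        if not fields:
            continue
        rule = propose_rule(fields)
        if rule:
            out.append((fields["profile"], rule))
    return out


if __name__ == "__main__":
    for profile, rule in triage(SAMPLE_LOG):
        print("%s: %s" % (profile, rule))
```

The paths come out literal (`/run/netns/foo`), so a rule is generalised by hand to `/run/netns/*` as the profile does, and each candidate is checked with `apparmor_parser` before it goes into production. For the `--make-rslave /` denial the script emits `mount options=(rw, rslave) -> /,`, with `/` in the mountpoint position rather than the source position used by the rule the report marks as problematic.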