AppArmor treats regular NFS file access as network op

Bug #1784499 reported by Daniel Richard G.
This bug affects 26 people
Affects            Status        Importance  Assigned to  Milestone
AppArmor           Fix Released  Undecided   Unassigned
snapd              Invalid       Undecided   Unassigned
apparmor (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

I am using AppArmor 2.12-4ubuntu5 on Ubuntu 18.04/bionic.

I have the usr.bin.man profile enforced, and home directories in NFS.

The log excerpt copied below is the result of a single invocation of "man ls" by an unprivileged user. (The program did display the man page correctly to the user.)

It does not seem appropriate for AppArmor to report the man(1) program as having attempted to contact the NFS server directly, when it only tried to access an NFS-served file in the normal way. "man" is not a network-aware program and the log below misleadingly implies otherwise.

----------------

Jul 30 17:38:35 darkstar kernel: [69963.052243] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052274] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052297] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052314] kauditd_printk_skb: 34 callbacks suppressed
Jul 30 17:38:35 darkstar kernel: [69963.052316] audit: type=1400 audit(1532986715.854:214): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.052323] audit: type=1400 audit(1532986715.854:215): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=802 faddr=10.24.115.84 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.052327] audit: type=1400 audit(1532986715.854:216): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.052339] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052363] audit: type=1400 audit(1532986715.854:217): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.052364] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052369] audit: type=1400 audit(1532986715.854:218): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=802 faddr=10.24.115.84 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.052386] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052450] audit: type=1400 audit(1532986715.854:219): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.059570] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.059640] audit: type=1400 audit(1532986715.862:220): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.061907] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.061925] audit: type=1400 audit(1532986715.862:221): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.062006] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.062014] audit: type=1400 audit(1532986715.862:222): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.066404] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.066434] audit: type=1400 audit(1532986715.866:223): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2788 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.066437] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.066462] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067504] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067535] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067548] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067560] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067590] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067622] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068322] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068338] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068454] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068493] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068525] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068704] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068733] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068754] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.091164] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.092624] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.092822] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.093069] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.093162] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.093926] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.094128] nfs: RPC call returned error 13

Revision history for this message
Daniel Richard G. (skunk) wrote :

I have an additional test case that is perhaps more immediate. Attempting to view a roff file in NFS directly:

    $ man ./zlib.3
    man: ./zlib.3: Permission denied
    No manual entry for ./zlib.3

This fails despite the permissive "/** mrixwlk" rule in the AppArmor profile. Similar output in the log as above; the denials are network-related, not file-access-related.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Markus Kuhn (markus-kuhn) wrote :

AppArmor really should restrict NFS access only via the file-path rules, not via the network rules, since if an application accesses a file via NFS, all related network traffic is initiated and controlled by the kernel (or by kernel helper processes like automount, rpc.gssd and nfsidmap), and not by the application.

Workaround (for /usr/bin/man only):

Add to /etc/apparmor.d/local/usr.bin.man the lines

  # TCP/UDP network access for NFS
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

then run

# systemctl reload apparmor

This really should be fixed in the kernel, but until then, perhaps adding a widely-included /etc/apparmor.d/abstractions/nfs with the above lines would be useful, as /usr/bin/man is just one example of an affected application.

See also bug #1662552
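
Added here as an example, not code from the bug report or from the AppArmor project: a small Python triage script that parses audit lines like those above, separates DENIED sendmsg/recvmsg events whose peer port is the NFS port 2049 (which, as Markus notes, is traffic the kernel sends on the process's behalf) from other network denials, and prints the local-override lines from the workaround for each affected profile. The sample log is constructed from the report's own lines plus one invented port-443 denial for a hypothetical /usr/bin/example profile; the fport==2049 heuristic is an assumption and would also match a program that genuinely opens a socket to an NFS server itself.

```python
import re
from collections import defaultdict

# Constructed sample log: the first three lines are shaped like the report's
# own dmesg output; the fourth is an invented non-NFS denial for a hypothetical
# /usr/bin/example profile so the two cases can be told apart.
SAMPLE_LOG = """\
Jul 30 17:38:35 darkstar kernel: [69963.052243] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052316] audit: type=1400 audit(1532986715.854:214): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.061925] audit: type=1400 audit(1532986715.862:221): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:36 darkstar kernel: [69963.100000] audit: type=1400 audit(1532986716.000:230): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/example" pid=3001 comm="example" laddr=X.X.X.X lport=40000 faddr=Z.Z.Z.Z fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
"""

NFS_PORT = "2049"

# key="quoted value" or key=bareword, as the kernel audit format emits them
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The local-override lines from the workaround in the comment above.
WORKAROUND_RULES = (
    "  # TCP/UDP network access for NFS",
    "  network inet stream,",
    "  network inet6 stream,",
    "  network inet dgram,",
    "  network inet6 dgram,",
)


def parse_apparmor_audit(line):
    """Return the key=value fields of an AppArmor audit line, or None for any other line."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def classify(fields):
    """Heuristic (an assumption): a DENIED sendmsg/recvmsg whose peer port is 2049 is
    NFS traffic the kernel sent on the process's behalf, not the program's own socket."""
    if fields.get("apparmor") != "DENIED":
        return "allowed"
    if fields.get("operation") in ("sendmsg", "recvmsg") and fields.get("fport") == NFS_PORT:
        return "nfs-file-access"
    return "network"


def triage(log_text):
    """Count denials per profile, split into NFS-attributed and genuine network denials."""
    counts = defaultdict(lambda: {"nfs-file-access": 0, "network": 0})
    for line in log_text.splitlines():
        fields = parse_apparmor_audit(line)
        if fields is None:
            continue
        kind = classify(fields)
        if kind == "allowed":
            continue
        counts[fields.get("profile", "?")][kind] += 1
    return dict(counts)


def suggested_local_override(profile, profile_counts):
    """Return (path, rules) for /etc/apparmor.d/local/<profile name> when the profile
    shows NFS-attributed denials; None when only plain network denials were seen."""
    if profile_counts.get("nfs-file-access", 0) == 0:
        return None
    name = profile.lstrip("/").replace("/", ".")  # /usr/bin/man -> usr.bin.man
    return f"/etc/apparmor.d/local/{name}", "\n".join(WORKAROUND_RULES)


if __name__ == "__main__":
    for profile, c in triage(SAMPLE_LOG).items():
        print(f"{profile}: nfs-file-access={c['nfs-file-access']} network={c['network']}")
        hint = suggested_local_override(profile, c)
        if hint:
            path, rules = hint
            print(f"  add to {path}:\n{rules}\n  then: systemctl reload apparmor")
```

Run against real dmesg or journalctl -k output, the script lists which profiles are tripping on NFS-backed file access and which are hitting real network denials that deserve a look. Note that the override lines grant the profile general inet/inet6 stream and dgram send rights, which is wider than NFS alone, so treat the output as a starting point for a per-profile decision rather than something to apply blindly.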

Daniel Richard G. (skunk) wrote :

Thanks for looking into this Markus. I'm surprised that the kernel pieces needed to make this work as expected have yet to be fully integrated.

Ingar Smedstad (ingsme)
no longer affects: apparmor
Zygmunt Krynicki (zyga) wrote :

I'm marking this bug as a property (good or bad is in the eye of the beholder) of the kernel stack. The snapd project cannot do anything about it.

Changed in apparmor:
status: New → Confirmed
Changed in snapd:
status: New → Invalid
John Johansen (jjohansen) wrote :

zyga, well, patches are welcome ;-)

John Johansen (jjohansen) wrote :

With that said, some networking work is being done this cycle and we will try to address this.

clickwir (clickwir) wrote :

FWIW, I still see this on a fresh Ubuntu 20.04 install. My NFS server is also Ubuntu 20.04.

Linux server01 5.4.0-37-generic #41-Ubuntu SMP Wed Jun 3 18:57:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

[1129462.984558] audit: type=1400 audit(1592950067.469:72821): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2490588 comm="man" laddr=10.x.x.x lport=846 faddr=10.x.x.x fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
[1129462.984563] nfs: RPC call returned error 13

My server /etc/exports looks like this:
/path *(rw,async,insecure,mp=/path,all_squash,no_subtree_check)

My client's fstab just uses 'defaults', nothing else. But here's what 'mount' shows:
10.x.x.x:/path on /path type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.x.x.x,local_lock=none,addr=10.x.x.x)

rikka (rikka0w0) wrote :

This bug still exists in the latest Ubuntu 22.04 Live image. When I netboot the image and apply another lower layer (NFS-based), I still get "nfs rpc call returned error 13" in my dmesg. Intensive Google searching led me to this thread. This bug causes Firefox (provided via snap) to be non-functional.

My kernel args look like this:
initrd=initrd nfsroot=${nfs-linux-boot}/kubuntu2204 netboot=nfs boot=casper ip=dhcp mitigations=off utc=no ignore_uuid

My solution was to append "apparmor=0" to the kernel args to fully disable AppArmor. Now snap and Firefox work again. I believe this is not the best solution.

John Johansen (jjohansen) wrote :

Yes, unfortunately the network work was deferred; it's still a WIP but is not scheduled as a work item for the cycle. With that said, we still hope to get this fixed, I just can't promise it.

John Johansen (jjohansen) wrote :

@rikka0w0 are you willing to test a kernel patch for this issue?

John Johansen (jjohansen) wrote :

This is fixed in the 6.0 kernel and later. So Lunar (23.04) ...

Changed in apparmor:
status: Confirmed → Fix Released
Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released