AppArmor treats regular NFS file access as network op
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Fix Released | Undecided | Unassigned | |
| snapd | Invalid | Undecided | Unassigned | |
| apparmor (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
I am using AppArmor 2.12-4ubuntu5 on Ubuntu 18.04/bionic.
I have the usr.bin.man profile enforced, and home directories in NFS.
The log excerpt copied below is the result of a single invocation of "man ls" by an unprivileged user. (The program did display the man page correctly to the user.)
It does not seem appropriate for AppArmor to report the man(1) program as having attempted to contact the NFS server directly, when it only tried to access an NFS-served file in the normal way. "man" is not a network-aware program and the log below misleadingly implies otherwise.
----------------
Jul 30 17:38:35 darkstar kernel: [69963.052243] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052274] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052297] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052314] kauditd_printk_skb: 34 callbacks suppressed
Jul 30 17:38:35 darkstar kernel: [69963.052316] audit: type=1400 audit(153298671
Jul 30 17:38:35 darkstar kernel: [69963.052323] audit: type=1400 audit(153298671
Jul 30 17:38:35 darkstar kernel: [69963.052327] audit: type=1400 audit(153298671
Jul 30 17:38:35 darkstar kernel: [69963.052339] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052363] audit: type=1400 audit(153298671
Jul 30 17:38:35 darkstar kernel: [69963.052364] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052369] audit: type=1400 audit(153298671
Jul 30 17:38:35 darkstar kernel: [69963.052386] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052450] audit: type=1400 audit(153298671
Jul 30 17:38:35 darkstar kernel: [69963.059570] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.059640] audit: type=1400 audit(153298671
Jul 30 17:38:35 darkstar kernel: [69963.061907] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.061925] audit: type=1400 audit(153298671
Jul 30 17:38:35 darkstar kernel: [69963.062006] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.062014] audit: type=1400 audit(153298671
Jul 30 17:38:35 darkstar kernel: [69963.066404] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.066434] audit: type=1400 audit(153298671
Jul 30 17:38:35 darkstar kernel: [69963.066437] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.066462] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067504] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067535] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067548] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067560] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067590] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.067622] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068322] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068338] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068454] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068493] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068525] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068704] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068733] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.068754] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.091164] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.092624] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.092822] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.093069] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.093162] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.093926] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.094128] nfs: RPC call returned error 13
I have an additional test case that is perhaps more immediate. Attempting to view a roff file in NFS directly:
$ man ./zlib.3
man: ./zlib.3: Permission denied
No manual entry for ./zlib.3
This fails despite the permissive "/** mrixwlk" rule in the AppArmor profile. Similar output in the log as above; the denials are network-related, not file-access-related.
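A triage helper for the situation described in this report, added here as an example and not part of the bug report or of the AppArmor project: it parses kernel-log lines, classifies each AppArmor denial as file or network by the fields it carries, and flags network denials that land in the same second as an NFS "RPC call returned error 13" (EACCES) message as candidates for this NFS-attribution behaviour. The audit lines in SAMPLE_LOG are constructed (the report's own are truncated); the field names follow the standard AppArmor audit format.

```python
import re

# Constructed sample modelled on the report's dmesg excerpt; the audit lines are invented.
SAMPLE_LOG = """\
Jul 30 17:38:35 darkstar kernel: [69963.052243] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052316] audit: type=1400 audit(1532986715.052:2001): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=4242 comm="man" family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
Jul 30 17:38:35 darkstar kernel: [69963.052339] nfs: RPC call returned error 13
Jul 30 17:38:35 darkstar kernel: [69963.052369] audit: type=1400 audit(1532986715.052:2002): apparmor="DENIED" operation="recvmsg" profile="/usr/bin/man" pid=4242 comm="man" family="inet" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jul 30 17:40:01 darkstar kernel: [70049.100000] audit: type=1400 audit(1532986801.100:2010): apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/srv/private/notes.txt" pid=4300 comm="man" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PREFIX_RE = re.compile(r'^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+\[[^\]]*\]\s*(.*)$')

def parse_line(line):
    """Split a syslog-style kernel line into (timestamp, message); None if it does not match."""
    m = PREFIX_RE.match(line)
    return (m.group(1), m.group(2)) if m else None

def parse_denial(msg):
    """Return the key=value fields of an AppArmor DENIED event as a dict, or None."""
    if 'apparmor="DENIED"' not in msg:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(msg)}
    # Network events carry family=/sock_type=; file events carry name=.
    if "family" in fields:
        fields["kind"] = "network"
    elif "name" in fields:
        fields["kind"] = "file"
    else:
        fields["kind"] = "other"
    return fields

def triage(log_text):
    """Classify each denial and flag network denials coinciding with NFS EACCES errors."""
    nfs_seconds, denials = set(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, msg = parsed
        if "nfs: RPC call returned error 13" in msg:  # errno 13 == EACCES
            nfs_seconds.add(ts)
        d = parse_denial(msg)
        if d:
            d["ts"] = ts
            denials.append(d)
    for d in denials:
        d["nfs_suspect"] = d["kind"] == "network" and d["ts"] in nfs_seconds
    return denials

if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(d["ts"], d["profile"], d["kind"], d["operation"], "nfs_suspect=%s" % d["nfs_suspect"])
```

A network denial for a profile that has no network rules, arriving in the same second as NFS EACCES errors, is the signature to look for before deciding whether the profile itself needs changing.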