update network-bind interface for netlink when fine-grained netlink mediation is available

Bug #1499897 reported by Jamie Strandboge
Affects: snapd (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

See this from the network-bind interface:

# java apps request this but seem to work fine without it. Netlink sockets
# are used to talk to kernel subsystems though and since apps run as root,
# allowing blanket access needs to be carefully considered. Kernel capabilities
# checks (which apparmor mediates) *should* be enough to keep abuse down,
# however Linux capabilities can be quite broad and there have been CVEs in
# this area. The issue is complicated because reserved policy groups like
# 'network-admin' and 'network-firewall' have legitimate use for this rule,
# however a network facing server shouldn't typically be running with these
# policy groups. LP: #1499897
# Note: for now, don't explicitly deny this noisy denial so --devmode isn't
# broken but eventually we may conditionally deny this.
#deny network netlink dgram,

When we have fine-grained netlink mediation we'll be in a position to know what to allow and not allow.

Changed in ubuntu-core-security (Ubuntu):
status: New → Confirmed
tags: added: apparmor application-confinement
summary: - update network-service cap for netlink when fine-grained netlink
- mediation is available
+ update network-bind cap for netlink when fine-grained netlink mediation
+ is available
affects: ubuntu-core-security (Ubuntu) → snapd (Ubuntu)
tags: added: snapd-interface
description: updated
summary: - update network-bind cap for netlink when fine-grained netlink mediation
- is available
+ update network-bind interface for netlink when fine-grained netlink
+ mediation is available
Changed in snapd (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Netlink mediation is in 2.26.

Changed in snapd (Ubuntu):
status: Confirmed → Fix Released