update network-bind interface for netlink when fine-grained netlink mediation is available
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
See this from the network-bind interface:
# java apps request this but seem to work fine without it. Netlink sockets
# are used to talk to kernel subsystems though and since apps run as root,
# allowing blanket access needs to be carefully considered. Kernel capabilities
# checks (which apparmor mediates) *should* be enough to keep abuse down,
# however Linux capabilities can be quite broad and there have been CVEs in
# this area. The issue is complicated because reserved policy groups like
# 'network-admin' and 'network-firewall' have legitimate use for this rule,
# however a network facing server shouldn't typically be running with these
# policy groups. LP: #1499897
# Note: for now, don't explicitly deny this noisy denial so --devmode isn't
# broken but eventually we may conditionally deny this.
#deny network netlink dgram,
When we have fine-grained netlink mediation we'll be in a position to know what to allow and not allow.
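Until fine-grained mediation lands, the only thing that reveals which kernel subsystem a confined app is actually talking to is the AppArmor audit record itself: a netlink socket denial carries `family="netlink"`, `sock_type=`, and `protocol=`, where the protocol number is the NETLINK_* constant from linux/netlink.h (0 is NETLINK_ROUTE, 15 is NETLINK_KOBJECT_UEVENT, and so on). The script below is an added example, not snapd's code: it parses kernel log lines in that record format and summarizes, per profile and netlink protocol, what was requested and whether the profile was in complain mode (which is what `--devmode` gives a snap, so the record reads `apparmor="ALLOWED"`). The log lines are constructed for the example, and the profile and command names in them are made up.

```python
import re

# Netlink protocol numbers from <linux/netlink.h>. The AppArmor audit record
# reports the protocol as an integer, so this maps it back to a name.
NETLINK_PROTOCOLS = {
    0: "NETLINK_ROUTE",
    2: "NETLINK_USERSOCK",
    4: "NETLINK_SOCK_DIAG",
    6: "NETLINK_XFRM",
    7: "NETLINK_SELINUX",
    9: "NETLINK_AUDIT",
    11: "NETLINK_CONNECTOR",
    12: "NETLINK_NETFILTER",
    15: "NETLINK_KOBJECT_UEVENT",
    16: "NETLINK_GENERIC",
    21: "NETLINK_CRYPTO",
}

# Constructed sample of kernel log output (journalctl -k / dmesg). The profile
# and comm names are hypothetical; the field layout is AppArmor's audit format.
SAMPLE_KERNEL_LOG = """\
audit: type=1400 audit(1493045890.123:45): apparmor="DENIED" operation="create" profile="snap.javaapp.server" pid=4242 comm="java" family="netlink" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1493045890.124:46): apparmor="DENIED" operation="create" profile="snap.javaapp.server" pid=4242 comm="java" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1493045891.001:47): apparmor="ALLOWED" operation="create" profile="snap.devtool.cli" pid=5150 comm="udevadm" family="netlink" sock_type="raw" protocol=15 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1493045892.500:48): apparmor="DENIED" operation="open" profile="snap.javaapp.server" name="/etc/shadow" pid=4242 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1493045893.250:49): apparmor="DENIED" operation="create" profile="snap.javaapp.server" pid=4243 comm="java" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
"""

# One audit record is a run of key=value pairs; values are either quoted
# strings or bare tokens. Quotes are stripped so callers compare plain text.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_record(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: value.strip('"') for key, value in _KV_RE.findall(line)}


def summarize_netlink_access(log_text):
    """Group netlink socket events by (profile, protocol name).

    Only records with family="netlink" count. apparmor="DENIED" means the
    profile was enforcing; apparmor="ALLOWED" means it was in complain mode
    (a snap installed with --devmode), where the access went through but was
    logged because no rule permitted it.
    """
    summary = {}
    for line in log_text.splitlines():
        rec = parse_apparmor_record(line)
        if rec.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if rec.get("family") != "netlink":
            continue
        proto_num = int(rec.get("protocol", "-1"))
        proto = NETLINK_PROTOCOLS.get(proto_num, "NETLINK_%d" % proto_num)
        entry = summary.setdefault(
            (rec.get("profile", "?"), proto),
            {"sock_types": set(), "comms": set(), "modes": set()},
        )
        entry["sock_types"].add(rec.get("sock_type", "?"))
        entry["comms"].add(rec.get("comm", "?"))
        entry["modes"].add("complain" if rec["apparmor"] == "ALLOWED" else "enforce")
    return summary


def report_lines(summary):
    """Render the summary as one line per (profile, protocol), sorted."""
    lines = []
    for (profile, proto), entry in sorted(summary.items()):
        lines.append(
            "%s: %s via %s by %s [%s]"
            % (
                profile,
                proto,
                ",".join(sorted(entry["sock_types"])),
                ",".join(sorted(entry["comms"])),
                ",".join(sorted(entry["modes"])),
            )
        )
    return lines


if __name__ == "__main__":
    for line in report_lines(summarize_netlink_access(SAMPLE_KERNEL_LOG)):
        print(line)
```

Run against real output with `journalctl -k | python3 netlink_denials.py`-style piping (replace `SAMPLE_KERNEL_LOG` with `sys.stdin.read()`), then read the protocol column: a server that only ever touches NETLINK_ROUTE is a different risk from one opening NETLINK_AUDIT or NETLINK_NETFILTER sockets, and that distinction is exactly what the blanket `network netlink dgram,` rule cannot express.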
Changed in ubuntu-core-security (Ubuntu):
status: New → Confirmed
tags: added: apparmor application-confinement
summary: "update network-service cap for netlink when fine-grained netlink mediation is available" → "update network-bind cap for netlink when fine-grained netlink mediation is available"
affects: ubuntu-core-security (Ubuntu) → snapd (Ubuntu)
tags: added: snapd-interface
description: updated
summary: "update network-bind cap for netlink when fine-grained netlink mediation is available" → "update network-bind interface for netlink when fine-grained netlink mediation is available"

Changed in snapd (Ubuntu):
importance: Undecided → Medium
Netlink mediation is in 2.26.