Permission denied and inconsistent behavior in complain mode with 'ip netns list' command
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | In Progress | Undecided | John Johansen |
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Yakkety | Fix Released | Undecided | Unassigned |
Bug Description
On 16.04 with Ubuntu 4.4.0-53.74-generic 4.4.30
With this profile:
#include <tunables/global>
profile test (attach_
#include <abstractions/base>
/{,usr/}{,s}bin/ip ixr, # COMMENT OUT THIS RULE TO SEE WEIRDNESS
capability sys_admin,
capability net_admin,
capability sys_ptrace,
network netlink raw,
ptrace (trace),
/ r,
/run/netns/ rw,
/run/netns/* rw,
mount options=(rw, rshared) -> /run/netns/,
mount options=(rw, bind) /run/netns/ -> /run/netns/,
mount options=(rw, bind) / -> /run/netns/*,
mount options=(rw, rslave) /,
mount options=(rw, rslave), # LP: #1648245
umount /sys/,
umount /,
/bin/dash ixr,
}
Everything is fine when I do:
$ sudo apparmor_parser -r /home/jamie/
$
and there are no ALLOWED entries in syslog.
However, if I comment out the '/{,usr/}{,s}bin/ip ixr,' rule, I get a permission denied and a bunch of ALLOWED entries:
$ sudo apparmor_parser -r /home/jamie/
open("/
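The symptom above is a profile that produces complain-mode ALLOWED records and, at the same time, a real permission denial. The following added example (not part of the bug report or of AppArmor itself) parses kernel type=1400 audit lines and flags any profile that logs both apparmor="ALLOWED" and apparmor="DENIED" events, folding the complain-mode learning profiles (profile//null-/path) back onto their parent. The log lines are constructed samples in the standard field layout, not the truncated lines from this report.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines (values are made up, format is the usual
# AppArmor type=1400 audit record as printed by the kernel).
SAMPLE_LOG = """\
Dec  9 17:08:09 host kernel: [ 3117.862629] audit: type=1400 audit(1481324889.100:501): apparmor="ALLOWED" operation="capable" profile="test" pid=4242 comm="ip" capability=21  capname="sys_admin"
Dec  9 17:08:09 host kernel: [ 3117.870339] audit: type=1400 audit(1481324889.101:502): apparmor="ALLOWED" operation="exec" profile="test" name="/sbin/ip" pid=4242 comm="dash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="test//null-/sbin/ip"
Dec  9 17:08:09 host kernel: [ 3117.870559] audit: type=1400 audit(1481324889.102:503): apparmor="DENIED" operation="open" profile="test//null-/sbin/ip" name="/" pid=4242 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key/value fields of an AppArmor type=1400 audit line, or None."""
    if 'type=1400' not in line or 'apparmor=' not in line:
        return None
    return {key: (quoted or bare) for key, _, quoted, bare in FIELD_RE.findall(line)}


def base_profile(name):
    """Map a complain-mode learning profile (parent//null-/path) to its parent."""
    return name.split('//null-', 1)[0]


def find_inconsistencies(log_text):
    """Count ALLOWED and DENIED records per (parent) profile and return only the
    profiles that show both, together with the denied operations for triage.
    A complain-mode profile is expected to audit, never to deny, so such a
    profile is the signature of the behaviour described in this bug."""
    counts = defaultdict(lambda: {'ALLOWED': 0, 'DENIED': 0, 'denials': []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or 'profile' not in ev:
            continue
        entry = counts[base_profile(ev['profile'])]
        entry[ev['apparmor']] += 1
        if ev['apparmor'] == 'DENIED':
            entry['denials'].append((ev.get('operation', '?'), ev.get('name', '?')))
    return {p: c for p, c in counts.items() if c['ALLOWED'] and c['DENIED']}


if __name__ == '__main__':
    for profile, info in find_inconsistencies(SAMPLE_LOG).items():
        print(profile, info['ALLOWED'], 'allowed,', info['DENIED'], 'denied:', info['denials'])
```

On a real host feed it `journalctl -k` or `/var/log/kern.log` instead of SAMPLE_LOG; an empty result means no profile mixed complain-mode auditing with denials.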
summary:
- Permission denied and inconsistent behavior in complain mode with 'ip' command
+ Permission denied and inconsistent behavior in complain mode with 'ip netns list' command
Changed in linux (Ubuntu Yakkety):
status: New → Fix Committed
Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
Changed in linux (Ubuntu Xenial):
status: Triaged → Fix Committed
A regression was introduced in exec under complain mode by a fix to no-new-privs in a stacked situation.
This behavior should currently only be in the test kernels, and -proposed kernels (patches were applied this morning).
I have test kernels with a fix for this in http://people.canonical.com/~jj/linux+jj/