This bug is awaiting verification that the linux-azure/5.15.0-1109.118
kernel in -proposed solves the problem. Please test the kernel and
update this bug with the results. If the problem is solved, change the
tag 'verification-needed-jammy-linux-azure' to 'verification-done-jammy-
linux-azure'. If the problem still exists, change the tag 'verification-
needed-jammy-linux-azure' to 'verification-failed-jammy-linux-azure'.
If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!
** Tags added: kernel-spammed-jammy-linux-azure-v2 verification-needed-jammy-linux-azure
--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2121257
Title:
[SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user
namespaces
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Jammy:
Fix Released
Status in linux source package in Noble:
Fix Released
Status in linux source package in Plucky:
Fix Released
Status in linux source package in Questing:
Fix Released
Bug description:
[ Impact ]
Apparmor-confined applications running in lxc containers may encounter denials
when attempting to access hard links or unix sockets which would not be denied
outside a user namespace. This occurs because the userns uid is not converted
to a kuid before the permissions check.
This affects applications confined by apparmor and running in user
namespaces.
The user who originally reported this described missing keyboard input for
Firefox running in a LXD container due to EPERM against the ibus socket.
[ Test Plan ]
lxc launch ubuntu:24.04 podia # on Ubuntu 24.04 host
lxc shell podia
Hard links:
```
cat > linkit.aa <<EOF
#include <tunables/global>
profile linkit {
#include <abstractions/base>
/usr/bin/ln mr,
audit owner /root/link l,
}
EOF
apparmor_parser linkit.aa
echo long > chain
aa-exec -p linkit ln chain link
```
Expected result:
success (code 0)
Audit message on dmesg (no denials)
Actual result:
permission denied
$ dmesg | tail
...
apparmor="DENIED" operation="link" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit" name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" target="/root/chain" fsuid=1000000 ouid=0
Unix sockets:
```
cat > sockit.aa <<EOF
#include <tunables/global>
profile sockit {
#include <abstractions/base>
/usr/bin/nc.openbsd mr,
audit owner /root/sock rw,
}
EOF
apparmor_parser sockit.aa
nc -lkU sock &
aa-exec -p sockit nc -U sock
```
Expected result:
open socket (Ctrl-C to exit)
Audit message on dmesg (no denials)
Actual result:
permission denied
$ dmesg | tail
...
apparmor="DENIED" operation="connect" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit" name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ Where problems could occur ]
The patches modify code that is only called when apparmor mediates access to
unix sockets or hard links, so if the patches are incorrect we would expect
to see denials or other failures related to hard links or unix sockets.
[ Other Information ]
Original mailing list submissions:
https://lore.kernel.org/linux-security-module/20250416224209.904863-2-gabriel.totev@zetier.com/T/
https://lists.ubuntu.com/archives/apparmor/2025-April/013602.html
Upstream patches:
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5bf96d20fd787e4909b755de4705d52f3458836
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3fa0af4cc8a31d4139ee85a7b0e3d9b4f37b3093
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2121257/+subscriptions
Комментариев нет:
Отправить комментарий