Hello, this is a follow-up of the discussion on #apparmor today.
One of the patches upstreamed to Kernel 4.14 rc2 added support for network rules, which also means parts of unix events are now confined. The result is lots of denials for unix dgram and unix stream, and those denials also have a very visible user impact. For example, dhclient breaks - which means the network won't come up. In total, I had to adjust 40 of my profiles.

Unfortunately 4.14 doesn't log the path involved, which makes it hard to add proper unix rules. Instead, allow network unix stream and dgram. These rules are broader than needed, but fix the denials for now to avoid user impact.

The final solution will be to add proper unix rules, but for now I intend to add the following patch to the AppArmor package in openSUSE Tumbleweed. I do _not_ plan to commit this patch to AppArmor bzr because it's a temporary solution, so this mail is more FYI. Nevertheless, if someone sees a serious problem with this patch, please speak up now - or wait until unix rules are upstreamed ;-)

@intrigeri: You might want to grab this patch before Kernel 4.14 arrives in Debian ;-)

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1061195

BTW: The temporary rules are exactly what aa-logprof proposed ;-) (which also means I'll have to do some adjustments to propose unix rules instead of network unix)

=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice 2017-09-15 20:47:26 +0000
+++ profiles/apparmor.d/abstractions/nameservice 2017-10-02 21:46:50 +0000
@@ -90,6 +90,11 @@ network inet dgram, network inet6 dgram, + # unix dgram/stream + # TODO: replace with more specific unix rules when support for unix rules arrives in the Kernel (probably in 4.15) and gives us detailed log messages + network unix dgram, + network unix stream, + # TODO: adjust when support finer-grained netlink rules # Netlink raw needed for nscd network netlink raw,

Regards,

Christian Boltz
--
Here, however, I very much want data protection to exist, and to be able to trust the processing software further than I could throw the programmer.
[Princess in http://blog.koehntopp.de/archives/3090-Placebo-Forte-N.html#c27615]
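Review bot: the last added line, `+ # TODO: adjust when support finer-grained netlink rules`, is unrelated to the unix dgram/stream rules this patch is about (it sits directly above the pre-existing `# Netlink raw needed for nscd` / `network netlink raw,` lines) and its wording is broken; either drop it from this hunk or reword it to "TODO: adjust when support for finer-grained netlink rules arrives" so it reads like the unix TODO above it. For the two new `network unix dgram,` / `network unix stream,` rules, the comment should also carry the bug reference given in the mail (https://bugzilla.opensuse.org/show_bug.cgi?id=1061195): nameservice is pulled in by a large number of profiles, and whoever reads the abstraction later needs to know why all of them are granted unrestricted unix socket access until the unix rules replace it.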
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
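As an added example (not from this mail or the AppArmor project), here is a triage script for the situation described above: it reads 4.14-style AppArmor network denials, which carry the socket family and type but no path, and derives per profile the same coarse `network unix <type>,` rules the mail says aa-logprof proposed. The audit lines are constructed to follow the standard AppArmor audit field layout; real logs may carry additional fields.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in the shape of 4.14-era AppArmor network
# denials: family and sock_type are logged, the socket path is not, so only
# coarse "network unix <type>," rules can be derived from them.
SAMPLE_LOG = """\
type=AVC msg=audit(1507000001.100:201): apparmor="DENIED" operation="create" profile="/sbin/dhclient" pid=1201 comm="dhclient" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1507000001.200:202): apparmor="DENIED" operation="create" profile="/sbin/dhclient" pid=1201 comm="dhclient" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1507000002.300:203): apparmor="DENIED" operation="create" profile="/usr/sbin/nscd" pid=1300 comm="nscd" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1507000002.400:204): apparmor="DENIED" operation="create" profile="/usr/sbin/nscd" pid=1300 comm="nscd" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1507000003.500:205): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" pid=1300 comm="nscd" name="/etc/shadow" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1507000004.600:206): apparmor="ALLOWED" operation="create" profile="/usr/bin/foo" pid=1400 comm="foo" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one audit line into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def unix_denials(log_text):
    """Map profile -> sorted list of unix socket types that were DENIED.

    Complain-mode ("ALLOWED") events and non-socket denials (file access,
    other families) are deliberately left out so they cannot turn into rules.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED" or f.get("family") != "unix":
            continue
        if f.get("sock_type") in ("dgram", "stream"):
            hits[f["profile"]].add(f["sock_type"])
    return {profile: sorted(types) for profile, types in hits.items()}


def proposed_rules(log_text):
    """Per profile, the coarse network rules matching the mail's temporary fix."""
    return {profile: ["network unix %s," % t for t in types]
            for profile, types in unix_denials(log_text).items()}


if __name__ == "__main__":
    for profile, rules in sorted(proposed_rules(SAMPLE_LOG).items()):
        print(profile)
        for rule in rules:
            print("  " + rule)
```

Each proposed rule grants every unix socket of that type to the profile, which is exactly the breadth the mail accepts only as a stopgap until path- and peer-aware unix rules can be logged and written.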