Hello,

Am Samstag, 7. Oktober 2017, 17:34:45 CEST schrieb Mikhail Morfikov:
> After updating the kernel from 4.12 -> 4.13, some of my programs
> stopped working, even though they have profiles in the "complain
> mode". Here's an example of a message that appears in the system log:
>
> AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1
> profile="/bin/app_1" name="/bin/app_2" pid=60616 comm="app_1"
> requested_mask="x" denied_mask="x" fsuid=104 ouid=0
> target="/bin/app_2"
>
> According to this log, app_1 has its profile and it wanted to execute
> app_2. The app_1 profile has the following rule:
>
> /bin/app_2 rPUx,
>
> Before upgrading the kernel, everything was fine, but now (even in the
> complain mode), the app doesn't work well -- it simply stopped
> working at all, and only removing the profiles can make it work
> again.
>
> So what is wrong in this case? It has the permission to execute the
> app_2, but it looks like that it doesn't work anymore.
You probably have NoNewPrivileges=true in the systemd unit starting your
service, and due to a change in the kernel, this also means it no longer
allows switching to another profile.

The easiest (and unfortunately less secure) workaround is not to use
NoNewPrivileges if you need to switch to another profile.

You could also patch that unfortunate restriction away:
http://paste.opensuse.org/12822406

This topic was discussed on IRC yesterday, so let me quote the relevant
lines (slightly shortened) with some more details:

<jjohansen> so the long term solution is for us to come up with a scheme to
lock the profiles in a stack that existed at the point of no-new-privs and
then allow the rest in the stack to transition
<jjohansen> so we have a pseudo plan for dealing with it but the devil is in
the details (or implementation)
<jjohansen> sadly atm you just can't have no-new-privs and profile
transitions, that was something established by Linus
<jjohansen> he didn't want/believe that LSMs should be able to "override" the
tasks decision to lock down privilege changes
<jjohansen> the LSMs have made arguments for being able to continue to reduce
privs, and selinux just landed something to that effect

Regards,

Christian Boltz
--
the outsourcing company was good about one thing: grammar :-)
they can make a non-sense Chinese translation right in grammar :-)
[Marguerite Su in opensuse-factory]
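The diagnosis above rests on three pieces of evidence: an audit line carrying info="no new privs" on an exec (which fails with error=-1 even when the profile is in complain mode and the line says ALLOWED), a unit file that sets NoNewPrivileges=, and a profile rule whose exec mode asks for a profile transition rather than ix. The following script, added here as an example and not code from the thread or the AppArmor project, checks all three on text you paste in. The audit line is the one from the original post; the two further log lines, the unit file and the profile are constructed samples for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples. The first audit line is the one quoted in the thread;
# the other two are invented to show a real DENIED case and a non-exec event.
SAMPLE_LOG = """\
audit: type=1400 audit(1507390000.123:45): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="/bin/app_1" name="/bin/app_2" pid=60616 comm="app_1" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 target="/bin/app_2"
audit: type=1400 audit(1507390001.456:46): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/sbin/svc" name="/usr/bin/helper" pid=60700 comm="svc" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/helper"
audit: type=1400 audit(1507390002.789:47): apparmor="ALLOWED" operation="open" profile="/bin/app_1" name="/etc/app.conf" pid=60616 comm="app_1" requested_mask="r" denied_mask="r" fsuid=104 ouid=0
"""

SAMPLE_UNIT = """\
[Unit]
Description=constructed example service

[Service]
ExecStart=/bin/app_1
NoNewPrivileges=true
"""

SAMPLE_PROFILE = """\
/bin/app_1 flags=(complain) {
  /etc/app.conf r,
  /bin/app_1 mr,
  /usr/bin/helper ix,
  /bin/app_2 rPUx,
}
"""

# key="quoted value" (may contain spaces) or key=unquoted
AVC_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> Dict[str, str]:
    """Split an AppArmor audit line into its key=value fields."""
    return {k: quoted or bare for k, quoted, bare in AVC_FIELD.findall(line)}


def no_new_privs_exec_failures(log: str) -> List[Dict[str, str]]:
    """Exec events refused because the task has no_new_privs set.

    Note the ALLOWED/DENIED field is not decisive here: in complain mode
    the line still reads ALLOWED, yet error=-1 (EPERM) reaches the program
    because the kernel refuses the profile transition itself."""
    hits = []
    for line in log.splitlines():
        if 'apparmor="' not in line:
            continue
        fields = parse_avc(line)
        if fields.get("operation") == "exec" and fields.get("info") == "no new privs":
            hits.append(fields)
    return hits


def unit_sets_no_new_privs(unit_text: str) -> bool:
    """True if the [Service] section explicitly enables NoNewPrivileges=.
    systemd accepts true/yes/on/1 as boolean values."""
    in_service = False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_service = line == "[Service]"
            continue
        if in_service and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "NoNewPrivileges":
                return value.lower() in ("true", "yes", "on", "1")
    return False


# path followed by a permission string ending in x, e.g. "/bin/app_2 rPUx,"
RULE = re.compile(r"^\s*(/\S*)\s+([rwmklixpPcCuU]+)\s*,\s*$")


def transition_rules(profile_text: str) -> List[Tuple[str, str]]:
    """Exec rules whose mode is anything other than ix.

    px/Px, cx/Cx, ux/Ux and their pix/pux/cux variants all ask the kernel to
    change profile on exec; only ix stays in the current profile and so is
    unaffected by no_new_privs."""
    found = []
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        path, mode = m.groups()
        exec_part = "".join(ch for ch in mode if ch not in "rwmkl")
        if exec_part and exec_part != "ix":
            found.append((path, exec_part))
    return found


def report(log: str, unit_text: str, profile_text: str) -> List[str]:
    """Human-readable findings combining the three checks."""
    lines = []
    for h in no_new_privs_exec_failures(log):
        lines.append(f'{h["profile"]} -> {h["target"]}: exec refused under no_new_privs '
                     f'(apparmor={h["apparmor"]}, error={h.get("error")})')
    if unit_sets_no_new_privs(unit_text):
        lines.append("unit sets NoNewPrivileges= in [Service]")
    for path, mode in transition_rules(profile_text):
        lines.append(f"profile rule {path} {mode} requests a profile transition")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG, SAMPLE_UNIT, SAMPLE_PROFILE):
        print(finding)
```

When run against your own journal output, unit and profile, a non-empty first group together with the second and third tells you the unit's NoNewPrivileges= setting and the profile's transition rule are in conflict, which is exactly the situation described above. The unit check only looks at an explicit NoNewPrivileges= line; systemd.exec(5) documents other sandboxing directives that imply it, so a unit can hit this without spelling the option out.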
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor