On 10/12/2018 06:15 AM, Markus Kuhn wrote:
> AppArmor as shipping in Ubuntu 18.04 blocks processes from
> accessing NFS-mounted files with
> 
>   apparmor="DENIED" operation="sendmsg" requested_mask="send" denied_mask="send"
> 
> unless network access is granted:
> 
>   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499
> 
> Is this really by design or just a bug?
> 
It is a bug, in that network mediation is not complete and because of this
certain things cannot be handled correctly. Basically the current
implementation is a coarse-grained socket-level first pass. Finer nuances
such as packet routing and kernel services that switch credentials are not
taken into account.

In this case it is support to switch the credentials of the kernel services
that is missing.

The necessary bits to complete network mediation* are slowly landing upstream
and it is something that Ubuntu will consider SRUing.


*
- secid support (4.18)
- act as, and kernel_t label (wip)
- secmark support
  - partial (4.20? or 4.21)
  - full (wip)
- finer process controls around sockets/address (wip); packets are handled by
  secmark

> Does the documentation warn about this?
> 
There is some documentation around NFS problems but I am sure it is missing
in other areas. Base socket mediation landing upstream is a relatively
new thing (though Canonical has carried a variant for years) and the goal has
been to drive to complete network mediation as quickly as possible.

Unfortunately you are caught in a state of transition.


> This is certainly unexpected, as the user process never opens a socket or
> calls sendmsg(), and merely tries to open a normal file for
> which it has AppArmor file-path permissions. When a process covered
> by a profile accesses a file in an NFS-mounted file system,
> any socket operations related to that are performed either by the kernel,
> or, after a kernel upcall, by NFS helper processes such as automount,
> rpc.gssd (for sec=krb5 Kerberos authentication) and nfsidmap (for NFSv4
> uid<->name mapping), running as a system user.
> 
> This has certainly been causing problems, e.g. for users of "snap"
> and "man" with NFS-mounted $HOME.
> 
>   https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1662552
> 
> It would be very useful if AppArmor could distinguish between
> explicit network traffic created by an application that opens
> sockets, and implicit network traffic caused by an application
> merely accessing files on an already-mounted networked file system.
> 
> Markus
> 


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
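The thread above describes a sendmsg/send denial logged against a process that never opened a socket. The following is an added triage helper, not code from the thread or the AppArmor project: it parses AppArmor audit lines in the key=value format quoted above and separates sendmsg/send denials (candidates for the NFS case, to be reviewed before any network rule is added to a profile) from ordinary file denials. The sample log lines are constructed; the profile, pid, comm, family, sock_type and protocol fields are assumed standard AppArmor audit fields.

```python
import re
from collections import Counter

# Constructed sample audit lines (not captured from any real system), in the
# key=value format quoted in the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1539341000.123:45): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=1234 comm="man" family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
type=AVC msg=audit(1539341001.456:46): apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/etc/shadow" pid=1234 comm="man" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1539341002.789:47): apparmor="ALLOWED" operation="sendmsg" profile="snap.foo.bar" pid=2222 comm="foo" family="inet" sock_type="dgram" protocol=17 requested_mask="send" denied_mask="send"
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Turn one AppArmor audit line into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_implicit_network_candidate(ev):
    """A DENIED sendmsg with denied_mask="send" matches the pattern in the
    thread: the application may never have opened a socket itself (NFS,
    kernel upcalls), so it deserves a look before a network rule is granted."""
    return (ev.get("apparmor") == "DENIED"
            and ev.get("operation") == "sendmsg"
            and ev.get("denied_mask") == "send")


def triage(log_text):
    """Return (candidate events, Counter of denials keyed by (profile, operation))."""
    candidates, per_profile = [], Counter()
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") != "DENIED":
            continue  # ALLOWED (complain-mode) records are not denials
        per_profile[(ev.get("profile"), ev.get("operation"))] += 1
        if is_implicit_network_candidate(ev):
            candidates.append(ev)
    return candidates, per_profile


if __name__ == "__main__":
    cands, counts = triage(SAMPLE_LOG)
    for ev in cands:
        print("review:", ev["profile"], "pid", ev["pid"], "sendmsg denied")
    print(dict(counts))
```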
