The LSMs respecting the nnp flag was actually mandated by Linus. So yes
it breaks apparmor.

Kernel 3.5: Tasks that have nnp block apparmor policy transitions except
for unconfined, as transitions in that case always result in reduced
permissions.

Kernel 4.13: Loosened these restrictions around stacking. That is, a
transition adding a new element to a stack was allowed as that is
guaranteed to always reduce permissions. Ubuntu had this in Xenial (4.4)
kernels.

Kernel 4.17: AppArmor began tracking under what label nnp was set and
using that for profile transition tests. This improved the 4.13 stacking
test making containers capable of transitioning policy in the container
as long as the host policy wasn't transitioned.


To do more apparmor has to be able to override nnp. Selinux has managed to add
an nnp override permission and get it upstream, we are looking to do the same
with apparmor but I have no timeline as to when it will land.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1844186

Title:
  [regression] NoNewPrivileges incompatible with Apparmor

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Description:

  Host: Bionic 64 bit with GA kernel (4.15)
  Container: Bionic 64 bit

  The container runs a binary (/usr/sbin/nsd) locked by an Apparmor
  profile. The systemd service is configured with NoNewPrivileges=yes.

    # systemctl show nsd | grep ^NoNew
    NoNewPrivileges=yes

  This setup worked fine with 4.15.0-58-generic and before but stopped
  working with the 4.15.0-60-generic update. When running the bogus
  kernel, starting the nsd service fails and the following is logged in
  the host's dmesg:

  audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_</var/snap/lxd/common/lxd>" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"
  audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"

  Disabling the Apparmor profile OR setting NoNewPrivileges=no in the
  container makes it work again.

  I checked with a couple of kernels:

  4.15.0-52-generic works
  4.15.0-58-generic works
  4.15.0-60-generic is broken

  The 5.0 HWE kernel has always been broken it seems:

  5.0.0-15-generic is broken
  5.0.0-17-generic is broken
  5.0.0-20-generic is broken
  5.0.0-23-generic is broken
  5.0.0-25-generic is broken
  5.0.0-27-generic is broken

  I have another similar setup but using Xenial host/container and it
  broke in a similar fashion where 4.4.0-159-generic works but
  4.4.0-161-generic is broken.

  Additional information:

  # lsb_release -rd
  Description:  Ubuntu 18.04.3 LTS
  Release:      18.04

  # apt-cache policy nsd
  nsd:
    Installed: 4.1.26-1ubuntu0.18.04.1~ppa2
    Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2
    Version table:
   *** 4.1.26-1ubuntu0.18.04.1~ppa2 500
          500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main amd64 Packages
          100 /var/lib/dpkg/status
       4.1.17-1build1 500
          500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

  nsd comes from a custom backport; this should be irrelevant.
  nsd's custom Apparmor profile: https://paste.ubuntu.com/p/BB3ZYzH8WQ/

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-60-generic 4.15.0-60.67
  ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
  Uname: Linux 5.0.0-27-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  AlsaDevices:
   total 0
   crw-rw---- 1 root audio 116,  1 Sep 16 18:02 seq
   crw-rw---- 1 root audio 116, 33 Sep 16 18:02 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
  ApportVersion: 2.20.9-0ubuntu7.7
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
  CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
  Date: Mon Sep 16 18:14:02 2019
  InstallationDate: Installed on 2019-08-22 (24 days ago)
  InstallationMedia: Ubuntu-Server 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
  MachineType: Dell Inc. Inspiron 530s
  PciMultimedia:

  ProcEnviron:
   LANG=en_US.UTF-8
   SHELL=/bin/bash
   TERM=xterm-256color
   PATH=(custom, no user)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.0.0-27-generic root=UUID=7c11931f-ee1e-4d07-bc03-d167b9c39ef0 ro apt-setup/restricted=false apt-setup/multiverse=false kaslr nmi_watchdog=0 nr_cpus=2 pti=on vsyscall=none
  RelatedPackageVersions:
   linux-restricted-modules-5.0.0-27-generic N/A
   linux-backports-modules-5.0.0-27-generic  N/A
   linux-firmware                            1.173.9
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/24/2009
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: 1.0.18
  dmi.board.name: 0RY007
  dmi.board.vendor: Dell Inc.
  dmi.chassis.type: 3
  dmi.chassis.vendor: Dell Inc.
  dmi.chassis.version: OEM
  dmi.modalias: dmi:bvnDellInc.:bvr1.0.18:bd02/24/2009:svnDellInc.:pnInspiron530s:pvr:rvnDellInc.:rn0RY007:rvr:cvnDellInc.:ct3:cvrOEM:
  dmi.product.name: Inspiron 530s
  dmi.sys.vendor: Dell Inc.
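The two audit records in the bug description are the observable signature of the behaviour the comment above explains: a task that has no_new_privs set is refused an AppArmor profile transition on exec, and the kernel logs an exec denial with info="no new privs". The following is an added example (not code from the bug report, the kernel, or the AppArmor project) that parses such dmesg/audit lines, picks out the nnp-blocked exec denials, and reads the NoNewPrivs flag from a /proc/<pid>/status text so a service's state can be confirmed before touching the profile or NoNewPrivileges= setting. The sample input reuses the two records quoted in the report plus one constructed non-nnp denial; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Sample input: the two "no new privs" exec denials quoted in the bug
# description, plus a constructed, unrelated file-open denial so that the
# filter has something to leave out. Not a live capture.
SAMPLE_DMESG = """\
audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_</var/snap/lxd/common/lxd>" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"
audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"
audit: type=1400 audit(1568387900.000:75): apparmor="DENIED" operation="open" profile="constructed_profile" name="/etc/constructed.conf" pid=4242 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces and
# '/', '<', '>', '&') or bare tokens such as type=1400, error=-1, pid=8568.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_record(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of one AppArmor audit line, or None if the
    line is not an AppArmor record (no apparmor= field)."""
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(line):
        key = m.group(1)
        fields[key] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields if "apparmor" in fields else None


def is_nnp_exec_denial(rec: Dict[str, str]) -> bool:
    """True for a DENIED exec whose reason is the no_new_privs flag."""
    return (rec.get("apparmor") == "DENIED"
            and rec.get("operation") == "exec"
            and rec.get("info") == "no new privs")


def find_nnp_exec_denials(text: str) -> List[Dict[str, str]]:
    """Scan dmesg-style text and keep only nnp-blocked exec denials."""
    found: List[Dict[str, str]] = []
    for line in text.splitlines():
        rec = parse_audit_record(line)
        if rec is not None and is_nnp_exec_denial(rec):
            found.append(rec)
    return found


def describe(rec: Dict[str, str]) -> str:
    """One-line human summary of an nnp exec denial. The namespace field is
    only present for records raised inside a policy namespace (e.g. an LXD
    container); the root namespace is assumed otherwise."""
    ns = rec.get("namespace", "root")
    return (f'pid {rec.get("pid")} ({rec.get("comm")}) under profile '
            f'"{rec.get("profile")}" in namespace "{ns}" was denied exec of '
            f'{rec.get("name")}: no_new_privs blocks the transition to '
            f'"{rec.get("target")}"')


def no_new_privs_from_status(status_text: str) -> Optional[bool]:
    """Parse the NoNewPrivs: line of a /proc/<pid>/status dump.
    Returns True/False, or None when the kernel does not expose the field."""
    for line in status_text.splitlines():
        if line.startswith("NoNewPrivs:"):
            return line.split(":", 1)[1].strip() == "1"
    return None


def no_new_privs_of_pid(pid: int) -> Optional[bool]:
    """Live check of a running process (Linux only)."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as f:
        return no_new_privs_from_status(f.read())


if __name__ == "__main__":
    for rec in find_nnp_exec_denials(SAMPLE_DMESG):
        print(describe(rec))
```

For a real investigation, feed `find_nnp_exec_denials` the output of `dmesg` or the audit log from the host, since with LXD the denial is logged on the host even though the exec happened in the container; then confirm with `no_new_privs_of_pid` (or `systemctl show <unit> | grep ^NoNew`, as the reporter did) that the failing service really runs with the flag set. The report's own finding, that either dropping the profile or setting NoNewPrivileges=no restores the service, follows directly: both remove one side of the conflict the parser is detecting.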
