This was fixed in Questing 6.16.0-13.13.

** Tags added: sts
-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2121257

Title:
  [SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user
  namespaces

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Jammy:
  In Progress
Status in linux source package in Noble:
  In Progress
Status in linux source package in Plucky:
  In Progress
Status in linux source package in Questing:
  Fix Released

Bug description:

[ Impact ]

Apparmor-confined applications running in lxc containers may encounter
denials when attempting to access hard links or unix sockets which would
not fail outside a user namespace. This occurs because the userns uid is
not converted to a kuid before the permissions check.

This affects applications confined by apparmor and running in user
namespaces. The user who originally reported this described missing
keyboard input for Firefox running in a LXD container due to EPERM
against the ibus socket.

[ Test Plan ]

lxc launch ubuntu:24.04 podia # on Ubuntu 24.04 host
lxc shell podia

Hard links:

```
cat > linkit.aa <<EOF
#include <tunables/global>
profile linkit {
  #include <abstractions/base>
  /usr/bin/ln mr,
  audit owner /root/link l,
}
EOF
apparmor_parser linkit.aa
echo long > chain
aa-exec -p linkit ln chain link
```

Expected result: success (code 0)
No denials on dmesg

Actual result: permission denied
$ dmesg | tail
...
apparmor="DENIED" operation="link" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit" name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" target="/root/chain" fsuid=1000000 ouid=0

Unix sockets:

```
cat > sockit.aa <<EOF
#include <tunables/global>
profile sockit {
  #include <abstractions/base>
  /usr/bin/nc.openbsd mr,
  audit owner /root/sock rw,
}
EOF
apparmor_parser sockit.aa
nc -lkU sock &
aa-exec -p sockit nc -U sock # permission denied (check host journal below)
```

Expected result: open socket (Ctrl-C to exit)
No denials on dmesg

Actual result: permission denied
$ dmesg | tail
...
apparmor="DENIED" operation="connect" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit" name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0

[ Where problems could occur ]

[ Other Information ]

Original mailing list submissions:
https://lore.kernel.org/linux-security-module/20250416224209.904863-2-gabriel.to...@zetier.com/T/
https://lists.ubuntu.com/archives/apparmor/2025-April/013602.html

Upstream patches:
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5bf96d20fd787e4909b755de4705d52f3458836
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3fa0af4cc8a31d4139ee85a7b0e3d9b4f37b3093

-- 
Mailing list: https://launchpad.net/~kernel-packages
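The following is an added example for readers triaging denials like the two quoted in the test plan; it is not code from the bug report, from the reporter, or from the linked kernel patches. It models the translation the report describes as missing (converting the user-namespace uid to a kuid before the owner comparison) and applies it to the audit lines above plus one constructed line, so that a denial caused only by the unshifted ouid can be told apart from a genuine owner mismatch. The uid_map values, the sample third line and every function name are assumptions made for illustration.

```python
"""Triage helper for AppArmor owner-rule denials seen inside a user namespace.

Added example, not code from the bug report or the kernel patches. It
reproduces in user space the uid translation the report says is missing
and runs it over audit lines of the form shown in the test plan.
"""
import re

# Assumed uid_map of the container, in /proc/<pid>/uid_map column order:
# (uid inside the namespace, uid on the host, count). With this map,
# container root (uid 0) is host kuid 1000000, the fsuid in the report.
LXD_UID_MAP = [(0, 1000000, 1000000000)]

# key=value or key="value" tokens of an AppArmor audit line.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def make_kuid(uid_map, ns_uid):
    """Map a uid as seen inside the namespace to the kernel (host) uid.

    Returns None when the map does not cover ns_uid; an unmapped uid can
    never compare equal to a task's fsuid.
    """
    for ns_start, host_start, count in uid_map:
        if ns_start <= ns_uid < ns_start + count:
            return host_start + (ns_uid - ns_start)
    return None


def parse_denial(line):
    """Parse one audit line into a dict; purely numeric values become ints."""
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        value = bare if bare else quoted
        fields[key] = int(value) if value.isdigit() else value
    return fields


def owner_check_unshifted(fsuid, ouid):
    """Owner comparison as the report describes the bug: the object's
    namespace uid (ouid) is compared directly with the task's kuid."""
    return fsuid == ouid


def owner_check_shifted(uid_map, fsuid, ouid):
    """Owner comparison with ouid converted to a kuid first."""
    return make_kuid(uid_map, ouid) == fsuid


def classify_denial(line, uid_map):
    """Explain a DENIED line that carries fsuid/ouid.

    'unshifted-ouid'       the denial goes away once ouid is shifted, i.e.
                           the symptom this bug describes
    'real-owner-mismatch'  the task is not the owner even after shifting
    'uids-already-match'   fsuid == ouid, so ownership was not the cause
    'not-applicable'       not a DENIED line, or no uid fields present
    """
    d = parse_denial(line)
    if d.get("apparmor") != "DENIED" or "fsuid" not in d or "ouid" not in d:
        return "not-applicable"
    if owner_check_unshifted(d["fsuid"], d["ouid"]):
        return "uids-already-match"
    if owner_check_shifted(uid_map, d["fsuid"], d["ouid"]):
        return "unshifted-ouid"
    return "real-owner-mismatch"


# Sample input: the two denials quoted in the test plan, plus one
# constructed line (a file owned by container uid 1000, opened by
# container root) that an owner rule should still reject after the fix.
SAMPLE_LINES = [
    'apparmor="DENIED" operation="link" class="file" '
    'namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit" '
    'name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" '
    'target="/root/chain" fsuid=1000000 ouid=0',
    'apparmor="DENIED" operation="connect" class="file" '
    'namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit" '
    'name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr" '
    'fsuid=1000000 ouid=0',
    'apparmor="DENIED" operation="open" class="file" profile="sockit" '
    'name="/home/ubuntu/notes" pid=4001 comm="cat" requested_mask="r" '
    'denied_mask="r" fsuid=1000000 ouid=1000',
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = parse_denial(line)
        print(f'{d["operation"]:8} {d["name"]:20} {classify_denial(line, LXD_UID_MAP)}')
```

Feed it `dmesg` or `journalctl -k` output from the host together with the container's actual `/proc/<pid>/uid_map` (read from any process inside the container) and the classification tells you whether a reported owner denial is consistent with this bug or is a real policy hit that would survive the fix.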