This bug is missing log files that will aid in diagnosing the problem.
From a terminal window please run:

apport-collect 1648903

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable
to run this command, please add a comment stating that fact and change
the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the
Ubuntu Kernel Team.

** Changed in: linux (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1648903

Title:
  Permission denied and inconsistent behavior in complain mode with 'ip
  netns list' command

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed

Bug description:
  On 16.04 with Ubuntu 4.4.0-53.74-generic 4.4.30

  With this profile:

  #include <tunables/global>

  profile test (attach_disconnected,complain) {
    #include <abstractions/base>

    /{,usr/}{,s}bin/ip ixr,  # COMMENT OUT THIS RULE TO SEE WEIRDNESS

    capability sys_admin,
    capability net_admin,
    capability sys_ptrace,

    network netlink raw,

    ptrace (trace),

    / r,
    /run/netns/ rw,
    /run/netns/* rw,

    mount options=(rw, rshared) -> /run/netns/,
    mount options=(rw, bind) /run/netns/ -> /run/netns/,
    mount options=(rw, bind) / -> /run/netns/*,
    mount options=(rw, rslave) /,
    mount options=(rw, rslave), # LP: #1648245
    umount /sys/,
    umount /,

    /bin/dash ixr,
  }

  Everything is fine when I do:
  $ sudo apparmor_parser -r /home/jamie/apparmor.profile && sudo aa-exec -p test -- sh -c 'ip netns list'
  $

  and there are no ALLOWED entries in syslog.


  However, if I comment out the '/{,usr/}{,s}bin/ip ixr,' rule, I get a permission denied and a bunch of ALLOWED entries:

  $ sudo apparmor_parser -r /home/jamie/apparmor.profile && sudo aa-exec -p test -- sh -c 'ip netns list'
  open("/proc/self/ns/net"): Permission denied
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.862629] audit: type=1400 
audit(1481324889.782:469): apparmor="STATUS" operation="profile_replace" 
profile="unconfined" name="test" pid=4314 comm="apparmor_parser"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870339] audit: type=1400 
audit(1481324889.790:470): apparmor="ALLOWED" operation="exec" profile="test" 
name="/bin/ip" pid=4317 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 
ouid=0 target="test//null-/bin/ip"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870559] audit: type=1400 
audit(1481324889.790:471): apparmor="ALLOWED" operation="open" 
profile="test//null-/bin/ip" name="/etc/ld.so.cache" pid=4317 comm="ip" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870628] audit: type=1400 
audit(1481324889.790:472): apparmor="ALLOWED" operation="open" 
profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/libdl-2.23.so" 
pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870703] audit: type=1400 
audit(1481324889.790:473): apparmor="ALLOWED" operation="open" 
profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=4317 
comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870861] audit: type=1400 
audit(1481324889.790:474): apparmor="ALLOWED" operation="file_mprotect" 
profile="test//null-/bin/ip" name="/bin/ip" pid=4317 comm="ip" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870913] audit: type=1400 
audit(1481324889.790:475): apparmor="ALLOWED" operation="file_mprotect" 
profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=4317 
comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871019] audit: type=1400 
audit(1481324889.790:476): apparmor="ALLOWED" operation="create" 
profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" 
sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871066] audit: type=1400 
audit(1481324889.790:477): apparmor="ALLOWED" operation="setsockopt" 
profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" 
sock_type="raw" protocol=0 requested_mask="setopt" denied_mask="setopt"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871099] audit: type=1400 
audit(1481324889.790:478): apparmor="ALLOWED" operation="setsockopt" 
profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" 
sock_type="raw" protocol=0 requested_mask="setopt" denied_mask="setopt"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871128] audit: type=1400 
audit(1481324889.790:479): apparmor="ALLOWED" operation="bind" 
profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" 
sock_type="raw" protocol=0 requested_mask="bind" denied_mask="bind"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871672] audit: type=1400 
audit(1481324889.794:480): apparmor="ALLOWED" operation="getsockname" 
profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" 
sock_type="raw" protocol=0 requested_mask="getattr" denied_mask="getattr"
  Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871770] audit: type=1400 
audit(1481324889.794:481): apparmor="ALLOWED" operation="open" info="Failed 
name lookup - disconnected path" error=-13 profile="test//null-/bin/ip" name="" 
pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1648903/+subscriptions
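The ALLOWED entries quoted in the report are exactly what a profile author reads to find out which rules are missing. The following script is an added example, not code from the bug report or from the AppArmor project: it parses kernel audit lines of the shape shown above, groups the complain-mode events by the profile they were charged to, and flags the two facts the report turns on: an exec that fell through to a "test//null-/bin/ip" child profile (no exec rule matched), and an open() that failed with a "disconnected path" lookup (name="" and error=-13) under that child. The sample lines are copied from the report; the helper names (parse_audit_line, summarise, suggest_rules) are this example's own.

```python
"""Summarise AppArmor complain-mode ("ALLOWED") audit entries.

Added example (not part of the bug report or of AppArmor itself).  It reads
syslog-style kernel audit lines, keeps only the apparmor="ALLOWED" events,
groups them by profile and points out exec events that landed in a
"//null-<path>" child profile and opens that failed on a disconnected path.
"""
import re
from collections import defaultdict

# Audit records are key=value tokens; values are either "quoted" or bare.
_TOKEN = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Sample input: five lines copied from the bug report (one STATUS record and
# four ALLOWED records).
SAMPLE_LINES = [
    'Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.862629] audit: type=1400 audit(1481324889.782:469): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="test" pid=4314 comm="apparmor_parser"',
    'Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870339] audit: type=1400 audit(1481324889.790:470): apparmor="ALLOWED" operation="exec" profile="test" name="/bin/ip" pid=4317 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="test//null-/bin/ip"',
    'Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870559] audit: type=1400 audit(1481324889.790:471): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/etc/ld.so.cache" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871019] audit: type=1400 audit(1481324889.790:476): apparmor="ALLOWED" operation="create" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"',
    'Dec  9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871770] audit: type=1400 audit(1481324889.794:481): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="test//null-/bin/ip" name="" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]


def parse_audit_line(line):
    """Return the key=value fields of one audit line, or None if it is not
    an AppArmor record.  The syslog prefix carries no '=' tokens, so it is
    ignored by the tokenizer."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in _TOKEN.finditer(line):
        key = m.group(1)
        # group 3 is the quoted value (may be the empty string), group 4 bare
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def summarise(lines):
    """Group ALLOWED events by profile and collect the two findings a
    profile author needs: execs that fell through to a null child profile,
    and opens that failed on a disconnected path."""
    summary = {
        "by_profile": defaultdict(list),  # profile -> [operation, ...]
        "null_profiles": set(),           # "//null-..." profiles seen
        "unmatched_exec": [],             # (parent profile, executed path)
        "disconnected": [],               # (profile, pid)
    }
    for line in lines:
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "ALLOWED":
            continue  # STATUS / DENIED records are not complain-mode hits
        prof = f.get("profile", "")
        op = f.get("operation", "")
        summary["by_profile"][prof].append(op)
        if "//null-" in prof:
            summary["null_profiles"].add(prof)
        # An exec whose target is a null child had no matching exec rule.
        if op == "exec" and "//null-" in f.get("target", ""):
            summary["unmatched_exec"].append((prof, f.get("name")))
        # A disconnected-path open is logged with an empty name and EACCES.
        if f.get("error") == "-13" and f.get("name") == "":
            summary["disconnected"].append((prof, f.get("pid")))
    return summary


def suggest_rules(summary):
    """Turn the findings into plain-text hints for the profile author."""
    hints = []
    for parent, path in summary["unmatched_exec"]:
        hints.append(
            f"{parent}: no exec rule matched {path}; an 'ix' rule such as "
            f"'{path} ixr,' keeps it confined by '{parent}' instead of a null child profile"
        )
    for prof, pid in summary["disconnected"]:
        hints.append(
            f"{prof}: pid {pid} opened a disconnected path (error=-13); check the "
            f"flags (e.g. attach_disconnected) on the profile the process actually ran under"
        )
    return hints


if __name__ == "__main__":
    s = summarise(SAMPLE_LINES)
    for prof, ops in s["by_profile"].items():
        print(f"{prof}: {', '.join(ops)}")
    for hint in suggest_rules(s):
        print("hint:", hint)
```

Run against the full syslog excerpt from the report, the script attributes every ALLOWED event after the exec to the "test//null-/bin/ip" child rather than to "test", which is the signal that the parent's exec rule, not its file or network rules, is what was missing.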
