AppArmor really should restrict NFS access only via the file-path rules,
not via the network rules, since if an application accesses a file via
NFS, all related network traffic is initiated and controlled by the
kernel (or by kernel helper processes like automount, rpc.gssd and
nfsidmap), and not by the application.

Workaround (for /usr/bin/man only):

Add to /etc/apparmor.d/local/usr.bin.man the lines

  # TCP/UDP network access for NFS
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,

then run

# systemctl reload apparmor

This really should be fixed in the kernel, but until then, perhaps
adding a widely-included /etc/apparmor.d/abstractions/nfs with the above
lines would be useful, as /usr/bin/man is just one example of an
affected application.

See also bug #1662552

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1784499

Title:
  AppArmor treats regular NFS file access as network op

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  I am using AppArmor 2.12-4ubuntu5 on Ubuntu 18.04/bionic.

  I have the usr.bin.man profile enforced, and home directories in NFS.

  The log excerpt copied below is the result of a single invocation of
  "man ls" by an unprivileged user. (The program did display the man
  page correctly to the user.)

  It does not seem appropriate for AppArmor to report the man(1) program
  as having attempted to contact the NFS server directly, when it only
  tried to access an NFS-served file in the normal way. "man" is not a
  network-aware program and the log below misleadingly implies
  otherwise.

  ----------------

  Jul 30 17:38:35 darkstar kernel: [69963.052243] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.052274] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.052297] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.052314] kauditd_printk_skb: 34 callbacks suppressed
  Jul 30 17:38:35 darkstar kernel: [69963.052316] audit: type=1400 audit(1532986715.854:214): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.052323] audit: type=1400 audit(1532986715.854:215): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=802 faddr=10.24.115.84 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.052327] audit: type=1400 audit(1532986715.854:216): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.052339] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.052363] audit: type=1400 audit(1532986715.854:217): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.052364] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.052369] audit: type=1400 audit(1532986715.854:218): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=802 faddr=10.24.115.84 fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.052386] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.052450] audit: type=1400 audit(1532986715.854:219): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.059570] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.059640] audit: type=1400 audit(1532986715.862:220): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.061907] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.061925] audit: type=1400 audit(1532986715.862:221): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.062006] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.062014] audit: type=1400 audit(1532986715.862:222): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.066404] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.066434] audit: type=1400 audit(1532986715.866:223): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2788 comm="man" laddr=X.X.X.X lport=719 faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  Jul 30 17:38:35 darkstar kernel: [69963.066437] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.066462] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.067504] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.067535] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.067548] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.067560] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.067590] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.067622] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.068322] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.068338] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.068454] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.068493] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.068525] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.068704] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.068733] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.068754] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.091164] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.092624] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.092822] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.093069] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.093162] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.093926] nfs: RPC call returned error 13
  Jul 30 17:38:35 darkstar kernel: [69963.094128] nfs: RPC call returned error 13
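The following triage script is an added example, not part of the bug report or of the apparmor package. It parses kernel audit records in the format shown in the log above, counts the DENIED sends to the NFS port (2049) per profile and command, counts the accompanying "RPC call returned error 13" (EACCES) lines, and derives the minimal "network <family> <type>," lines the workaround in the comment above would need, so a site can see which profiles are hit before touching /etc/apparmor.d/local/. The sample log lines are constructed from the report (with the same X.X.X.X / Y.Y.Y.Y placeholders); the /usr/bin/example profile in the sample is hypothetical and is there only to show that a denial to a non-NFS port is not reported as NFS-related.

```python
"""Triage AppArmor network denials that are really kernel-initiated NFS traffic."""
import re
import sys
from collections import defaultdict

NFS_PORT = "2049"                                   # nfsd port, as seen in fport= above
ERROR_13_MARK = "nfs: RPC call returned error 13"   # 13 == EACCES

# Constructed sample modelled on the bug description's log (not the original log).
SAMPLE_LOG = [
    'Jul 30 17:38:35 darkstar kernel: [69963.052243] nfs: RPC call returned error 13',
    'Jul 30 17:38:35 darkstar kernel: [69963.052316] audit: type=1400 '
    'audit(1532986715.854:214): apparmor="DENIED" operation="sendmsg" '
    'profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=719 '
    'faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 '
    'requested_mask="send" denied_mask="send"',
    'Jul 30 17:38:35 darkstar kernel: [69963.052323] audit: type=1400 '
    'audit(1532986715.854:215): apparmor="DENIED" operation="sendmsg" '
    'profile="/usr/bin/man" pid=2781 comm="man" laddr=X.X.X.X lport=802 '
    'faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 '
    'requested_mask="send" denied_mask="send"',
    'Jul 30 17:38:35 darkstar kernel: [69963.061925] audit: type=1400 '
    'audit(1532986715.862:221): apparmor="DENIED" operation="sendmsg" '
    'profile="/usr/bin/man" pid=2792 comm="less" laddr=X.X.X.X lport=719 '
    'faddr=Y.Y.Y.Y fport=2049 family="inet" sock_type="stream" protocol=6 '
    'requested_mask="send" denied_mask="send"',
    # Hypothetical profile, denial to a non-NFS port: must NOT be counted as NFS.
    'Jul 30 17:38:36 darkstar kernel: [69963.100000] audit: type=1400 '
    'audit(1532986716.000:230): apparmor="DENIED" operation="sendmsg" '
    'profile="/usr/bin/example" pid=2800 comm="example" laddr=X.X.X.X lport=40000 '
    'faddr=Y.Y.Y.Y fport=443 family="inet" sock_type="stream" protocol=6 '
    'requested_mask="send" denied_mask="send"',
    'Jul 30 17:38:35 darkstar kernel: [69963.062006] nfs: RPC call returned error 13',
]

# key=value pairs; quoted values keep spaces, unquoted ones run to whitespace.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Return the key=value fields of an AppArmor audit record, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def nfs_denials(lines):
    """Count DENIED sends to the NFS port per (profile, comm, family, sock_type).

    The in-kernel NFS client sends these packets on behalf of whichever process
    touched the file, so AppArmor charges them to that process's profile even
    though the program itself never opened a socket (the point of the report).
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_audit_record(line)
        if not rec or rec.get('apparmor') != 'DENIED' or rec.get('fport') != NFS_PORT:
            continue
        counts[(rec['profile'], rec['comm'], rec['family'], rec['sock_type'])] += 1
    return dict(counts)


def rpc_eacces_count(lines):
    """Count the kernel's 'RPC call returned error 13' (EACCES) lines."""
    return sum(1 for line in lines if ERROR_13_MARK in line)


def suggested_local_rules(denials):
    """Map each affected profile to the 'network <family> <type>,' lines it needs.

    Only observed (family, sock_type) pairs are emitted, which is narrower than
    the four-line workaround; NFS over UDP or IPv6 would add dgram / inet6 here.
    """
    rules = defaultdict(set)
    for profile, _comm, family, sock_type in denials:
        rules[profile].add(f'network {family} {sock_type},')
    return {profile: sorted(found) for profile, found in rules.items()}


def main(argv):
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_LOG
    denials = nfs_denials(lines)
    print(f"{rpc_eacces_count(lines)} RPC EACCES line(s), "
          f"{sum(denials.values())} NFS-port denial(s)")
    for (profile, comm, family, sock_type), n in sorted(denials.items()):
        print(f"  {profile} comm={comm} {family}/{sock_type}: {n}")
    for profile, rules in suggested_local_rules(denials).items():
        local = profile.lstrip('/').replace('/', '.')   # /usr/bin/man -> usr.bin.man
        print(f"Suggested lines for /etc/apparmor.d/local/{local}:")
        for rule in rules:
            print(f"  {rule}")


if __name__ == '__main__':
    main(sys.argv)
```

Run it with no arguments to process the embedded sample, or pass a kernel log file (for example the one journalctl -k writes out) to triage a real machine; the lport values in the output are the privileged source ports the kernel RPC client binds, which is itself a hint that no unprivileged program opened the socket.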
