AppArmor as shipping in Ubuntu 18.04 blocks processes from accessing NFS-mounted files with
apparmor="DENIED" operation="sendmsg" requested_mask="send" denied_mask="send" unless network access is granted: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499 Is this really by design or just a bug? Does the documentation warn about this? This is certainly unexpected, as the user process never opens a socket or calls sendmsg(), and merely tries to open a normal file for which it has AppArmor file-path permissions. When a process covered by a profile accesses a file in an NFS-mounted file system, any socket operations related to that are performed either by the kernel, or, after a kernel upcall, by NFS helper processes such as automount, rpc.gssd (for sec=krb5 Kerberos authentication) and nfsidmap (for NFSv4 uid<->name mapping), running as a system user. This has certainly been causing problems, e.g. for users of "snap" and "man" with NFS-mounted $HOME. https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1662552 It would be very useful if AppArmor could distinguish between explicit network traffic created by an application that opens sockets, and implicit network traffic caused by an application merely accessing files on an already-mounted networked file system. Markus -- Markus Kuhn, Computer Laboratory, University of Cambridge http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
