** Also affects: linux (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of the Nepali
Language Coordinators group (नेपाली भाषा समायोजकहरुको समूह), which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1648903
Title:
Permission denied and inconsistent behavior in complain mode with 'ip netns list' command
Status in AppArmor:
New
Status in linux package in Ubuntu:
Incomplete
Status in linux source package in Xenial:
Fix Committed
Status in linux source package in Yakkety:
Fix Committed
Bug description:
On 16.04 with Ubuntu 4.4.0-53.74-generic 4.4.30
With this profile:
#include <tunables/global>
profile test (attach_disconnected,complain) {
  #include <abstractions/base>
  /{,usr/}{,s}bin/ip ixr, # COMMENT OUT THIS RULE TO SEE WEIRDNESS
  capability sys_admin,
  capability net_admin,
  capability sys_ptrace,
  network netlink raw,
  ptrace (trace),
  / r,
  /run/netns/ rw,
  /run/netns/* rw,
  mount options=(rw, rshared) -> /run/netns/,
  mount options=(rw, bind) /run/netns/ -> /run/netns/,
  mount options=(rw, bind) / -> /run/netns/*,
  mount options=(rw, rslave) /,
  mount options=(rw, rslave), # LP: #1648245
  umount /sys/,
  umount /,
  /bin/dash ixr,
}
Everything is fine when I do:
$ sudo apparmor_parser -r /home/jamie/apparmor.profile && sudo aa-exec -p test -- sh -c 'ip netns list'
$
and there are no ALLOWED entries in syslog.
However, if I comment out the '/{,usr/}{,s}bin/ip ixr,' rule, I get a
permission denied and a bunch of ALLOWED entries:
$ sudo apparmor_parser -r /home/jamie/apparmor.profile && sudo aa-exec -p test -- sh -c 'ip netns list'
open("/proc/self/ns/net"): Permission denied
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.862629] audit: type=1400 audit(1481324889.782:469): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="test" pid=4314 comm="apparmor_parser"
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870339] audit: type=1400 audit(1481324889.790:470): apparmor="ALLOWED" operation="exec" profile="test" name="/bin/ip" pid=4317 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="test//null-/bin/ip"
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870559] audit: type=1400 audit(1481324889.790:471): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/etc/ld.so.cache" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870628] audit: type=1400 audit(1481324889.790:472): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/libdl-2.23.so" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870703] audit: type=1400 audit(1481324889.790:473): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870861] audit: type=1400 audit(1481324889.790:474): apparmor="ALLOWED" operation="file_mprotect" profile="test//null-/bin/ip" name="/bin/ip" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870913] audit: type=1400 audit(1481324889.790:475): apparmor="ALLOWED" operation="file_mprotect" profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871019] audit: type=1400 audit(1481324889.790:476): apparmor="ALLOWED" operation="create" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871066] audit: type=1400 audit(1481324889.790:477): apparmor="ALLOWED" operation="setsockopt" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="setopt" denied_mask="setopt"
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871099] audit: type=1400 audit(1481324889.790:478): apparmor="ALLOWED" operation="setsockopt" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="setopt" denied_mask="setopt"
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871128] audit: type=1400 audit(1481324889.790:479): apparmor="ALLOWED" operation="bind" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="bind" denied_mask="bind"
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871672] audit: type=1400 audit(1481324889.794:480): apparmor="ALLOWED" operation="getsockname" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="getattr" denied_mask="getattr"
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871770] audit: type=1400 audit(1481324889.794:481): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="test//null-/bin/ip" name="" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1648903/+subscriptions
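The audit records in the report above carry the whole story if they are read field by field: every record except one is a complain-mode "ALLOWED" (logged, but permitted), the exec record's target="test//null-/bin/ip" shows that /bin/ip was executed under an auto-generated null profile because the parent had no rule for it, and the single record with error=-13 is the open that actually failed, on a disconnected path, which is the "Permission denied" the reporter sees. The script below is an added example for triaging such logs; it is not part of the bug report or of the AppArmor project. It assumes the records are on one line each in the standard audit(...)/key="value" layout shown above; the embedded sample is a subset of the report's own records, not constructed data. The reading that the parent profile's attach_disconnected flag does not carry over to the null profile is my inference from those records, not something the report states.

```python
import re
from collections import Counter

# A subset of the audit records from the bug report above, rejoined onto
# one line each (the mail client had wrapped them). Not constructed data.
SAMPLE_LOG = """\
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.862629] audit: type=1400 audit(1481324889.782:469): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="test" pid=4314 comm="apparmor_parser"
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870339] audit: type=1400 audit(1481324889.790:470): apparmor="ALLOWED" operation="exec" profile="test" name="/bin/ip" pid=4317 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="test//null-/bin/ip"
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870559] audit: type=1400 audit(1481324889.790:471): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/etc/ld.so.cache" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871019] audit: type=1400 audit(1481324889.790:476): apparmor="ALLOWED" operation="create" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871770] audit: type=1400 audit(1481324889.794:481): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="test//null-/bin/ip" name="" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# audit(<timestamp>:<serial>): followed by the AppArmor fields.
HEADER_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):\s*(apparmor=.*)$')


def parse_record(line):
    """Return the fields of one AppArmor audit line as a dict, or None if the
    line is not an AppArmor audit record."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "serial": int(m.group(2))}
    for key, val in FIELD_RE.findall(m.group(3)):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        rec[key] = val
    return rec


def analyze(log_text):
    """Split the ALLOWED records into three views:
    - exec events whose target is an auto-generated '//null-' profile,
      i.e. execs the parent profile had no rule for;
    - a count of complain-mode (learning) events per profile;
    - records carrying error=, which are syscalls that really failed even
      though the profile is in complain mode."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    report = {
        "null_profile_transitions": [],
        "learning_events": Counter(),
        "hard_failures": [],
    }
    for r in records:
        if r.get("apparmor") != "ALLOWED":
            continue  # STATUS records (profile loads) are not access decisions
        prof = r.get("profile", "")
        report["learning_events"][prof] += 1
        if r.get("operation") == "exec" and "//null-" in r.get("target", ""):
            report["null_profile_transitions"].append((r["name"], r["target"]))
        if "error" in r:
            report["hard_failures"].append({
                "serial": r["serial"],
                "profile": prof,
                "operation": r.get("operation", ""),
                "errno": int(r["error"]),
                "info": r.get("info", ""),
                "name": r.get("name", ""),
            })
    return report


def suggest_exec_rules(report):
    """For each exec that fell into a null profile, the rule that would keep
    the child under the parent profile ('ix' = execute and inherit)."""
    return [f"{path} ix," for path, _ in report["null_profile_transitions"]]


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for path, target in rep["null_profile_transitions"]:
        print(f"exec of {path} landed in null profile {target}")
    for prof, n in rep["learning_events"].items():
        print(f"{n} complain-mode event(s) under profile {prof}")
    for f in rep["hard_failures"]:
        print(f"serial {f['serial']}: {f['operation']} under {f['profile']} "
              f"failed with errno {f['errno']} ({f['info']!r})")
    for rule in suggest_exec_rules(rep):
        print("missing rule:", rule)
```

On a live system the same functions can be fed the kernel log (for example the output of journalctl -k or /var/log/syslog). The check worth keeping is the hard_failures view: under a profile flagged complain, any record that carries error= means the kernel refused the call regardless of the mode, which is exactly the inconsistency the report describes. The suggested rule is the narrow form of the one the reporter commented out (/{,usr/}{,s}bin/ip ixr,); the reporter's wildcard version covers the /usr and /sbin variants as well.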