** Description changed:

  [ Impact ]
  
  Apparmor-confined applications running in lxc containers may encounter denials
- when attempting to access hard links or unix sockets which would not fail
+ when attempting to access hard links or unix sockets which would not be denied
  outside a user namespace. This occurs because the userns uid is not converted
  to a kuid before the permissions check.
  
  This affects applications confined by apparmor and running in user
  namespaces.
  
  The user who originally reported this described missing keyboard input for
  Firefox running in a LXD container due to EPERM against the ibus socket.
  
  [ Test Plan ]
  
  lxc launch ubuntu:24.04 podia # on Ubuntu 24.04 host
  lxc shell podia
  
  Hard links:
  ```
  cat > linkit.aa <<EOF
  #include <tunables/global>
  
  profile linkit {
  #include <abstractions/base>
  
  /usr/bin/ln mr,
  
  audit owner /root/link l,
  }
  EOF
  apparmor_parser linkit.aa
  
  echo long > chain
  aa-exec -p linkit ln chain link
  ```
  
  Expected result:
  
  success (code 0)
  No denials on dmesg
  
  Actual result:
  
  permission denied
  
  $ dmesg | tail
  ...
  apparmor="DENIED" operation="link" class="file" 
namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit" 
name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" 
target="/root/chain" fsuid=1000000 ouid=0
  
  Unix sockets:
  ```
  cat > sockit.aa <<EOF
  #include <tunables/global>
  
  profile sockit {
  #include <abstractions/base>
  
  /usr/bin/nc.openbsd mr,
  
  audit owner /root/sock rw,
  }
  EOF
  apparmor_parser sockit.aa
  
  nc -lkU sock &
  aa-exec -p sockit nc -U sock # permission denied (check host journal below)
  ```
  
  Expected result:
  
  open socket (Ctrl-C to exit)
  No denials on dmesg
  
  Actual result:
  
  permission denied
  
  $ dmesg | tail
  ...
  apparmor="DENIED" operation="connect" class="file" 
namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit" 
name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr" 
fsuid=1000000 ouid=0
  
  [ Where problems could occur ]
  
+ The patches modify code that is only called when apparmor mediates access to
+ unix sockets or hard links, so if the patches are incorrect we would expect
+ to see denials or other failures related to hard links or unix sockets.
+ 
  [ Other Information ]
  
  Original mailing list submissions:
  
https://lore.kernel.org/linux-security-module/[email protected]/T/
  https://lists.ubuntu.com/archives/apparmor/2025-April/013602.html
  
  Upstream patches:
  
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5bf96d20fd787e4909b755de4705d52f3458836
  
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3fa0af4cc8a31d4139ee85a7b0e3d9b4f37b3093
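Review bot: the new [ Where problems could occur ] paragraph names only denials as the regression symptom, but the change sits in the conversion of the uid that the `owner` qualifier compares against fsuid, so an incorrect mapping could just as well make `audit owner /root/link l,` or `audit owner /root/sock rw,` match for a task that does not own the file, which would show up as an unexpected allow rather than a denial. Suggest stating that both directions are possible and extending the test plan with a negative case in which the target is owned by a different uid inside the container, so an over-permissive mapping is caught as well. Separately, the comment on the `aa-exec -p sockit nc -U sock` line says "check host journal below" while the steps that follow read `dmesg`; aligning the two would avoid a verifier looking in the wrong place.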

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2121257

Title:
  [SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user
  namespaces

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Jammy:
  In Progress
Status in linux source package in Noble:
  In Progress
Status in linux source package in Plucky:
  In Progress
Status in linux source package in Questing:
  Fix Released

Bug description:
  [ Impact ]

  AppArmor-confined applications running in LXC containers may be denied access
  to hard links or Unix sockets that would be allowed outside a user namespace.
  This happens because the uid from the user namespace is not converted to a
  kernel uid (kuid) before the permissions check, so the comparison is made
  against an unshifted value.

  This affects applications confined by apparmor and running in user
  namespaces.

  The user who originally reported this described missing keyboard input for
  Firefox running in an LXD container due to EPERM against the ibus socket.

  [ Test Plan ]

  lxc launch ubuntu:24.04 podia # on Ubuntu 24.04 host
  lxc shell podia

  Hard links:
  ```
  cat > linkit.aa <<EOF
  #include <tunables/global>

  profile linkit {
  #include <abstractions/base>

  /usr/bin/ln mr,

  audit owner /root/link l,
  }
  EOF
  apparmor_parser linkit.aa

  echo long > chain
  aa-exec -p linkit ln chain link
  ```

  Expected result:

  success (code 0)
  No denials on dmesg

  Actual result:

  permission denied

  ```
  $ dmesg | tail
  ...
  apparmor="DENIED" operation="link" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit" name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" target="/root/chain" fsuid=1000000 ouid=0
  ```

  Unix sockets:
  ```
  cat > sockit.aa <<EOF
  #include <tunables/global>

  profile sockit {
  #include <abstractions/base>

  /usr/bin/nc.openbsd mr,

  audit owner /root/sock rw,
  }
  EOF
  apparmor_parser sockit.aa

  nc -lkU sock &
  aa-exec -p sockit nc -U sock # permission denied (check host journal below)
  ```

  Expected result:

  open socket (Ctrl-C to exit)
  No denials on dmesg

  Actual result:

  permission denied

  ```
  $ dmesg | tail
  ...
  apparmor="DENIED" operation="connect" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit" name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
  ```
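
The owner comparison described under [ Impact ], applied to the two audit lines from the test plan, as an added example that is not part of the bug report or of the kernel's AppArmor code. It models the uid mapping the way one uid_map extent works, with a constructed extent (container uid 0 onward mapping to kuid 1000000 onward, 65536 ids wide) chosen to match the fsuid=1000000 / ouid=0 pair in the logs; the real range is whatever LXD configured for the container. The function names (make_kuid, owner_check_unshifted, owner_check_shifted, denial_is_unshifted_owner) are hypothetical. It shows why comparing the task's fsuid against the inode's unshifted uid fails, why the same comparison succeeds once the uid is shifted, and how to classify a denial line as this bug rather than a genuine owner mismatch.

```c
/*
 * Added example (not from the bug report or the kernel): models the owner
 * check that the [ Impact ] section describes and applies it to the audit
 * lines shown in the test plan.
 *
 * The container rootfs stores uid 0 on disk for container root, but the
 * task's fsuid is the kernel uid (kuid) that the container's user namespace
 * maps 0 to. An "owner" rule therefore has to translate the inode's raw uid
 * through the mapping before comparing it with fsuid; comparing the raw uid
 * directly is the bug.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INVALID_UID ((unsigned int)-1)

/* One line of a uid_map: namespace uid `first` .. first+count-1 maps to
 * kernel uid lower_first .. lower_first+count-1. */
struct uid_extent {
    unsigned int first;
    unsigned int lower_first;
    unsigned int count;
};

/* Constructed mapping matching the fsuid=1000000 / ouid=0 pair in the logs:
 * namespace uid 0 -> kuid 1000000, 65536 ids wide (assumed, not read from
 * any real /proc/<pid>/uid_map). */
static const struct uid_extent container_map[] = {
    { 0, 1000000, 65536 },
};
static const size_t container_map_len = sizeof container_map / sizeof container_map[0];

/* Translate a uid as seen in the user namespace into a kernel uid. Returns
 * INVALID_UID when no extent covers it, which must count as "not the owner". */
unsigned int make_kuid(const struct uid_extent *map, size_t len, unsigned int uid)
{
    for (size_t i = 0; i < len; i++) {
        if (uid >= map[i].first && uid - map[i].first < map[i].count)
            return map[i].lower_first + (uid - map[i].first);
    }
    return INVALID_UID;
}

/* Buggy owner check: compares the task's kuid with the inode's unshifted uid. */
int owner_check_unshifted(unsigned int fsuid, unsigned int raw_ouid)
{
    return fsuid == raw_ouid;
}

/* Fixed owner check: shift the inode uid through the mapping first. */
int owner_check_shifted(unsigned int fsuid, unsigned int raw_ouid,
                        const struct uid_extent *map, size_t len)
{
    unsigned int kuid = make_kuid(map, len, raw_ouid);
    return kuid != INVALID_UID && fsuid == kuid;
}

/* Pull "key=<number>" out of an AppArmor audit line. Returns 0 on failure. */
static int audit_uint(const char *line, const char *key, unsigned int *out)
{
    const char *p = strstr(line, key);
    if (!p)
        return 0;
    p += strlen(key);
    char *end;
    unsigned long v = strtoul(p, &end, 10);
    if (end == p)
        return 0;
    *out = (unsigned int)v;
    return 1;
}

/* Returns 1 if the denial would have passed the owner check once the inode
 * uid is shifted, i.e. it looks like this bug rather than a real mismatch.
 * Returns 0 otherwise, including for lines that are not DENIED or that lack
 * the fsuid/ouid fields. */
int denial_is_unshifted_owner(const char *line)
{
    unsigned int fsuid, ouid;
    if (!strstr(line, "apparmor=\"DENIED\""))
        return 0;
    if (!audit_uint(line, " fsuid=", &fsuid) || !audit_uint(line, " ouid=", &ouid))
        return 0;
    return !owner_check_unshifted(fsuid, ouid) &&
           owner_check_shifted(fsuid, ouid, container_map, container_map_len);
}

int main(void)
{
    /* The two audit lines from the test plan, each joined into one line. */
    const char *lines[] = {
        "apparmor=\"DENIED\" operation=\"link\" class=\"file\" "
        "namespace=\"root//lxd-podia_<var-snap-lxd-common-lxd>\" profile=\"linkit\" "
        "name=\"/root/link\" pid=1655 comm=\"ln\" requested_mask=\"l\" denied_mask=\"l\" "
        "target=\"/root/chain\" fsuid=1000000 ouid=0",
        "apparmor=\"DENIED\" operation=\"connect\" class=\"file\" "
        "namespace=\"root//lxd-podia_<var-snap-lxd-common-lxd>\" profile=\"sockit\" "
        "name=\"/root/sock\" pid=3924 comm=\"nc\" requested_mask=\"wr\" denied_mask=\"wr\" "
        "fsuid=1000000 ouid=0",
    };
    for (size_t i = 0; i < 2; i++)
        printf("line %zu: %s\n", i,
               denial_is_unshifted_owner(lines[i]) ? "unshifted owner uid (this bug)"
                                                   : "real owner mismatch");
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c`. Both sample lines classify as unshifted-owner denials, while a line whose ouid already equals fsuid, or whose ouid falls outside the mapping, does not. Real dmesg lines can be fed through the same classifier, but the extent must then be taken from the container's /proc/<pid>/uid_map instead of the constant assumed here.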

  [ Where problems could occur ]

  The patches modify code that is only called when apparmor mediates access to
  unix sockets or hard links, so if the patches are incorrect we would expect
  to see denials or other failures related to hard links or unix sockets.

  [ Other Information ]

  Original mailing list submissions:

  https://lore.kernel.org/linux-security-module/[email protected]/T/
  https://lists.ubuntu.com/archives/apparmor/2025-April/013602.html

  Upstream patches:

  https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5bf96d20fd787e4909b755de4705d52f3458836
  https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3fa0af4cc8a31d4139ee85a7b0e3d9b4f37b3093
