Public bug reported:

When setting a features-file in /etc/apparmor/apparmor.conf (and using policies 
for this feature-set) certain operations are DENIED, although they should be 
allowed.
This occurs for example when running an Ubuntu kernel with Debian Buster 
apparmor.

Steps for reproducing:
* Starting from a minimal Buster VM (apparmor 2.13.2-10)
* Install unbound (one example) - apparmor confinement works as expected
* Install a kernel from Ubuntu (tested with: 5.0.0-25.26 from disco and 
5.2.0-15.16 from eoan)
* Reboot - unbound fails to start - the following messages are in `dmesg`:

```
[    3.109740] audit: type=1400 audit(1567527034.644:9): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=516 comm="unbound" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[    3.113969] audit: type=1400 audit(1567527034.652:10): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=516 comm="unbound" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[    5.322119] audit: type=1400 audit(1567527036.856:21): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=549 comm="unbound" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[    5.324621] audit: type=1400 audit(1567527036.860:22): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=549 comm="unbound" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[    5.326335] audit: type=1400 audit(1567527036.860:23): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=549 comm="unbound" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
```

The problem does not occur when:
* booting the corresponding mainline kernels (5.0.18 and 5.29)
* booting debian kernels (5.2.9-2 from testing+sid and 4.19.0-5-amd64 from 
buster)
* the features-file is changed to reflect the features present in Ubuntu kernels
* the features-file option is removed (commented out) in 
/etc/apparmor/apparmor.conf

Opening the bug against linux and not apparmor, because it looks to me like the 
issue might be in the Ubuntu patches.

Glad to provide further information and help testing!

Thanks for all your great work!

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apparmor
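An added triage helper, not part of the bug report: it parses AppArmor type=1400 audit lines of the kind quoted above, counts DENIED events per profile, operation, address family and socket type, and prints the policy rule each denial would normally correspond to, so an admin can check whether the loaded profile already grants it (as it does here, which is what points at a feature-set mismatch rather than a missing rule). The sample lines are constructed from the report; the rule fragments assume AppArmor 2.13 unix/network rule syntax.

```python
import re
from collections import Counter

# Constructed sample: two DENIED lines from the report plus one ALLOWED line
# that must be ignored by the summary.
SAMPLE_DMESG = """\
[    3.109740] audit: type=1400 audit(1567527034.644:9): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=516 comm="unbound" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[    5.326335] audit: type=1400 audit(1567527036.860:23): apparmor="DENIED" operation="create" profile="/usr/sbin/unbound" pid=549 comm="unbound" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[    7.000000] audit: type=1400 audit(1567527038.000:30): apparmor="ALLOWED" operation="open" profile="/usr/sbin/unbound" name="/etc/unbound/unbound.conf" pid=600 comm="unbound" requested_mask="r" denied_mask="r"
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def summarize_denials(text):
    """Count DENIED events keyed by (profile, operation, family, sock_type)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get('apparmor') != 'DENIED':
            continue
        counts[(f.get('profile', '?'), f.get('operation', '?'),
                f.get('family', '-'), f.get('sock_type', '-'))] += 1
    return counts


def rule_hint(key):
    """Policy rule (2.13 syntax, assumed) that would grant this denied access."""
    _, op, family, sock_type = key
    if family == 'unix':
        return f'unix ({op}) type={sock_type},'
    if family in ('inet', 'inet6'):
        return f'network {family} {sock_type},'
    return None  # not a socket denial; inspect the line by hand


if __name__ == '__main__':
    for key, n in summarize_denials(SAMPLE_DMESG).items():
        print(f'{n}x {key[0]} {key[1]} {key[2]}/{key[3]} -> {rule_hint(key)}')
```

Run it against `dmesg | grep apparmor` (or the audit log) on the affected kernel; if the printed rules are already present in the profile, the denial is not a policy gap.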

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1842459

Title:
  apparmor abi-feature pinning not working with Disco and Eoan kernels

Status in linux package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1842459/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp