[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2022-05-24 Thread John Johansen
@rikka0w0 are you willing to test a kernel patch for this issue?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1784499

Title:
  AppArmor treats regular NFS file access as network op

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1784499/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2022-05-22 Thread John Johansen
Yes, unfortunately the network work was deferred; it's still a WIP but is
not scheduled as a work item for the cycle. With that said, we still hope
to get this fixed, I just can't promise it.


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2022-05-22 Thread rikka
This bug still exists in the latest Ubuntu 22.04 Live image. When I
netboot the image and apply another lower layer (NFS-based), I still
get "nfs rpc call returned error 13" in my dmesg. Intensive Google
searching led me to this thread. This bug makes Firefox (provided
via snap) non-functional.

My kernel args look like this:
initrd=initrd nfsroot=${nfs-linux-boot}/kubuntu2204 netboot=nfs boot=casper 
ip=dhcp mitigations=off utc=no ignore_uuid

My solution was to append "apparmor=0" to the kernel args to fully
disable AppArmor. Now snap and Firefox work again. I believe this is
not the best solution.


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2020-06-23 Thread clickwir
FWIW, I still see this on a fresh Ubuntu 20.04 install. My NFS server is
also Ubuntu 20.04.

Linux server01 5.4.0-37-generic #41-Ubuntu SMP Wed Jun 3 18:57:02 UTC
2020 x86_64 x86_64 x86_64 GNU/Linux

[1129462.984558] audit: type=1400 audit(1592950067.469:72821): 
apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2490588 
comm="man" laddr=10.x.x.x lport=846 faddr=10.x.x.x fport=2049 family="inet" 
sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
[1129462.984563] nfs: RPC call returned error 13

My server /etc/exports looks like this:
/path *(rw,async,insecure,mp=/path,all_squash,no_subtree_check)

My client's fstab just uses 'defaults', nothing else. But here's what 'mount' 
shows:
10.x.x.x:/path on /path type nfs4 
(rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.x.x.x,local_lock=none,addr=10.x.x.x)


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2019-09-20 Thread John Johansen
With that said, some networking work is being done this cycle and we
will try to address this.


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2019-09-20 Thread John Johansen
zyga well patches are welcome ;-)


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2019-09-20 Thread Zygmunt Krynicki
I'm marking this bug as a property (good or bad is in the eye of the
beholder) of the kernel stack. The snapd project cannot do anything
about it.

** Changed in: apparmor
   Status: New => Confirmed

** Changed in: snapd
   Status: New => Invalid


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2018-12-19 Thread Christian Boltz
** Also affects: apparmor
   Importance: Undecided
   Status: New


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2018-11-29 Thread Ingar Smedstad
** Also affects: apparmor
   Importance: Undecided
   Status: New

** No longer affects: apparmor

** Also affects: snapd
   Importance: Undecided
   Status: New


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2018-10-12 Thread Daniel Richard G.
Thanks for looking into this Markus. I'm surprised that the kernel
pieces needed to make this work as expected have yet to be fully
integrated.


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2018-10-12 Thread Markus Kuhn
See also
https://lists.ubuntu.com/archives/apparmor/2018-October/011823.html


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2018-10-12 Thread Markus Kuhn
AppArmor really should restrict NFS access only via the file-path rules,
not via the network rules, since if an application accesses a file via
NFS, all related network traffic is initiated and controlled by the
kernel (or by kernel helper processes like automount, rpc.gssd and
nfsidmap), and not by the application.

Workaround (for /usr/bin/man only):

Add to /etc/apparmor.d/local/usr.bin.man the lines

  # TCP/UDP network access for NFS
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,

then run

# systemctl reload apparmor

This really should be fixed in the kernel, but until then, perhaps
adding a widely-included /etc/apparmor.d/abstractions/nfs with the above
lines would be useful, as /usr/bin/man is just one example of an
affected application.

See also bug #1662552

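Added example (not part of the thread, and not AppArmor or snapd code): a small triage script that finds the signature of this bug in audit output, that is, AppArmor network denials whose remote port is 2049 as in the log quoted in the thread, and derives for each affected profile only the "network" rule lines its denials call for, a narrower set than the four-line workaround above. The sample log is constructed (its first line is the denial quoted in the thread, joined onto one line), and the local-override file name is an assumption that follows the /usr/bin/man -> usr.bin.man pattern shown above.

```python
import re
from collections import defaultdict

NFS_PORT = "2049"  # fport in the denial quoted in this thread

# Constructed sample input: line 1 is the thread's denial joined onto one line;
# lines 2 and 3 are made-up non-NFS denials that must not be matched.
SAMPLE_LOG = """\
audit: type=1400 audit(1592950067.469:72821): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=2490588 comm="man" laddr=10.x.x.x lport=846 faddr=10.x.x.x fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
audit: type=1400 audit(1592950068.101:72822): apparmor="DENIED" operation="open" profile="/usr/bin/man" name="/etc/shadow" pid=2490590 comm="man" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1592950069.222:72823): apparmor="DENIED" operation="connect" profile="/usr/bin/example" pid=2490601 comm="example" laddr=10.x.x.x lport=40112 faddr=10.x.x.x fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="connect" denied_mask="connect"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Split an audit record into its key=value / key="value" fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def nfs_denials(log_text):
    """Map profile -> {(family, sock_type)} for denials aimed at the NFS port."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("fport") != NFS_PORT:
            continue  # not a denial, or not NFS traffic
        if {"profile", "family", "sock_type"} <= f.keys():
            hits[f["profile"]].add((f["family"], f["sock_type"]))
    return dict(hits)


def local_override(profile, pairs):
    """Return (assumed local-override path, rule lines) for a path-named profile."""
    path = "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")
    rules = [f"network {family} {sock_type}," for family, sock_type in sorted(pairs)]
    return path, rules


if __name__ == "__main__":
    for profile, pairs in nfs_denials(SAMPLE_LOG).items():
        path, rules = local_override(profile, pairs)
        print(f"# add to {path}")
        for rule in rules:
            print("  " + rule)
```

Profiles that are not named after a binary path (snap profiles, for instance) are still reported by nfs_denials(), but the path that local_override() builds does not apply to them.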

[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2018-08-19 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed


[Bug 1784499] Re: AppArmor treats regular NFS file access as network op

2018-07-30 Thread Daniel Richard G.
I have an additional test case that is perhaps more immediate.
Attempting to view a roff file in NFS directly:

$ man ./zlib.3
man: ./zlib.3: Permission denied
No manual entry for ./zlib.3

This fails despite the permissive "/** mrixwlk" rule in the AppArmor
profile. Similar output in the log as above; the denials are
network-related, not file-access-related.
