Public bug reported:

See this from the network-service policy group:

# java apps request this but seem to work fine without it. Netlink sockets
# are used to talk to kernel subsystems though and since apps run as root,
# allowing blanket access needs to be carefully considered. Kernel capabilities
# checks (which apparmor mediates) *should* be enough to keep abuse down,
# however Linux capabilities can be quite broad and there have been CVEs in
# this area. The issue is complicated because reserved policy groups like
# 'network-admin' and 'network-firewall' have legitimate use for this rule,
# however a network facing server shouldn't typically be running with these
# policy groups. For now, explicitly deny to silence the denial. LP: #
deny network netlink dgram,

When we have fine-grained netlink mediation we'll be in a position to
know what to allow and not allow.
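Before deciding whether an explicit `deny network netlink dgram,` rule is the right call for a profile, it helps to see which confined programs are actually hitting netlink denials, and for which socket types. The script below is an added example (not part of the bug report, the policy group, or any Ubuntu tooling) that parses AppArmor socket-denial lines from a kernel or audit log and tallies them per profile, command and socket type. The log lines embedded in `SAMPLE_LOG` are constructed for this example; the profile names, PIDs and timestamps are assumptions, though the key=value layout follows what AppArmor emits for socket denials.

```python
"""Tally AppArmor netlink socket denials per profile from kernel/audit log lines."""
import re
from collections import Counter

# Constructed sample log lines (not taken from the bug report). Profile names,
# PIDs and timestamps are assumptions; the key=value layout mirrors AppArmor's
# socket-denial messages.
SAMPLE_LOG = """\
[ 1234.567] audit: type=1400 audit(1443000000.123:42): apparmor="DENIED" operation="create" profile="snap.javaapp.daemon" pid=2301 comm="java" family="netlink" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[ 1234.570] audit: type=1400 audit(1443000000.130:43): apparmor="DENIED" operation="create" profile="snap.javaapp.daemon" pid=2301 comm="java" family="netlink" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[ 1240.001] audit: type=1400 audit(1443000006.001:44): apparmor="DENIED" operation="open" profile="snap.javaapp.daemon" name="/etc/shadow" pid=2301 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1300.200] audit: type=1400 audit(1443000066.200:45): apparmor="DENIED" operation="create" profile="snap.fwtool.ctl" pid=2999 comm="nft" family="netlink" sock_type="raw" protocol=12 requested_mask="create" denied_mask="create"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return the key=value fields of one log line as a dict, quotes stripped."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def netlink_denials(log_text):
    """Return one record per AppArmor DENIED event whose socket family is netlink."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED" or f.get("family") != "netlink":
            continue  # file denials and non-netlink sockets are out of scope here
        hits.append({
            "profile": f.get("profile"),
            "comm": f.get("comm"),
            "operation": f.get("operation"),
            "sock_type": f.get("sock_type"),
            "protocol": f.get("protocol"),
        })
    return hits


def summarize(log_text):
    """Count netlink denials keyed by (profile, comm, sock_type)."""
    return Counter(
        (h["profile"], h["comm"], h["sock_type"]) for h in netlink_denials(log_text)
    )


if __name__ == "__main__":
    # Example run over the constructed sample; on a real host you would feed
    # it the output of `journalctl -k` or /var/log/audit/audit.log instead.
    for (profile, comm, sock_type), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {profile:<28} {comm:<10} netlink {sock_type}")
```

The count per `(profile, comm, sock_type)` is what you want when weighing the comment above: a profile that only ever shows `dgram` denials from a program that keeps working is a candidate for a quiet explicit deny, while `raw` denials from a firewall tool point at a policy group that legitimately needs the access. Note that once the explicit `deny` rule is in place these lines stop appearing, because AppArmor does not log `deny` rules unless they are written as `audit deny`.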

** Affects: ubuntu-core-security (Ubuntu)
     Importance: Undecided
         Status: Confirmed


** Tags: apparmor application-confinement

** Changed in: ubuntu-core-security (Ubuntu)
       Status: New => Confirmed

** Tags added: apparmor application-confinement

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1499897

Title:
  update network-service cap for netlink when fine-grained netlink
  mediation is available

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-core-security/+bug/1499897/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs