** Description changed:
[ Impact ]
Apparmor-confined applications running in lxc containers may encounter denials
- when attempting to access hard links or unix sockets which would not fail
+ when attempting to access hard links or unix sockets which would not be denied
outside a user namespace. This occurs because the userns uid is not converted
to a kuid before the permissions check.
This affects applications confined by apparmor and running in user
namespaces.
The user who originally reported this described missing keyboard input for
Firefox running in a LXD container due to EPERM against the ibus socket.
[ Test Plan ]
```
lxc launch ubuntu:24.04 podia # on Ubuntu 24.04 host
lxc shell podia
```
Hard links:
```
cat > linkit.aa <<EOF
#include <tunables/global>
profile linkit {
#include <abstractions/base>
/usr/bin/ln mr,
audit owner /root/link l,
}
EOF
apparmor_parser linkit.aa
echo long > chain
aa-exec -p linkit ln chain link
```
Expected result:
success (code 0)
No denials on dmesg
Actual result:
permission denied
```
$ dmesg | tail
...
apparmor="DENIED" operation="link" class="file"
namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit"
name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l"
target="/root/chain" fsuid=1000000 ouid=0
```
Unix sockets:
```
cat > sockit.aa <<EOF
#include <tunables/global>
profile sockit {
#include <abstractions/base>
/usr/bin/nc.openbsd mr,
audit owner /root/sock rw,
}
EOF
apparmor_parser sockit.aa
nc -lkU sock &
aa-exec -p sockit nc -U sock # permission denied (check host journal below)
```
Expected result:
open socket (Ctrl-C to exit)
No denials on dmesg
Actual result:
permission denied
```
$ dmesg | tail
...
apparmor="DENIED" operation="connect" class="file"
namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit"
name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr"
fsuid=1000000 ouid=0
```
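As an added triage aid (not part of the bug report, the test plan or the upstream patches), the script below parses apparmor="DENIED" audit records such as the two shown above and flags the ones whose uid fields have the unshifted shape: the process uid reported as a host-mapped id (fsuid=1000000) while the object owner is an in-container id (ouid=0), inside a child policy namespace (root//...). The idmap base of 1000000, the heuristic itself and the sample records (the report's two denials reassembled on one line each, plus constructed control lines) are assumptions of this example, not something the report specifies.

```python
"""Flag AppArmor denials that look like the unshifted-uid symptom.

Added example for triaging dmesg/auditd output during the SRU test plan.
Assumption: LXD's default idmap maps container uid 0 to host uid 1000000.
"""
import re
from typing import Dict, Iterable, List

# AppArmor quotes string values (key="...") and leaves integers bare (key=123).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

DEFAULT_IDMAP_BASE = 1000000  # assumed LXD idmap base, not from the report


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one audit line into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def in_child_namespace(fields: Dict[str, str]) -> bool:
    """namespace="root//lxd-podia_<...>" means the profile was loaded from
    inside a container, i.e. a child policy namespace."""
    return "//" in fields.get("namespace", "")


def looks_unshifted(fields: Dict[str, str],
                    idmap_base: int = DEFAULT_IDMAP_BASE) -> bool:
    """Heuristic: a DENIED record from a child namespace whose fsuid sits at or
    above the idmap base while ouid is a small in-container uid. This is the
    fsuid=1000000 ouid=0 pattern in the report's dmesg output."""
    if fields.get("apparmor") != "DENIED" or not in_child_namespace(fields):
        return False
    try:
        fsuid, ouid = int(fields["fsuid"]), int(fields["ouid"])
    except (KeyError, ValueError):
        return False
    return fsuid >= idmap_base and ouid < idmap_base


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the suspicious records, reduced to the fields a tester wants."""
    hits = []
    for line in lines:
        fields = parse_audit_record(line)
        if looks_unshifted(fields):
            hits.append({k: fields.get(k, "") for k in
                         ("profile", "operation", "name", "fsuid", "ouid")})
    return hits


# Constructed sample: the report's two denials on one line each (timestamp and
# audit prefix are made up), followed by two control records that must not be
# flagged: a host-side denial and an in-container denial with consistent uids.
SAMPLE_DMESG = [
    '[ 101.1] audit: type=1400 audit(1.0:11): apparmor="DENIED" operation="link" '
    'class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" '
    'profile="linkit" name="/root/link" pid=1655 comm="ln" requested_mask="l" '
    'denied_mask="l" target="/root/chain" fsuid=1000000 ouid=0',
    '[ 102.2] audit: type=1400 audit(2.0:12): apparmor="DENIED" operation="connect" '
    'class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" '
    'profile="sockit" name="/root/sock" pid=3924 comm="nc" requested_mask="wr" '
    'denied_mask="wr" fsuid=1000000 ouid=0',
    '[ 103.3] audit: type=1400 audit(3.0:13): apparmor="DENIED" operation="open" '
    'class="file" profile="demo" name="/root/other" pid=77 comm="cat" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    '[ 104.4] audit: type=1400 audit(4.0:14): apparmor="DENIED" operation="open" '
    'class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" '
    'profile="demo" name="/home/u/f" pid=88 comm="cat" requested_mask="r" '
    'denied_mask="r" fsuid=0 ouid=1000',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_DMESG):
        print(hit)
```

Feed it `dmesg` or `journalctl -k` output from the host; after the fix is installed, re-running the test plan should produce no hits for the linkit and sockit profiles.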
[ Where problems could occur ]
+ The patches modify code that is only called when apparmor mediates access to
+ unix sockets or hard links, so if the patches are incorrect we would expect
+ to see denials or other failures related to hard links or unix sockets.
+
[ Other Information ]
Original mailing list submissions:
https://lore.kernel.org/linux-security-module/[email protected]/T/
https://lists.ubuntu.com/archives/apparmor/2025-April/013602.html
Upstream patches:
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5bf96d20fd787e4909b755de4705d52f3458836
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3fa0af4cc8a31d4139ee85a7b0e3d9b4f37b3093
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2121257
Title:
[SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user
namespaces
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs