** Description changed:
[ Impact ]
Apparmor-confined applications running in lxc containers may encounter denials
when attempting to access hard links or unix sockets which would not be denied
outside a user namespace. This occurs because the userns uid is not converted
to a kuid before the permissions check.
This affects applications confined by apparmor and running in user
namespaces.
The user who originally reported this described missing keyboard input for
Firefox running in a LXD container due to EPERM against the ibus socket.
[ Test Plan ]
lxc launch ubuntu:24.04 podia # on Ubuntu 24.04 host
lxc shell podia
Hard links:
```
cat > linkit.aa <<EOF
#include <tunables/global>
profile linkit {
#include <abstractions/base>
/usr/bin/ln mr,
audit owner /root/link l,
}
EOF
apparmor_parser linkit.aa
echo long > chain
aa-exec -p linkit ln chain link
```
Expected result:
success (code 0)
- No denials on dmesg
+ Audit message on dmesg (no denials)
Actual result:
permission denied
$ dmesg | tail
...
apparmor="DENIED" operation="link" class="file"
namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit"
name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l"
target="/root/chain" fsuid=1000000 ouid=0
Unix sockets:
```
cat > sockit.aa <<EOF
#include <tunables/global>
profile sockit {
#include <abstractions/base>
/usr/bin/nc.openbsd mr,
audit owner /root/sock rw,
}
EOF
apparmor_parser sockit.aa
nc -lkU sock &
- aa-exec -p sockit nc -U sock # permission denied (check host journal below)
+ aa-exec -p sockit nc -U sock
```
Expected result:
open socket (Ctrl-C to exit)
- No denials on dmesg
+ Audit message on dmesg (no denials)
Actual result:
permission denied
$ dmesg | tail
...
apparmor="DENIED" operation="connect" class="file"
namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit"
name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr"
fsuid=1000000 ouid=0
[ Where problems could occur ]
The patches modify code that is only called when apparmor mediates access to
unix sockets or hard links, so if the patches are incorrect we would expect
to see denials or other failures related to hard links or unix sockets.
[ Other Information ]
Original mailing list submissions:
https://lore.kernel.org/linux-security-module/[email protected]/T/
https://lists.ubuntu.com/archives/apparmor/2025-April/013602.html
Upstream patches:
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5bf96d20fd787e4909b755de4705d52f3458836
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3fa0af4cc8a31d4139ee85a7b0e3d9b4f37b3093
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2121257
Title:
[SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user
namespaces
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2121257/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
