[apparmor] [patch] temporary solution to keep users with kernel 4.14 happy

Christian Boltz apparmor at cboltz.de
Mon Oct 2 22:50:47 UTC 2017


Hello,

this is a follow-up of the discussion on #apparmor today.

One of the patches upstreamed to Kernel 4.14 rc2 added support for 
network rules, which also means parts of unix events are now confined.

The result is lots of denials for unix dgram and unix stream, and those
denials also have a very visible user impact. For example, dhclient
breaks - which means the network won't come up. In total, I had to adjust
40 of my profiles.

Unfortunately 4.14 doesn't log the path involved, which makes it hard to
add proper unix rules. Instead, allow network unix stream and dgram.
These rules are broader than needed, but fix the denials for now to 
avoid user impact.

The final solution will be to add proper unix rules, but for now I intend
to add the following patch to the AppArmor package in openSUSE 
Tumbleweed.

I do _not_ plan to commit this patch to AppArmor bzr because it's a
temporary solution, so this mail is more FYI. Nevertheless, if someone
sees a serious problem with this patch, please speak up now - or wait
until unix rules are upstreamed ;-)

@intrigeri: You might want to grab this patch before Kernel 4.14 
arrives in Debian ;-)

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1061195


BTW: The temporary rules are exactly what aa-logprof proposed ;-)
(which also means I'll have to do some adjustments to propose unix 
rules instead of network unix)


=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice        2017-09-15 20:47:26 +0000
+++ profiles/apparmor.d/abstractions/nameservice        2017-10-02 21:46:50 +0000
@@ -90,6 +90,11 @@
   network inet  dgram,
   network inet6 dgram,
 
+  # unix dgram/stream
+  # TODO: replace with more specific unix rules when support for unix rules arrives in the Kernel (probably in 4.15) and gives us detailed log messages
+  network unix dgram,
+  network unix stream,
+
   # TODO: adjust when support finer-grained netlink rules
   # Netlink raw needed for nscd
   network netlink raw,
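Review bot: The added `# TODO: replace with more specific unix rules ...` comment runs far past the width of every other line in this abstraction; wrap it to match the neighbouring `# TODO: adjust when support finer-grained netlink rules` comment, and consider citing the bug from the mail (https://bugzilla.opensuse.org/show_bug.cgi?id=1061195) in it so the rule can be located and removed once real unix rules land. Also, because abstractions/nameservice is included by a large number of profiles, `network unix dgram,` and `network unix stream,` widen all of them at once; the comment should say explicitly that these rules are intentionally broad and temporary, so that nobody copies them into permanent profiles as if they were the intended minimum.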



Regards,

Christian Boltz
-- 
Here, however, I very much want data protection to exist and to be able to
trust the processing software further than I could throw the programmer.
[Princess in
http://blog.koehntopp.de/archives/3090-Placebo-Forte-N.html#c27615]