[apparmor] AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1

Mikhail Morfikov mmorfikov at gmail.com
Sat Oct 7 17:34:05 UTC 2017


On 2017-10-07 18:26, Christian Boltz wrote:
> Hello,
> 
> Am Samstag, 7. Oktober 2017, 17:34:45 CEST schrieb Mikhail Morfikov:
>> After updating the kernel from 4.12 -> 4.13, some of my programs
>> stopped working, even though they have profiles in the "complain
>> mode". Here's an example of a message that appears in the system log:
>>
>> AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1
>> profile="/bin/app_1" name="/bin/app_2" pid=60616 comm="app_1"
>> requested_mask="x" denied_mask="x" fsuid=104 ouid=0
>> target="/bin/app_2"
>>
>> According to this log, app_1 has its profile and it wanted to execute
>> app_2. The app_1 profile has the following rule:
>>
>> /bin/app_2 rPUx,
>>
>> Before upgrading the kernel, everything was fine, but now (even in the
>> complain mode), the app doesn't work well -- it simply stopped
>> working at all, and only removing the profiles can make it work
>> again.
>>
>> So what is wrong in this case? It has the permission to execute the
>> app_2, but it looks like it doesn't work anymore.
> 
> You probably have   NoNewPrivileges=true   in the systemd unit starting 
> your service, and due to a change in the kernel, this also means it no 
> longer allows switching to another profile.
Actually I don't have that, but maybe something implies it.

> 
> The easiest (and unfortunately less secure) workaround is not to use 
> NoNewPrivileges if you need to switch to another profile.
> 
> You could also patch that unfortunate restriction away: 
>     http://paste.opensuse.org/12822406
> 
> 
> This topic was discussed on IRC yesterday, so let me quote the relevant 
> lines (slightly shortened) with some more details:
> 
> <jjohansen> so the long term solution is for us to come up with a scheme to 
>     lock the profiles in a stack that existed at the point of no-new-
>     privs and then allow the rest in the stack to transition
> <jjohansen> so we have a pseudo plan for dealing with it but the devil 
>     is in the details (or implementation)
> <jjohansen> sadly atm you just can't have no-new-privs and profile 
>     transitions, that was something established by Linus
> <jjohansen> he didn't want/believe that LSMs should be able to
>     "override" the tasks decision to lock down privilege changes
> <jjohansen> the LSMs have made arguments for being able to continue to 
>     reduce privs, and selinux just landed something to that effect
> 
> 
> Regards,
> 
> Christian Boltz
> 
> 
> 
I think I'll change my profiles to "fix" this issue, but if I understand
correctly, now all "PUx" and "Cx -> ..." have to be replaced with "ix" (+
appropriate rules), right?
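
Two checks that help answer "maybe something implies it" when an AVC line carries info="no new privs" on an exec. This is an added example, not code from the thread or from the AppArmor project. The first function filters a log for exec events annotated with the no-new-privs reason and prints the source profile and the target it was trying to transition to; the second reads a /proc/<pid>/status text and reports the effective NoNewPrivs bit, which the kernel exposes from 4.10 onwards and which reflects the real state of the task no matter what set it (the no_new_privs bit is inherited across fork and exec, and systemd.exec(5) documents several sandboxing options, such as SystemCallFilter= and ProtectKernelTunables=, that imply NoNewPrivileges=yes even when the directive itself is absent from the unit). The log lines and status texts below are constructed, modelled on the line quoted in the thread; the svc/helper paths are hypothetical, and nnp_of_unit assumes a systemd new enough for systemctl show --value.

```shell
#!/bin/sh
# Added example: defender-side checks for "no new privs" exec events.
#  nnp_exec_events  - stdin: log lines; stdout: "MODE profile target" per event
#  nnp_from_status  - stdin: /proc/<pid>/status text; stdout: 0, 1 or "unknown"
#  nnp_of_pid       - same, for a live process
#  nnp_of_unit      - same, for the main process of a systemd unit
# All SAMPLE_* data is constructed test input modelled on the thread's log line.

nnp_exec_events() {
    # Keep only exec events that AppArmor attributed to the no_new_privs
    # restriction (both complain-mode ALLOWED and enforce-mode DENIED lines),
    # then pull out mode, source profile and exec target.
    grep 'operation="exec"' | grep 'info="no new privs"' |
        sed -n 's/.*apparmor="\([A-Z]*\)".*profile="\([^"]*\)".*target="\([^"]*\)".*/\1 \2 \3/p'
}

nnp_from_status() {
    # Kernels >= 4.10 print a "NoNewPrivs:" line; older ones print nothing,
    # which we report as "unknown" rather than silently as 0.
    awk '$1 == "NoNewPrivs:" { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

nnp_of_pid() {
    # Effective bit of a running process; children inherit it across fork
    # and exec, so a helper started by a hardened service carries it too.
    nnp_from_status < "/proc/$1/status"
}

nnp_of_unit() {
    # "systemctl show -p NoNewPrivileges" only reports the explicit directive;
    # reading the main process's /proc entry also catches settings that imply
    # it. Requires systemd; not exercised by the demo below.
    pid=$(systemctl show -p MainPID --value "$1")
    [ "$pid" -gt 0 ] 2>/dev/null && nnp_of_pid "$pid"
}

# Constructed sample log: the thread's line (complain mode), an unrelated
# open event, and an enforce-mode denial for a hypothetical service.
SAMPLE_LOG='kernel: audit: type=1400 apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="/bin/app_1" name="/bin/app_2" pid=60616 comm="app_1" requested_mask="x" denied_mask="x" fsuid=104 ouid=0 target="/bin/app_2"
kernel: audit: type=1400 apparmor="ALLOWED" operation="open" profile="/bin/app_1" name="/etc/app_1.conf" pid=60616 comm="app_1" requested_mask="r" denied_mask="r" fsuid=104 ouid=0
kernel: audit: type=1400 apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/bin/svc" name="/usr/bin/helper" pid=60700 comm="svc" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/bin/helper"'

# Constructed /proc/<pid>/status excerpts: one from a 4.13-era kernel with the
# bit set, one from an older kernel that does not expose the field.
SAMPLE_STATUS_NNP='Name:   svc
Pid:    60700
NoNewPrivs:     1
Seccomp:        0'
SAMPLE_STATUS_OLD='Name:   app_1
Pid:    60616'

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_LOG" | nnp_exec_events
printf '%s\n' "$SAMPLE_STATUS_NNP" | nnp_from_status
printf '%s\n' "$SAMPLE_STATUS_OLD" | nnp_from_status
```

On a live system, feed nnp_exec_events from journalctl -k or the syslog file and, for each source profile it reports, run nnp_of_unit on the unit that starts that program; a "1" with no NoNewPrivileges= line in the unit points at one of the implying options rather than at the profile itself.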
