[PATCH 0/2][X/Y SRU] Quiet noisy LSM denial when accessing net sysctl

Tyler Hicks tyhicks at canonical.com
Wed Jun 1 02:43:42 UTC 2016


BugLink: https://bugs.launchpad.net/bugs/1465724

SRU Justification:

Impact: A noisy AppArmor denial is reported to the system logs when a Go
program is run as a privileged user. The denial is non-fatal and is simply the
result of the proc net sysctl code determining what permissions a new inode
should have. This noisy denial has a high potential to confuse snap packagers
because they may think that their application is not working under Snappy
confinement. It has a high potential to confuse Snappy users because they may
think that the snaps running on their system are malicious.

Fix: The fix was authored by Tyler Hicks and acked by Serge Hallyn. It creates
a new ns_capable() function that calls into the LSM hooks with the noaudit flag
set so that the LSM doesn't generate a denial if the application under
confinement is missing the CAP_NET_ADMIN capability.

Testcase:
  # Load a test AppArmor profile
  $ echo "profile test { file, }" | sudo apparmor_parser -rq
  # Read a proc net sysctl file as root under confinement:
  $ sudo aa-exec -p test -- cat /proc/sys/net/core/somaxconn
  128
  # Manually inspect /var/log/syslog (or, if auditd is running, /var/log/audit/audit.log) to verify that the following denial is *NOT* present:
  # audit: type=1400 audit(1462575670.000:29): apparmor="DENIED" operation="capable" profile="test" pid=1161 comm="cat" capability=12 capname="net_admin"


These two patches have been submitted upstream and acked by Serge:

  http://thread.gmane.org/gmane.linux.kernel.lsm/27927

They have not yet been pulled in by the security subsystem maintainer but I
have no reason to believe that they won't be soon.

The bug affects all of our currently supported kernels but I'm only
requesting an SRU for Xenial (and for the patches to be applied to
Yakkety) because it is only a high priority bug on kernels that launch
snaps. An upcoming change to the snap launching code has the potential to
trigger this denial on every snap launch so I'm fast-pathing this bug fix
instead of waiting on it to be applied upstream.

Tyler
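The testcase above, scripted as an added example (not part of the patch series): a checker that counts AppArmor "capable" denials for a given profile and capability name in log text, plus a hypothetical wrapper that runs the steps from the testcase and reads /var/log/syslog. The sample log lines are constructed for the checker, not real output.

```shell
#!/bin/sh
# Constructed sample log (not real output): one unrelated open denial plus the
# capable/net_admin denial that the testcase says must NOT appear after the fix.
SAMPLE_LOG='audit: type=1400 audit(1462575670.000:28): apparmor="DENIED" operation="open" profile="test" name="/etc/shadow" pid=1160 comm="cat" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1462575670.000:29): apparmor="DENIED" operation="capable" profile="test" pid=1161 comm="cat" capability=12 capname="net_admin"'

# Print the number of AppArmor "capable" denials on stdin that match the given
# profile and capability name. Returns 0 when none are present (fix verified)
# and 1 when at least one is present (fix missing or ineffective).
count_cap_denials() {
  _profile="$1"; _capname="$2"
  _n=$(grep -c "apparmor=\"DENIED\" operation=\"capable\" profile=\"$_profile\" .*capname=\"$_capname\"" || true)
  echo "$_n"
  [ "$_n" -eq 0 ]
}

# Hypothetical wrapper around the testcase: load the profile, read the sysctl
# under confinement, then check the log. Needs root and AppArmor. Logs are read
# from /var/log/syslog as in the testcase; pass the auditd log path as $1 if
# auditd is running.
run_testcase() {
  _log="${1:-/var/log/syslog}"
  echo "profile test { file, }" | sudo apparmor_parser -rq
  sudo aa-exec -p test -- cat /proc/sys/net/core/somaxconn
  if count_cap_denials test net_admin < "$_log" >/dev/null; then
    echo "PASS: no capable/net_admin denial logged for profile test"
  else
    echo "FAIL: capable/net_admin denial still logged for profile test"
    return 1
  fi
}
```

Run `run_testcase` on a patched and an unpatched kernel to compare; only the unpatched one should report FAIL.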
