[SRU][J][PATCH v2 0/2] Apparmor: Unshifted uids for hardlinks and unix sockets in user namespaces

Wesley Hershberger wesley.hershberger at canonical.com
Thu Oct 30 14:27:27 UTC 2025


BugLink: https://bugs.launchpad.net/bugs/2121257

[ Impact ]

Apparmor-confined applications running in lxc containers may encounter denials
when attempting to access hard links or unix sockets which would not be denied
outside a user namespace. This occurs because the userns uid is not converted
to a kuid before the permissions check.

This affects applications confined by apparmor and running in user namespaces.

The user who originally reported this described missing keyboard input for
Firefox running in a LXD container due to EPERM against the ibus socket.
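The mismatch behind those denials can be seen in the quoted audit record: `fsuid=1000000` is the task's uid as the host kernel sees it, while `ouid=0` is the file owner's uid as seen inside the container. The following is an added Python model of that comparison, written for this page and not part of the patches or the kernel; the `/proc/<pid>/uid_map`-style mapping `0 1000000 65536` is a constructed assumption standing in for whatever the container actually has, and the audit line is the one from the test plan below.

```python
import re
from typing import Optional

# Constructed assumption: a uid_map line in the kernel's "ns_start host_start length"
# format, with in-namespace uid 0 mapped to host uid 1000000 (an LXD-style layout).
SAMPLE_UID_MAP = "0 1000000 65536\n"

# Audit record copied from the hard-link "Actual result" in the test plan.
SAMPLE_DENIAL = (
    'apparmor="DENIED" operation="link" class="file" '
    'namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit" '
    'name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" '
    'target="/root/chain" fsuid=1000000 ouid=0'
)


def parse_uid_map(text: str) -> list[tuple[int, int, int]]:
    """Parse uid_map lines of the form 'ns_start host_start length'."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        ns_start, host_start, length = (int(f) for f in fields)
        entries.append((ns_start, host_start, length))
    return entries


def ns_uid_to_kuid(uid_map: list[tuple[int, int, int]], ns_uid: int) -> Optional[int]:
    """Translate a uid as seen inside the namespace into the kernel-global (host) uid.

    Returns None for a uid outside every mapped range, i.e. one that has no
    valid kuid and can never match a real task's fsuid.
    """
    for ns_start, host_start, length in uid_map:
        if ns_start <= ns_uid < ns_start + length:
            return host_start + (ns_uid - ns_start)
    return None


def parse_audit_line(line: str) -> dict[str, str]:
    """Split an AppArmor audit record into key/value pairs (quoted or bare values)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def owner_rule_matches(fsuid: int, ouid: int,
                       uid_map: Optional[list[tuple[int, int, int]]] = None) -> bool:
    """Model of the 'owner' conditional: the task's fsuid must equal the object's owner.

    fsuid is taken to be a kuid already.  With uid_map=None the owner uid is compared
    unshifted (the behaviour that produces the denials); with a map it is shifted to
    a kuid first (the behaviour the patches restore).
    """
    owner_kuid = ouid if uid_map is None else ns_uid_to_kuid(uid_map, ouid)
    return owner_kuid is not None and owner_kuid == fsuid


def evaluate(line: str, uid_map_text: Optional[str]) -> str:
    """Re-run the owner check for an audit record, with or without uid shifting."""
    fields = parse_audit_line(line)
    fsuid, ouid = int(fields["fsuid"]), int(fields["ouid"])
    uid_map = parse_uid_map(uid_map_text) if uid_map_text else None
    return "ALLOWED" if owner_rule_matches(fsuid, ouid, uid_map) else "DENIED"


if __name__ == "__main__":
    print("unshifted owner check:", evaluate(SAMPLE_DENIAL, None))
    print("shifted owner check:  ", evaluate(SAMPLE_DENIAL, SAMPLE_UID_MAP))
```

Run as a script, the unshifted comparison reports DENIED for the quoted record and the shifted one ALLOWED, which is the gap the two patches close; `parse_audit_line` also works on the unix-socket record further down, which carries the same `fsuid=1000000 ouid=0` pair.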

[ Test Plan ]

lxc launch ubuntu:24.04 podia # on Ubuntu 24.04 host
lxc shell podia

Hard links:
```
cat > linkit.aa <<EOF
#include <tunables/global>

profile linkit {
#include <abstractions/base>

/usr/bin/ln mr,

audit owner /root/link l,
}
EOF
apparmor_parser linkit.aa

echo long > chain
aa-exec -p linkit ln chain link
```

Expected result:

success (code 0)
No denials on dmesg

Actual result:

permission denied

$ dmesg | tail
...
apparmor="DENIED" operation="link" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit" name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" target="/root/chain" fsuid=1000000 ouid=0

Unix sockets:
```
cat > sockit.aa <<EOF
#include <tunables/global>

profile sockit {
#include <abstractions/base>

/usr/bin/nc.openbsd mr,

audit owner /root/sock rw,
}
EOF
apparmor_parser sockit.aa

nc -lkU sock &
aa-exec -p sockit nc -U sock
```

Expected result:

open socket (Ctrl-C to exit)
No denials on dmesg

Actual result:

permission denied

$ dmesg | tail
...
apparmor="DENIED" operation="connect" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit" name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0

[ Where problems could occur ]

The patches modify code that is only called when apparmor mediates access to
unix sockets or hard links, so if the patches are incorrect we would expect
to see denials or other failures related to hard links or unix sockets.

[ Other Information ]

Original mailing list submissions:
https://lore.kernel.org/linux-security-module/20250416224209.904863-2-gabriel.totev@zetier.com/T/
https://lists.ubuntu.com/archives/apparmor/2025-April/013602.html

Upstream patches:
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5bf96d20fd787e4909b755de4705d52f3458836
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3fa0af4cc8a31d4139ee85a7b0e3d9b4f37b3093

V1 -> V2: Backport for 5.15 (see backport descriptions for upstream references)

Gabriel Totev (2):
  apparmor: shift ouid when mediating hard links in userns
  apparmor: shift uid when mediating af_unix in userns

 security/apparmor/af_unix.c | 8 ++++++--
 security/apparmor/file.c    | 6 ++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

-- 
2.34.1



