[SRU][J][PATCH v2 2/2] apparmor: shift uid when mediating af_unix in userns
Wesley Hershberger
wesley.hershberger at canonical.com
Thu Oct 30 14:27:29 UTC 2025
From: Gabriel Totev <gabriel.totev at zetier.com>
Avoid unshifted ouids for socket file operations as observed when using
AppArmor profiles in unprivileged containers with LXD or Incus.
For example, root inside container and uid 1000000 outside, with
`owner /root/sock rw,` profile entry for nc:
/root$ nc -lkU sock & nc -U sock
==> dmesg
apparmor="DENIED" operation="connect" class="file"
namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit"
name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr"
fsuid=1000000 ouid=0 [<== should be 1000000]
Fix by performing uid mapping as per common_perm_cond() in lsm.c
Signed-off-by: Gabriel Totev <gabriel.totev at zetier.com>
Fixes: c05e705812d1 ("apparmor: add fine grained af_unix mediation")
Signed-off-by: John Johansen <john.johansen at canonical.com>
(backported from commit 3fa0af4cc8a31d4139ee85a7b0e3d9b4f37b3093)
[whershberger:
i_uid_into_vfsuid => i_uid_into_mnt: 234a3113f28d02973ecf501f83d,
mnt_idmap => mnt_user_ns: 256c8aed2b420a7c57ed6469fbb0f8310f5aeec9,
path => u->path: bc6e5f6933b8e7b74858ac830d5b9b4ca10a099a]
Signed-off-by: Wesley Hershberger <wesley.hershberger at canonical.com>
---
security/apparmor/af_unix.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c
index d9344ee66af9..2aa1f3c86651 100644
--- a/security/apparmor/af_unix.c
+++ b/security/apparmor/af_unix.c
@@ -11,6 +11,7 @@
* License.
*/
+#include <linux/fs.h>
#include <net/tcp_states.h>
#include "include/audit.h"
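Review bot: the new include is what declares i_uid_into_mnt() used in the next hunk, but mnt_user_ns() is declared in linux/mount.h, not linux/fs.h; if af_unix.c reaches mount.h only transitively today, an explicit `#include <linux/mount.h>` alongside this one would make the dependency robust against header reshuffles in later stable updates.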
@@ -62,8 +63,11 @@ static inline int unix_fs_perm(const char *op, u32 mask, struct aa_label *label,
"deleted entry", -EACCES));
} else {
/* the sunpath may not be valid for this ns so use the path */
- struct path_cond cond = { u->path.dentry->d_inode->i_uid,
- u->path.dentry->d_inode->i_mode
+ struct inode *inode = u->path.dentry->d_inode;
+ kuid_t vfsuid = i_uid_into_mnt(mnt_user_ns(u->path.mnt), inode);
+ struct path_cond cond = {
+ .uid = vfsuid,
+ .mode = inode->i_mode,
};
return aa_path_perm(op, label, &u->path, flags, mask, &cond);
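Review bot: the substance is right: `cond.uid` is now the inode owner mapped through the mount's user namespace instead of the raw `i_uid`, so the `owner` qualifier matches the fsuid inside an unprivileged container, consistent with the common_perm_cond() approach the commit message cites. Two nits: the local is named `vfsuid` but, after the `i_uid_into_vfsuid => i_uid_into_mnt` substitution noted in the backport notes, it is a plain `kuid_t`, so calling it `uid` would avoid suggesting the upstream vfsuid_t type; and the comment above the block still only explains why the path is used, so a short addition such as `/* map the owner through the mount's userns, as common_perm_cond() does */` would tell the next reader why the inode is pulled into a local and mapped rather than read directly as before.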
--
2.34.1