[apparmor] AppArmor treats regular NFS file access as network op

Markus Kuhn Markus.Kuhn at cl.cam.ac.uk
Fri Oct 12 13:15:03 UTC 2018


AppArmor as shipped in Ubuntu 18.04 blocks processes from
accessing NFS-mounted files with

   apparmor="DENIED" operation="sendmsg" requested_mask="send" denied_mask="send"

unless network access is granted:

   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499

Is this really by design or just a bug?

Does the documentation warn about this?

This is certainly unexpected, as the user process never opens a socket or
calls sendmsg(), and merely tries to open a normal file for
which it has AppArmor file-path permissions. When a process covered
by a profile accesses a file in an NFS-mounted file system,
any socket operations related to that are performed either by the kernel,
or, after a kernel upcall, by NFS helper processes such as automount,
rpc.gssd (for sec=krb5 Kerberos authentication) and nfsidmap (for NFSv4
uid<->name mapping), running as a system user.

This has certainly been causing problems, e.g. for users of "snap"
and "man" with NFS-mounted $HOME.

   https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1662552

It would be very useful if AppArmor could distinguish between
explicit network traffic created by an application that opens
sockets, and implicit network traffic caused by an application
merely accessing files on an already-mounted networked file system.

Markus

-- 
Markus Kuhn, Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain
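As an added triage example (not part of Markus's message or of the AppArmor project), the script below parses audit lines in the format quoted above, separates socket-operation denials (the kind the NFS path produces) from ordinary file-path denials, and prints the AppArmor network rule that would grant each; the sample log lines, profile names and the SOCKET_OPS set are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample audit lines modelled on the format quoted in the post;
# profile names, pids and timestamps are made up for illustration.
SAMPLE_LOG = """\
audit: type=1400 audit(1539349200.123:45): apparmor="DENIED" operation="sendmsg" profile="/usr/bin/man" pid=4242 comm="man" family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
audit: type=1400 audit(1539349201.456:46): apparmor="DENIED" operation="open" profile="/usr/bin/man" pid=4242 comm="man" name="/etc/shadow" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1539349202.789:47): apparmor="DENIED" operation="sendmsg" profile="snap.foo.bar" pid=5151 comm="foo" family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
audit: type=1400 audit(1539349203.000:48): apparmor="ALLOWED" operation="sendmsg" profile="/usr/bin/man" pid=4242 comm="man" family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
"""

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# operations AppArmor mediates as network access rather than file access (assumed set)
SOCKET_OPS = {"sendmsg", "recvmsg", "create", "connect", "bind", "listen", "accept"}

def parse_line(line):
    """Return the key=value fields of one audit line as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def socket_denials(log_text):
    """Keep only DENIED records whose operation is a socket operation."""
    out = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") == "DENIED" and f.get("operation") in SOCKET_OPS:
            out.append(f)
    return out

def summarize(log_text):
    """Count socket denials per (profile, operation, family, sock_type)."""
    return Counter((f.get("profile"), f.get("operation"), f.get("family"), f.get("sock_type"))
                   for f in socket_denials(log_text))

def suggest_rule(fields):
    """AppArmor network rule that would permit the denied socket access."""
    return f'network {fields["family"]} {fields["sock_type"]},'

if __name__ == "__main__":
    for (profile, op, family, sock_type), n in summarize(SAMPLE_LOG).items():
        rule = suggest_rule({"family": family, "sock_type": sock_type})
        print(f"{profile}: {n} x {op} -> {rule}")
```

The suggested rule widens the profile to every socket of that family and type, which is exactly the coarse trade-off the post describes; it tells you which profiles are affected, not whether the widening is acceptable.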
