ACK: Re: [SRU][J][PATCH v2 0/2] Apparmor: Unshifted uids for hardlinks and unix sockets in user namespaces

Paolo Pisati paolo.pisati at canonical.com
Thu Nov 6 12:53:16 UTC 2025


On Thu, Oct 30, 2025 at 09:27:27AM -0500, Wesley Hershberger wrote:
> BugLink: https://bugs.launchpad.net/bugs/2121257
> 
> [ Impact ]
> 
> Apparmor-confined applications running in lxc containers may encounter denials
> when attempting to access hard links or unix sockets which would not be denied
> outside a user namespace. This occurs because the userns uid is not converted
> to a kuid before the permissions check.
> 
> This affects applications confined by apparmor and running in user namespaces.
> 
> The user who originally reported this described missing keyboard input for
> Firefox running in a LXD container due to EPERM against the ibus socket.
> 
> [ Test Plan ]
> 
> lxc launch ubuntu:24.04 podia # on Ubuntu 24.04 host
> lxc shell podia
> 
> Hard links:
> ```
> cat > linkit.aa <<EOF
> #include <tunables/global>
> 
> profile linkit {
> #include <abstractions/base>
> 
> /usr/bin/ln mr,
> 
> audit owner /root/link l,
> }
> EOF
> apparmor_parser linkit.aa
> 
> echo long > chain
> aa-exec -p linkit ln chain link
> ```
> 
> Expected result:
> 
> success (code 0)
> No denials on dmesg
> 
> Actual result:
> 
> permission denied
> 
> $ dmesg | tail
> ...
> apparmor="DENIED" operation="link" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit" name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" target="/root/chain" fsuid=1000000 ouid=0
> 
> Unix sockets:
> ```
> cat > sockit.aa <<EOF
> #include <tunables/global>
> 
> profile sockit {
> #include <abstractions/base>
> 
> /usr/bin/nc.openbsd mr,
> 
> audit owner /root/sock rw,
> }
> EOF
> apparmor_parser sockit.aa
> 
> nc -lkU sock &
> aa-exec -p sockit nc -U sock
> ```
> 
> Expected result:
> 
> open socket (Ctrl-C to exit)
> No denials on dmesg
> 
> Actual result:
> 
> permission denied
> 
> $ dmesg | tail
> ...
> apparmor="DENIED" operation="connect" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit" name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
> 
> [ Where problems could occur ]
> 
> The patches modify code that is only called when apparmor mediates access to
> unix sockets or hard links, so if the patches are incorrect we would expect
> to see denials or other failures related to hard links or unix sockets.
> 
> [ Other Information ]
> 
> Original mailing list submissions:
> https://lore.kernel.org/linux-security-module/20250416224209.904863-2-gabriel.totev@zetier.com/T/
> https://lists.ubuntu.com/archives/apparmor/2025-April/013602.html
> 
> Upstream patches:
> https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5bf96d20fd787e4909b755de4705d52f3458836
> https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3fa0af4cc8a31d4139ee85a7b0e3d9b4f37b3093
> 
> V1 -> V2: Backport for 5.15 (see backport descriptions for upstream references)
> 
> Gabriel Totev (2):
>   apparmor: shift ouid when mediating hard links in userns
>   apparmor: shift uid when mediating af_unix in userns
> 
>  security/apparmor/af_unix.c | 8 ++++++--
>  security/apparmor/file.c    | 6 ++++--
>  2 files changed, 10 insertions(+), 4 deletions(-)
> 
> -- 
> 2.34.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Paolo Pisati <paolo.pisati at canonical.com>
-- 
bye,
p.
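The denials quoted in the test plan above all carry fsuid=1000000 against ouid=0: the two ids differ by exactly the container's uid offset, which is the symptom of the cover letter's point that the userns uid is not converted to a kuid before the permissions check. The script below is an added example for this thread, not the kernel patch, the SRU test plan, or any code from the submitter. It parses AppArmor audit lines of that shape, implements the uid_map translation in both directions (the same arithmetic as the kernel's from_kuid()/make_kuid() over a `/proc/<pid>/uid_map` style table), and flags denials where fsuid and ouid only disagree because they sit in different uid spaces. The sample lines are constructed from the quoted dmesg output, the uid_map (0 -> 1000000, count 65536) is an assumption chosen to match the fsuid in those lines, and the function names are the example's own.

```python
"""Added example for this thread: it is not the kernel patch, the SRU test
plan, or any code from the submitter. It parses AppArmor audit denial lines
of the shape quoted above and checks whether fsuid and ouid only disagree
because they sit in different uid spaces, which is the symptom the series fixes.
"""
import re

# Constructed sample, modelled on the dmesg output quoted in the test plan.
SAMPLE_DMESG = """\
apparmor="DENIED" operation="link" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit" name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" target="/root/chain" fsuid=1000000 ouid=0
apparmor="DENIED" operation="connect" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit" name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
apparmor="DENIED" operation="open" class="file" profile="hostprof" name="/root/secret" pid=42 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Assumed container uid_map, in /proc/<pid>/uid_map order: (inside, outside, count).
# 0 -> 1000000 matches the fsuid seen in the quoted denials; the count is an assumption.
UID_MAP = [(0, 1000000, 65536)]

# key=value tokens; values are either "quoted" (may contain spaces, <, /) or bare.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _TOKEN.finditer(line)}


def from_kuid(uid_map, kuid):
    """Kernel-wide uid -> uid inside the namespace (None if unmapped), like from_kuid()."""
    for inside, outside, count in uid_map:
        if outside <= kuid < outside + count:
            return inside + (kuid - outside)
    return None


def make_kuid(uid_map, uid):
    """uid inside the namespace -> kernel-wide uid (None if unmapped), like make_kuid()."""
    for inside, outside, count in uid_map:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None


def classify_owner_denial(fields, uid_map):
    """Label a denial by how fsuid and ouid relate.

    'owner-match'             : same id, the denial is not an owner problem
    'unshifted-owner-mismatch': ids differ, but agree once fsuid is mapped
                                through uid_map (the symptom from the test plan)
    'owner-mismatch'          : a genuine owner mismatch
    """
    fsuid, ouid = int(fields["fsuid"]), int(fields["ouid"])
    if fsuid == ouid:
        return "owner-match"
    # LXD gives each container its own AppArmor policy namespace ("root//lxd-...");
    # only denials logged from such a namespace are candidates for the uid-shift symptom.
    in_child_ns = "//" in fields.get("namespace", "")
    if in_child_ns and from_kuid(uid_map, fsuid) == ouid:
        return "unshifted-owner-mismatch"
    return "owner-mismatch"


def scan(text, uid_map=UID_MAP):
    """Classify every DENIED line in text; returns [(profile, operation, label), ...]."""
    out = []
    for line in text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or "fsuid" not in f or "ouid" not in f:
            continue
        out.append((f["profile"], f["operation"], classify_owner_denial(f, uid_map)))
    return out


if __name__ == "__main__":
    for profile, op, label in scan(SAMPLE_DMESG):
        print(f"{profile:10} {op:8} {label}")
```

Feed it the host's `dmesg | grep apparmor` output with the container's real uid_map (read from `/proc/<container-init-pid>/uid_map` on the host). A run of `unshifted-owner-mismatch` results on `owner` rules logged from a `root//lxd-*` namespace is the signature this SRU addresses; with the fixed kernel installed the test plan expects those lines not to appear at all, and the third constructed line shows that a plain host-side owner mismatch is left alone.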