[DROPPED Jammy]: APPLIED: [SRU][J/N/P][PATCH 0/2] Apparmor: Unshifted uids for hardlinks and unix sockets in user namespaces
Stefan Bader
stefan.bader at canonical.com
Thu Sep 4 07:05:46 UTC 2025
On 01/09/2025 15:21, Stefan Bader wrote:
> On 26/08/2025 20:05, Wesley Hershberger wrote:
>> From: Wesley Hershberger <wesley.hershberger at canonical.com>
>>
>> BugLink: https://bugs.launchpad.net/bugs/2121257
>>
>> [ Impact ]
>>
>> Apparmor-confined applications running in lxc containers may encounter denials
>> when attempting to access hard links or unix sockets which would not be denied
>> outside a user namespace. This occurs because the userns uid is not converted
>> to a kuid before the permissions check.
>>
>> This affects applications confined by apparmor and running in user
>> namespaces.
>>
>> The user who originally reported this described missing keyboard input for
>> Firefox running in a LXD container due to EPERM against the ibus socket.
>>
>> [ Test Plan ]
>>
>> lxc launch ubuntu:24.04 podia # on Ubuntu 24.04 host
>> lxc shell podia
>>
>> Hard links:
>> ```
>> cat > linkit.aa <<EOF
>> #include <tunables/global>
>>
>> profile linkit {
>> #include <abstractions/base>
>>
>> /usr/bin/ln mr,
>>
>> audit owner /root/link l,
>> }
>> EOF
>> apparmor_parser linkit.aa
>>
>> echo long > chain
>> aa-exec -p linkit ln chain link
>> ```
>>
>> Expected result:
>>
>> success (code 0)
>> No denials on dmesg
>>
>> Actual result:
>>
>> permission denied
>>
>> $ dmesg | tail
>> ...
>> apparmor="DENIED" operation="link" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit" name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" target="/root/chain" fsuid=1000000 ouid=0
>>
>> Unix sockets:
>> ```
>> cat > sockit.aa <<EOF
>> #include <tunables/global>
>>
>> profile sockit {
>> #include <abstractions/base>
>>
>> /usr/bin/nc.openbsd mr,
>>
>> audit owner /root/sock rw,
>> }
>> EOF
>> apparmor_parser sockit.aa
>>
>> nc -lkU sock &
>> aa-exec -p sockit nc -U sock
>> ```
>>
>> Expected result:
>>
>> open socket (Ctrl-C to exit)
>> No denials on dmesg
>>
>> Actual result:
>>
>> permission denied
>>
>> $ dmesg | tail
>> ...
>> apparmor="DENIED" operation="connect" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit" name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
>>
>> [ Where problems could occur ]
>>
>> The patches modify code that is only called when apparmor mediates access to
>> unix sockets or hard links, so if the patches are incorrect we would expect
>> to see denials or other failures related to hard links or unix sockets.
>>
The patches have been dropped from 22.4/Jammy (5.15 kernel) because they
fail to compile.
/build/jammy/security/apparmor/file.c: In function 'aa_path_link':
/build/jammy/security/apparmor/file.c:466:9: error: unknown type name 'vfsuid_t'; did you mean 'uuid_t'?
466 | vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(target.mnt), inode);
| ^~~~~~~~
| uuid_t
CC kernel/bpf/prog_iter.o
CC lib/buildid.o
CC [M] drivers/s390/cio/ccwgroup.o
CC security/integrity/iint.o
/build/jammy/security/apparmor/file.c:466:27: error: implicit declaration of function 'i_uid_into_vfsuid'; did you mean 'i_uid_into_mnt'? [-Werror=implicit-function-declaration]
466 | vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(target.mnt), inode);
| ^~~~~~~~~~~~~~~~~
| i_uid_into_mnt
CC block/blk-mq-sysfs.o
CC lib/clz_tab.o
/build/jammy/security/apparmor/file.c:466:45: error: implicit declaration of function 'mnt_idmap' [-Werror=implicit-function-declaration]
466 | vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(target.mnt), inode);
| ^~~~~~~~~
CC [M] lib/raid6/tables.o
CC security/integrity/evm/evm_secfs.o
CC kernel/trace/trace_export.o
/build/jammy/security/apparmor/file.c:468:24: error: implicit declaration of function 'vfsuid_into_kuid' [-Werror=implicit-function-declaration]
468 | .uid = vfsuid_into_kuid(vfsuid),
| ^~~~~~~~~~~~~~~~
/build/jammy/security/apparmor/file.c:467:33: warning: missing braces around initializer [-Wmissing-braces]
467 | struct path_cond cond = {
| ^
468 | .uid = vfsuid_into_kuid(vfsuid),
| { }
CC [M] drivers/s390/char/fs3270.o
cc1: some warnings being treated as errors
>> [ Other Information ]
>>
>> Original mailing list submissions:
>> https://lore.kernel.org/linux-security-module/20250416224209.904863-2-gabriel.totev at zetier.com/T/
>> https://lists.ubuntu.com/archives/apparmor/2025-April/013602.html
>>
>> Upstream patches:
>> https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5bf96d20fd787e4909b755de4705d52f3458836
>> https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3fa0af4cc8a31d4139ee85a7b0e3d9b4f37b3093
>>
>> Gabriel Totev (2):
>> apparmor: shift ouid when mediating hard links in userns
>> apparmor: shift uid when mediating af_unix in userns
>>
>> security/apparmor/af_unix.c | 8 ++++++--
>> security/apparmor/file.c | 6 ++++--
>> 2 files changed, 10 insertions(+), 4 deletions(-)
>>
>
>
> Applied to plucky,noble,jammy:linux/master-next. Thanks.
>
> -Stefan
>
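Taking the two dmesg denials from the test plan above as sample input, here is an added Python triage helper (not part of the patch set, the bug report or this thread) that parses AppArmor audit records and flags link/connect denials inside a nested policy namespace where the unshifted ouid would have equalled fsuid once mapped through the container's uid map. The uid map base and range (LXD's default 1000000 start is assumed) and the third, host-namespace log line are constructed assumptions.

```python
import re

# Field syntax of an AppArmor audit record: key="quoted value" or key=bare
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Operations touched by the two patches: hard links and af_unix sockets.
SHIFT_OPS = {"link", "connect"}

# Constructed sample: the two dmesg lines from the test plan, rejoined onto
# single lines, plus one ordinary host-namespace denial for contrast.
SAMPLE_LOG = """\
apparmor="DENIED" operation="link" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit" name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" target="/root/chain" fsuid=1000000 ouid=0
apparmor="DENIED" operation="connect" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit" name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
apparmor="DENIED" operation="open" class="file" profile="other" name="/var/log/syslog" pid=42 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""


def parse_audit_line(line: str) -> dict:
    """Split one audit record into a key -> value dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def owner_matches_after_shift(entry: dict, uid_base: int, uid_count: int) -> bool:
    """Would fsuid equal ouid if ouid were mapped through the container's uid
    map? True means the `owner` rule should have matched, so the denial looks
    like the unshifted-ouid bug rather than a genuine owner mismatch."""
    fsuid, ouid = int(entry["fsuid"]), int(entry["ouid"])
    return 0 <= ouid < uid_count and uid_base + ouid == fsuid


def triage(log_text: str, uid_base: int = 1000000, uid_count: int = 1000000000) -> list:
    """Return (profile, operation, suspicious) for every DENIED record.
    uid_base/uid_count are an assumed container uid map; for a real container
    read /proc/<pid>/uid_map instead of relying on this default."""
    out = []
    for line in log_text.splitlines():
        entry = parse_audit_line(line)
        if entry.get("apparmor") != "DENIED":
            continue
        nested_ns = "//" in entry.get("namespace", "root")  # container policy ns
        suspicious = (nested_ns
                      and entry.get("operation") in SHIFT_OPS
                      and entry.get("fsuid") != entry.get("ouid")
                      and owner_matches_after_shift(entry, uid_base, uid_count))
        out.append((entry["profile"], entry["operation"], suspicious))
    return out
```

Records flagged True are candidates for this bug; a denial with a nested namespace but no shifted-uid match is a real policy mismatch and should be investigated as such.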