** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2077413
Title:
apparmor unconfined profile blocks signal sending
Status in AppArmor:
New
Status in apparmor package in Ubuntu:
New
Bug description:
Dear friends,
If I'm not missing anything, it looks like we have one more bug with
unconfined AppArmor profiles.
Reproducer description.
====================
1. Create 4 files with the following content:
# cat apparmor_signal_test_wrap.sh
#!/bin/sh
cat /proc/self/attr/apparmor/current
./apparmor_signal_test.sh
kill -9 $(cat test.pid)
# cat apparmor_signal_test.sh
#!/bin/sh
cat /proc/self/attr/apparmor/current
sleep 1000 &
echo $! > test.pid
# cat /etc/apparmor.d/home.ubuntu.apparmor_signal_test_wrap
#include <tunables/global>
"/home/ubuntu/apparmor_signal_test_wrap.sh" flags=(unconfined) {
#include <abstractions/base>
capability,
dbus,
file,
network,
}
# cat /etc/apparmor.d/home.ubuntu.apparmor_signal_test
#include <tunables/global>
"/home/ubuntu/apparmor_signal_test.sh" {
#include <abstractions/base>
capability,
dbus,
file,
network,
}
2. Load AppArmor profiles:
apparmor_parser -r /etc/apparmor.d/home.ubuntu.apparmor_signal_test
apparmor_parser -r /etc/apparmor.d/home.ubuntu.apparmor_signal_test_wrap
3. Run the program:
# ./apparmor_signal_test_wrap.sh
/home/ubuntu/apparmor_signal_test_wrap.sh (unconfined)
/home/ubuntu/apparmor_signal_test.sh (enforce)
./apparmor_signal_test_wrap.sh: 7: kill: Permission denied
4. Check dmesg:
[ 4043.092218] audit: type=1400 audit(1724153768.037:191): apparmor="DENIED" operation="signal" class="signal" profile="/home/ubuntu/apparmor_signal_test.sh" pid=10561 comm="apparmor_signal" requested_mask="receive" denied_mask="receive" signal=kill peer="/home/ubuntu/apparmor_signal_test_wrap.sh"
Expected behavior:
./apparmor_signal_test_wrap.sh should exit without any errors.
====================
This bug affects LXD when we enable a new unconfined mode (in lxd-support
snapd interface).
Originally, this problem was reported as a comment in another LP bug for
AppArmor:
https://bugs.launchpad.net/apparmor/+bug/2067900/comments/2
but it looks like the problem is deeper in this case.
We had to revert:
https://github.com/canonical/lxd-pkg-snap/pull/489
because of this and a few other issues.
System info:
# cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
# uname -a
Linux ubuntu 6.8.0-40-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul 5 10:34:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
# apt info apparmor
Package: apparmor
Version: 4.0.1really4.0.0-beta3-0ubuntu0.1
# apparmor_parser -V
AppArmor parser version 4.0.0~beta3
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2018 Canonical Ltd.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2077413/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
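As an added triage helper (not part of the bug report, of LXD or of AppArmor itself), the script below parses type=1400 signal audit records like the dmesg line in the reproducer, reports which side of the signal was refused, and prints the signal rule that would let the confined profile accept exactly that signal from that peer, which is the workaround available on the confined side while the flags=(unconfined) behaviour is under discussion. The second sample record is constructed to show the filter skipping non-signal denials.

```python
import re
from typing import Optional

# Constructed sample input: the DENIED record from the bug report (joined onto one
# line) plus one unrelated, constructed file denial that the filter must skip.
SAMPLE_DMESG = """\
[ 4043.092218] audit: type=1400 audit(1724153768.037:191): apparmor="DENIED" operation="signal" class="signal" profile="/home/ubuntu/apparmor_signal_test.sh" pid=10561 comm="apparmor_signal" requested_mask="receive" denied_mask="receive" signal=kill peer="/home/ubuntu/apparmor_signal_test_wrap.sh"
[ 4043.100000] audit: type=1400 audit(1724153768.040:192): apparmor="DENIED" operation="open" class="file" profile="/home/ubuntu/apparmor_signal_test.sh" name="/etc/shadow" pid=10562 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token (pid=10561, signal=kill)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_record(line: str) -> Optional[dict]:
    """Return the key=value fields of one AppArmor (type=1400) audit line, or None."""
    if "type=1400" not in line or 'apparmor="' not in line:
        return None
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def signal_denials(dmesg_text: str) -> list:
    """Keep only DENIED records produced by signal mediation."""
    records = (parse_audit_record(line) for line in dmesg_text.splitlines())
    return [r for r in records
            if r and r.get("operation") == "signal" and r.get("apparmor") == "DENIED"]


def explain(rec: dict) -> str:
    """Say which side refused: a 'receive' mask means the target's own profile
    rejected a signal arriving from the peer label, not the sender's profile."""
    side = "receiving from" if rec["denied_mask"] == "receive" else "sending to"
    return (f'profile {rec["profile"]} (pid {rec["pid"]}) was denied '
            f'{side} peer {rec["peer"]}: signal {rec["signal"]}')


def suggest_rule(rec: dict) -> str:
    """Signal rule for the denied profile allowing exactly this signal and peer."""
    return f'signal ({rec["denied_mask"]}) set=({rec["signal"]}) peer="{rec["peer"]}",'


if __name__ == "__main__":
    for rec in signal_denials(SAMPLE_DMESG):
        print(explain(rec))
        print("  rule to add to", rec["profile"] + ":", suggest_rule(rec))
```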