Verified (for myself) that the linux/6.8.0-86.87 kernel in noble- proposed solves the problem.
The steps and output are identical to message #4 above (except of course the uname output). -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2121257 Title: [SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user namespaces Status in linux package in Ubuntu: Fix Released Status in linux source package in Jammy: Deferred Status in linux source package in Noble: Fix Committed Status in linux source package in Plucky: Fix Committed Status in linux source package in Questing: Fix Released Bug description: [ Impact ] Apparmor-confined applications running in lxc containers may encounter denials when attempting to access hard links or unix sockets which would not be denied outside a user namespace. This occurs because the userns uid is not converted to a kuid before the permissions check. This affects applications confined by apparmor and running in user namespaces. The user who originally reported this described missing keyboard input for Firefox running in a LXD container due to EPERM against the ibus socket. [ Test Plan ] lxc launch ubuntu:24.04 podia # on Ubuntu 24.04 host lxc shell podia Hard links: ``` cat > linkit.aa <<EOF #include <tunables/global> profile linkit { #include <abstractions/base> /usr/bin/ln mr, audit owner /root/link l, } EOF apparmor_parser linkit.aa echo long > chain aa-exec -p linkit ln chain link ``` Expected result: success (code 0) Audit message on dmesg (no denials) Actual result: permission denied $ dmesg | tail ... apparmor="DENIED" operation="link" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="linkit" name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" target="/root/chain" fsuid=1000000 ouid=0 Unix sockets: ``` cat > sockit.aa <<EOF #include <tunables/global> profile sockit { #include <abstractions/base> /usr/bin/nc.openbsd mr, audit owner /root/sock rw, } EOF apparmor_parser sockit.aa nc -lkU sock & aa-exec -p sockit nc -U sock ``` Expected result: open socket (Ctrl-C to exit) Audit message on dmesg (no denials) Actual result: permission denied $ dmesg | tail ... apparmor="DENIED" operation="connect" class="file" namespace="root//lxd-podia_<var-snap-lxd-common-lxd>" profile="sockit" name="/root/sock" pid=3924 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0 [ Where problems could occur ] The patches modify code that is only called when apparmor mediates access to unix sockets or hard links, so if the patches are incorrect we would expect to see denials or other failures related to hard links or unix sockets. [ Other Information ] Original mailing list submissions: https://lore.kernel.org/linux-security-module/[email protected]/T/ https://lists.ubuntu.com/archives/apparmor/2025-April/013602.html Upstream patches: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5bf96d20fd787e4909b755de4705d52f3458836 https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3fa0af4cc8a31d4139ee85a7b0e3d9b4f37b3093 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2121257/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
