** Summary changed: - update network-service cap for netlink when fine-grained netlink mediation is available + update network-bind cap for netlink when fine-grained netlink mediation is available
** Package changed: ubuntu-core-security (Ubuntu) => snapd (Ubuntu) ** Tags added: snapd-interface ** Description changed: - See this from the network-service policy group: + See this from the network-bind interface: # java apps request this but seem to work fine without it. Netlink sockets # are used to talk to kernel subsystems though and since apps run as root, # allowing blanket access needs to be carefully considered. Kernel capabilities # checks (which apparmor mediates) *should* be enough to keep abuse down, # however Linux capabilities can be quite broad and there have been CVEs in # this area. The issue is complicated because reservied policy groups like # 'network-admin' and 'network-firewall' have legitimate use for this rule, # however a network facing server shouldn't typically be running with these - # policy groups. For now, explicitly deny to silence the denial. LP: # - deny network netlink dgram, + # policy groups. LP: #1499897 + # Note: for now, don't explicitly deny this noisy denial so --devmode isn't + # broken but eventually we may conditionally deny this. + #deny network netlink dgram, - When we have fine-grained netlink mediation we'll be in a position to - know what to allow and not allow. + + When we have fine-grained netlink mediation we'll be in a position to know what to allow and not allow. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1499897 Title: update network-bind cap for netlink when fine-grained netlink mediation is available To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1499897/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
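What the rule `network netlink dgram` actually mediates, as an added example (my code, not snapd's and not part of the bug above): a NETLINK_ROUTE datagram socket sending an RTM_GETLINK dump is the commonest unprivileged netlink use, and it is what glibc's getifaddrs(3) does when a Java program enumerates NetworkInterfaces. The script builds that request, parses the reply, and classifies the outcome the way a confined process sees it: with no rule the call succeeds and the profile logs the denial the description calls noisy; under an explicit `deny network netlink dgram,` the socket() call fails with EACCES. The netlink constants and struct layouts come from the kernel headers; the sample reply is constructed, not captured from a kernel, so the parser can be exercised without netlink access.

```python
"""Probe the netlink access covered by AppArmor's `network netlink dgram`."""
import errno
import os
import socket
import struct

# Values from <linux/netlink.h> and <linux/rtnetlink.h>
NETLINK_ROUTE = 0
NLMSG_ERROR, NLMSG_DONE = 2, 3
NLM_F_REQUEST, NLM_F_MULTI, NLM_F_DUMP = 0x01, 0x02, 0x300
RTM_NEWLINK, RTM_GETLINK = 16, 18
IFLA_IFNAME = 3
NLMSG_HDRLEN = 16          # sizeof(struct nlmsghdr)
IFINFOMSG_LEN = 16         # sizeof(struct ifinfomsg)
NLMSGHDR = "=IHHII"        # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
IFINFOMSG = "=BBHiII"      # ifi_family, pad, ifi_type, ifi_index, ifi_flags, ifi_change


def _align4(n):
    return (n + 3) & ~3


def nlmsg_header(data, off=0):
    """Return (len, type, flags, seq, pid) of the nlmsghdr at `off`."""
    return struct.unpack_from(NLMSGHDR, data, off)


def build_getlink_dump(seq=1):
    """RTM_GETLINK request with NLM_F_DUMP: ask the kernel for every link."""
    body = struct.pack(IFINFOMSG, socket.AF_UNSPEC, 0, 0, 0, 0, 0)
    hdr = struct.pack(NLMSGHDR, NLMSG_HDRLEN + len(body), RTM_GETLINK,
                      NLM_F_REQUEST | NLM_F_DUMP, seq, 0)
    return hdr + body


def _walk(data):
    """Parse one buffer of netlink messages; return (link names, saw NLMSG_DONE)."""
    names, off = [], 0
    while off + NLMSG_HDRLEN <= len(data):
        nlen, ntype, _flags, _seq, _pid = nlmsg_header(data, off)
        if nlen < NLMSG_HDRLEN or off + nlen > len(data):
            raise ValueError("truncated netlink message")
        if ntype == NLMSG_DONE:
            return names, True
        if ntype == NLMSG_ERROR:
            err = struct.unpack_from("=i", data, off + NLMSG_HDRLEN)[0]
            if err:                      # error 0 is a plain ACK
                raise OSError(-err, os.strerror(-err))
        elif ntype == RTM_NEWLINK:
            # rtattr records (len, type, data; 4-byte aligned) follow the ifinfomsg
            aoff, end = off + NLMSG_HDRLEN + IFINFOMSG_LEN, off + nlen
            while aoff + 4 <= end:
                alen, atype = struct.unpack_from("=HH", data, aoff)
                if alen < 4 or aoff + alen > end:
                    raise ValueError("bad rtattr")
                if atype == IFLA_IFNAME:
                    names.append(data[aoff + 4:aoff + alen].rstrip(b"\0").decode())
                aoff += _align4(alen)
        off += _align4(nlen)
    return names, False


def parse_link_names(data):
    return _walk(data)[0]


def probe_netlink(timeout=2.0):
    """Run the dump and classify the result: ok / denied / unavailable."""
    try:
        sock = socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM, NETLINK_ROUTE)
    except AttributeError:               # not Linux: no AF_NETLINK at all
        return {"status": "unavailable", "interfaces": []}
    except OSError as e:
        if e.errno in (errno.EACCES, errno.EPERM):   # LSM or capability refused it
            return {"status": "denied", "interfaces": []}
        return {"status": "unavailable", "interfaces": []}
    try:
        sock.settimeout(timeout)
        sock.sendto(build_getlink_dump(), (0, 0))   # destination pid 0 = the kernel
        names = []
        while True:
            part, done = _walk(sock.recv(65536))
            names.extend(part)
            if done:
                return {"status": "ok", "interfaces": names}
    except OSError as e:
        status = "denied" if e.errno in (errno.EACCES, errno.EPERM) else "unavailable"
        return {"status": status, "interfaces": []}
    except ValueError:
        return {"status": "unavailable", "interfaces": []}
    finally:
        sock.close()


def _newlink(index, name, seq=1):
    """Constructed RTM_NEWLINK record carrying only IFLA_IFNAME (test data)."""
    attr_data = name.encode() + b"\0"
    alen = 4 + len(attr_data)
    attr = struct.pack("=HH", alen, IFLA_IFNAME) + attr_data
    attr += b"\0" * (_align4(alen) - alen)
    body = struct.pack(IFINFOMSG, socket.AF_UNSPEC, 0, 0, index, 0, 0) + attr
    return struct.pack(NLMSGHDR, NLMSG_HDRLEN + len(body), RTM_NEWLINK,
                       NLM_F_MULTI, seq, 0) + body


# Constructed sample reply: two links, then NLMSG_DONE (not captured from a kernel).
SAMPLE_REPLY = (_newlink(1, "lo") + _newlink(2, "eth0")
                + struct.pack(NLMSGHDR + "i", 20, NLMSG_DONE, NLM_F_MULTI, 1, 0, 0))

if __name__ == "__main__":
    print("offline parse:", parse_link_names(SAMPLE_REPLY))
    print("live probe   :", probe_netlink())
```

Run it unconfined and it lists the host's links; run it inside a snap built without `network-bind` and compare `status` against the `DENIED` line in `journalctl -k` to see that the denial is logged but the call still works, which is the devmode trade-off the description is about. Under a profile that carries the commented-out `deny` rule, `status` becomes `denied` and nothing is logged.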