[pkg-apparmor] Help needed understanding ntp AppArmor profile missing AF_UNIX deny

John Johansen john.johansen at canonical.com
Tue Dec 29 19:58:10 GMT 2020


On 12/28/20 11:59 PM, intrigeri wrote:
> Hi John,
> 
> John Johansen (2020-09-15):
>> On 9/15/20 12:55 AM, intrigeri wrote:
>>> John Johansen (2019-05-07):
>>>> The af_unix mediation has been bumped from the 5.2 pull request to
>>>> 5.3 as we ran into some issues and need to rework a bit around
>>>> the LSM stacking patches.
>>>
>>> I'm curious: what would an updated timeline look like?
>>>
>> This got further delayed. I was working on it to try to make 5.10 but
>> atm I think it is unlikely we will get it into 5.10, which means it
>> will be 5.11 at the earliest.
> 
> Could you please share an updated timeline?
> 
> (Whether we can hope this goes into mainline soonish or not impacts
> design decisions we have to do in the next couple weeks at Tails.)
> 

So I missed the 5.11 merge window, and am now targeting 5.12 (though I can't
guarantee it will land atm as it could get naks/require more revisions).
There have been numerous minor changes, and one big feature moved forward
that upstream af_unix depends on, which breaks the old abi (set of changes
included below for those interested) for the upstreaming effort, and
getting those tested and making sure we can have compatibility patches for
distros that carried the out-of-tree patches has taken more time than
planned for.


abi breaking changes between v5 and v8 af_unix mediation
- creation of anonymous sockets now mediated at create instead of use
- removal of double lock moves some mediation around potentially resulting
  in changed order of mediation on some requests. Meaning policy may need
  new rules as a differently ordered denial could have masked a permission
  request because it wasn't needed (denied).
- caching of peer label handling has changed, to be consistent with
  network_v8
- end point check for updated label changes tightens mediation in some cases
- cross check mediation and path based af_socket attribution has been
  changed so that different names/types at each end are supported.
  This is for odd cases like (a bound file based socket connecting to
  a bound file based socket).
- permissions between files, file-based af_unix sockets, and
  abstract/anonymous sockets have been made consistent. (big change)
