[pkg-apparmor] Bug#1054123: Bug#1054123: apparmor breaks nfs root

Christian Boltz debian-bugs at cboltz.de
Tue Oct 17 22:21:43 BST 2023


Hello,

(cross-posting to the referenced bug so that the information appears in 
both bugs)

Am Dienstag, 17. Oktober 2023, 14:18:43 CEST schrieb Anton Ivanov:
> The default profile denies network functionality and it breaks
> man and other software which has an apparmor profile. They stop
> working on NFS.
>
> For an example see Debian bug 1054115
>
> While it is possible to solve it on a case by case basis, the
> right bugfix is to check if root and/or /usr are on NFS and
> load an extra profile to allow network access.
>
> Alternatively, the kernel should stop treating network filesystem
> access as network access for apparmor purposes. That, however,
> is likely to be a bit difficult.
[...]
> Kernel: Linux 5.10.0-22-amd64 (SMP w/12 CPU threads)

This issue was fixed in kernel 6.0 [1] - which means your 5.10.0 kernel 
is too old and doesn't contain the fix yet.

Unfortunately I don't know the exact commit, or how hard it would be to 
backport the fix to an older kernel. (If you are interested in 
backporting, I'd recommend asking John Johansen for details.)

If upgrading to a newer kernel is not an option, a possible workaround 
is to add
    network inet stream,
    network inet6 stream,
to the affected profile or an abstraction - or to abstractions/base if you 
really want it in all profiles.

Note: These two rules allow _all_ TCP/IP network access, not only NFS.

Also note that abstractions/nameservice already contains these two rules 
(for DNS resolution etc.), so this workaround is already accidentally in 
place in some profiles ;-)


Regards,

Christian Boltz

[1] see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499
    comment 13
-- 
Having a presentation after the lunch break when the sun is shining really sucks.
[Josef Reidinger in yast-devel]
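The mail suggests checking whether / or /usr is on NFS before deciding on the workaround, and then adding two `network` rules to the affected profile or an abstraction. The script below is an added example (it is not part of Christian Boltz's mail or of the Debian apparmor package): it reads a mount table in `/proc/self/mounts` format from stdin, reports whether / or /usr is NFS-mounted, and prints the two rules quoted above so they can be dropped into a profile or a local abstraction snippet. The function names, the `nfs`/`nfs4` filesystem type check and the sample mount tables are constructed for this example; on a live system feed it `/proc/self/mounts`.

```shell
#!/bin/sh
# Added example, not from the bug report: decide whether the AppArmor
# network workaround from the mail is needed (root or /usr on NFS) and
# emit the two rules to add. Assumes /proc/self/mounts format:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>

# Read a mount table on stdin; print "yes" if / or /usr uses nfs or nfs4,
# otherwise "no". Pure awk so the check works on a constructed table too.
nfs_root_or_usr() {
    awk '
        $2 == "/" || $2 == "/usr" {
            if ($3 == "nfs" || $3 == "nfs4") { found = 1 }
        }
        END { print (found ? "yes" : "no") }
    '
}

# Convenience wrapper for a running system (reads the real mount table).
live_system_needs_workaround() {
    nfs_root_or_usr < /proc/self/mounts
}

# Print the two rules from the mail, indented for inclusion in a profile
# or abstraction. Note: they allow all TCP/IP traffic, not only NFS.
workaround_rules() {
    printf '  network inet stream,\n  network inet6 stream,\n'
}

# Constructed sample mount tables for testing the check offline.
SAMPLE_NFS_ROOT='10.0.0.5:/srv/root / nfs4 rw,relatime,vers=4.2 0 0
proc /proc proc rw,nosuid 0 0'
SAMPLE_NFS_USR='/dev/sda1 / ext4 rw,relatime 0 0
10.0.0.5:/srv/usr /usr nfs ro,relatime,vers=3 0 0'
SAMPLE_LOCAL='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
10.0.0.5:/srv/home /home nfs4 rw,relatime 0 0'

# Usage on a live system (kept out of the default path so the file can be
# sourced for testing):
#   if [ "$(live_system_needs_workaround)" = yes ]; then workaround_rules; fi
```

Only / and /usr are considered, matching the check proposed in the mail; an NFS-mounted /home (as in SAMPLE_LOCAL) does not trigger the workaround, because binaries and their profiles are not loaded from there.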