#712451 Please support AppArmor network rules

Package:
apparmor
Source:
apparmor
Description:
user-space parser utility for AppArmor
Submitter:
johnw
Date:
2023-08-03 09:03:03 UTC
Severity:
wishlist
Tags:
#712451#5
Date:
2013-06-16 07:53:11 UTC
From:
To:
Dear Maintainer,
*** Please consider answering these questions, where appropriate ***

   * What led up to the situation?
   reload apparmor rule.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   apparmor_parser -r rule

   * What was the outcome of this action?
   it show the waring message: "network rules not enforced"

   * What outcome did you expect instead?
   enforced network rules, without warning/error message.

   I think it is because debian kernel (my: linux-image-3.9-1-amd64/3.9.6-1) does not fully support apparmor, is it?
   is it ture, can you point me, where can I download the patches set,
   make the kernel support apparmor (at least support network rule).

   Do you use apparmor on debian with network rule? if yes,
   any suggestion, how to make the kernel support apparmor network rule
   on debian?

   If it is not the kernel problem, can you tell me how to make apparmor
   support network rule?

   Thank you.


*** End of the template - remove these lines ***

#712451#10
Date:
2013-06-16 08:30:44 UTC
From:
To:
Hi,

johnw wrote (16 Jun 2013 07:53:11 GMT) :

It's because the AppArmor patches about network mediation were not
merged upstream yet.

FYI Jessie's Debian kernel is not likely to ship out-of-tree AppArmor
patches, so I'm not reassigning to the linux package, but keeping it
under the apparmor package umbrella for the time being.

You may want to nag AppArmor upstream so that they have the network
mediation code merged into mainline Linux :)

Cheers,

#712451#19
Date:
2013-06-16 12:31:29 UTC
From:
To:
Ok, I am not complain, but did you talk to debian kernel team/developer
this issue?
again, I am not complain, I just want know, what (apparmor/kernel)
developer think.
If you never did it, I will open the new bug report to
linux-image(should I do it?)
thank you.

#712451#24
Date:
2013-06-16 13:26:27 UTC
From:
To:
Hi,

johnw wrote (16 Jun 2013 12:31:29 GMT) :

We talked during the Wheezy dev cycle, and they applied minimal
AppArmor patches at this time, but that was on the grounds that these
patches were well on their way to the mainline kernel, and therefore
probably would not be needed for Jessie. So I don't think it's useful
to ask them any such thing right now. The action that should be taken
now belongs upstream.

I don't think this would be a sensible move.
Please take the matter upstream instead, thanks :)

Cheers,

#712451#29
Date:
2014-01-03 03:08:34 UTC
From:
To:
intrigeri wrote (16 Jun 2013 13:26:27 GMT) :
situation. AppArmor userspace has been depending on out-of-tree kernel
patches since at least Linux 2.6.36, and there is little we can do
about it.

#712451#36
Date:
2018-04-20 08:45:24 UTC
From:
To:
Linux v4.17-rc1 now supports basic socket mediation, which will allow
us to close this bug report:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56974a6fcfef69ee0825bd66ed13e92070ac5224

:)

#712451#41
Date:
2018-04-20 15:21:42 UTC
From:
To:
Woohoo!

What's next left, DBus?

#712451#46
Date:
2018-06-13 17:44:58 UTC
From:
To:
intrigeri:

… which made it into v4.17 final :)

We could start testing our policy locally with socket
mediation enabled. To do so:

 - run Linux from Debian experimental (it currently has 4.17~rc7-1~exp1)
 - disable feature-set pinning or update the feature-set to enable
   these new features

Also, it would be nice to test Linux 4.17 with the feature-sets we
ship in Stretch and testing/sid, in order to catch any bug like
#883703 ASAP.

I'll be very busy until DebCamp so it's unlikely I do much on this
front until then (best case I'll press the right buttons to enable
this on my own system once 4.17 is in sid, but I won't have time to
test software I don't use myself).

Anyone excited?

#712451#51
Date:
2018-06-17 11:25:56 UTC
From:
To:
I am!

Currently I see no immediate breakages with Linux 4.17 and AppArmor 2.13
so far.

#712451#56
Date:
2018-06-17 11:50:13 UTC
From:
To:
```
$ sudo apt install -t experimental linux-headers-4.17.0-rc7-amd64
linux-image-4.17.0-rc7-amd64
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'linux-image-4.17.0-rc7-amd64-unsigned' instead of
'linux-image-4.17.0-rc7-amd64'
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  linux-headers-4.17.0-rc7-amd64 : Depends: linux-compiler-gcc-7-x86 (>=
4.14.17-1~) but it is not going to be installed
E: Unable to correct problems, you have held broken packages
```

linux-compiler-gcc-7-x86 needs gcc-7 that is not available?

```
  linux-compiler-gcc-7-x86 : Depends: gcc-7 (>= 7.2.0-20~) but it is not
installable
```

gcc-7 is only in Testing. Will 4.17 be available as Stretch backport at
all..?

#712451#61
Date:
2018-06-17 11:50:58 UTC
From:
To:
Vincas Dargis:

Amazing! \o/

Nice :)

#712451#71
Date:
2018-07-15 13:33:45 UTC
From:
To:
I've managed to install 4.17.0-rc3 and 4.18.0-rc4 with equivs hack, and I did not see any immediate
problems with some lightweight testing.

Though it would be really nice to have some sort of integration test suite for apparmor-confined
packages to do some serious testing before releasing upgrades...

#712451#76
Date:
2018-07-22 12:48:37 UTC
From:
To:
Hi Vincas,

Vincas Dargis:

Great.

Both on Stretch, right?

Did you disable feature-set pinning entirely or update the feature-set
to enable the new features? If the latter, can you please share the
exact feature-set you've used?

Absolutely.

Cheers,

#712451#81
Date:
2018-07-23 16:00:51 UTC
From:
To:
Yes.

I have feature-set commented out.

Does Debian packages has infrastructure for integration tests that maintainer could run after building?

#712451#86
Date:
2018-07-24 10:26:56 UTC
From:
To:
Hi,

(John, one question for you below, please search for your name :)

Vincas Dargis:

OK!

I'm now running 4.17 from sid without feature set pinning and did not
notice any breakage either.

*But* I don't think that just upgrading to 4.17 actually gives me
network socket mediation. I have this in parser.conf:

  warn=rule-not-enforced
  warn=rule-downgraded

… and when compiling policy, I see "network rules not enforced" all
over the place.

Then I've read somewhere that network socket mediation might need
newer userspace (I'm running 2.13 from Debian experimental).

John, could you please tell me how I can benefit from the network
socket mediation feature that was merged into Linux 4.17?

Yes: autopkgtest. If you're interested in working on this, please
start a dedicated thread on the team ML or on a new bug report :)

Cheers,

#712451#91
Date:
2018-07-24 10:38:49 UTC
From:
To:
intrigeri:

John answered my question on IRC:

- "you can't yet. You will need an apparmor 3.0 beta which keeps
  getting delayed"
- "for various reasons, I won't let the network patches into the wild
  without the tie to the feature abi work"

So let's put this on the back burner until there's userspace available
to benefit from the new kernel feature.

#712451#96
Date:
2018-07-24 18:02:04 UTC
From:
To:

Aawww.. Anyway, good to know :) .

#712451#101
Date:
2019-03-02 16:20:15 UTC
From:
To:
I looked at the status of this on buster:

uname -a
Linux localhost.localdomain 4.19.0-2-amd64 #1 SMP Debian 4.19.16-1 (2019-01-17) x86_64 GNU/Linux

and the issue still can be reproduced (in the sense that telnet.netkit network access will not be blocked after enforcing the rule).

Except it is worse because this command:
sudo apparmor_parser -vr  /etc/apparmor.d/usr.bin.telnet.netkit
does not show anymore the message "network rules not enforced".

Should this be documented in /usr/share/doc/apparmor/README.Debian ?

This currently refers to: https://wiki.debian.org/AppArmor but there is no mention of this limitation in there.

Paolo

#712451#106
Date:
2019-03-30 13:58:16 UTC
From:
To:
Paolo Greppi:

FWIW, this is now mentioned in the manpage that documents the policy
language: apparmor.d(5)

Cheers,

#712451#111
Date:
2020-04-08 21:02:02 UTC
From:
To:
intrigeri:
mentions of features that does not work in Debian yet. Maybe such notice
should be placed in "Network Rules" section of the manual? Or in
"KNOWN BUGS"? So that newcomers will not be misguided (like me).

Okay, it's my bad that I have not checked explicitly if it works. But
IMO there is an issue with documentation if you can't understand from it
what is supposed to be working and what is not.

By the way, ping under apparmor fails with "ping: socket: Operation not
permitted", while wget or curl works pretty well under the same profile.
Don't know if it is supposed to be like it.

Heenec

#712451#116
Date:
2020-04-09 05:35:40 UTC
From:
To:
Hi,

Heenec (2020-04-09):

On my sid system I see this on top of apparmor.d(5):

NAME
       apparmor.d - syntax of security profiles for AppArmor.

DESCRIPTION
       AppArmor profiles describe mandatory access rights granted to given
       programs and are fed to the AppArmor policy enforcement module using
       apparmor_parser(8). This man page describes the format of the AppArmor
       configuration files; see apparmor(7) for an overview of AppArmor.

       Some features are not supported on Debian yet:

       Network Rules
       DBus rules
       Unix socket rules

I would gladly review a MR against Vcs-Git that implements this :)

#712451#121
Date:
2020-10-01 23:47:58 UTC
From:
To:
Greetings,

As AppArmor v3.0 is now released[1], is there a chance that network, dbus and
sockets will be supported in Bullseye?

[1] https://lists.ubuntu.com/archives/apparmor/2020-October/012183.html

#712451#126
Date:
2020-10-05 17:42:50 UTC
From:
To:
AppArmor 3 allows use of networkv8 rules (ie, what is in the upstream
kernel) so apparmor 3 in Debian would allow for this to work.

The upstream kernel does not yet support AF_UNIX rules, so anonymous
sockets, abstract sockets and dbus won't be available. Work has picked
up to get this into the upstream kernel (perhaps 5.11).

#712451#131
Date:
2021-01-07 12:22:42 UTC
From:
To:
A special case worth mentioning in this case might be that while
normal profiles get re-loaded after being installed - this is not
required (nor working) for abstraction files.

#712451#136
Date:
2021-01-07 17:41:47 UTC
From:
To:
Hello,

Am Donnerstag, 7. Januar 2021, 13:22:42 CET schrieb Christian Ehrhardt:

I'm not sure if this comment was really meant for this bug, but I'll
answer nevertheless ;-)  (If it was on the wrong bug, feel free to also
forward the comment below to the right one.)

You are right that you can't reload an abstraction.

However, you could reload all profiles ;-)  and maybe you should
consider to do this if an abstraction changes. (In theory it could have
side effects if there are modified, but intentionally-not-yet-reloaded
profiles. In practise, I'd prefer these side effects over having
profiles with outdated abstractions loaded.)


Regards,

Christian Boltz

PS: In case you wonder - the openSUSE package apparmor-abstractions
    reloads all profiles in its postinstall script.

#712451#141
Date:
2021-11-29 20:10:30 UTC
From:
To:
 Greetings From KNOC,

Hope my mail finds you in good health.

We the Korea National Oil corporation (KNOC) invite you to partner with us
and benefit in our 2021 Loan funding program.

(KNOC) is a Giant in maintains extensive technology, oil exploration,
development, production and financing investment project, KNOC investment
funding activity specializes in real estate and hospitality, industrial and
sustainable technologies, strategic financial investments, Starting up
Business Expansion, Commercial Real Estate purchase, Contract Execution,
Healthcare services, Agriculture, manufacturing, mining and Energy
projects.

KNOC offers 1.5% commission to brokers, who wish to work with us by
presenting viable project owners for project finance or other
opportunities.

Korea National Oil Corporation (KNOC) is acting as a lender and the fund
will be disbursed on a clear interest rate of 3.5% annually to our partners
and Entrepreneurs for their investment projects.

Contact us on the below emails for further discussion.

Thank you looking forward hearing from you soonest

Best Regards,
Lee Seungho
Loan Processor
On behalf of Mr. Su Yang Young

#712451#146
Date:
2023-08-03 09:02:02 UTC
From:
To:
Hi,

Lambda Team (2023-04-18):

Right, as documented in the apparmor.d(5) manpage on Debian:

  Some features are not supported on Debian yet:

       Network Rules
       DBus rules
       Unix socket rules

This is tracked on https://bugs.debian.org/712451, which is probably
outdated, since I believe things have improved since the last update
there. As you mentioned, on Bookworm, with AppArmor 3.0 userspace, we
should have at least some support for network mediation (as in, given
a policy without any network rule, network operations will be denied).

If someone tested on Bookworm or newer, and reported back how they
tested this (ideally in a way that others can review & reproduce),
then we could:

 - update the doc accordingly
 - fix (or at least track) any remaining problem

Cheers,