Bug 1100944 - AppArmor network rule support - patch for backward compability for kernel 4.17+
AppArmor network rule support - patch for backward compability for kernel 4.17+
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Kernel
Current
Other openSUSE 42.2
: P5 - None : Normal (vote)
: ---
Assigned To: Goldwyn Rodrigues
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-07-11 19:39 UTC by Christian Boltz
Modified: 2022-07-21 17:23 UTC (History)
2 users (show)

See Also:
Found By: Beta-Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Boltz 2018-07-11 19:39:09 UTC
TL;DR:

Please replace the old AppArmor network rule patches with
    apparmor: patch to provide compatibility with v2.x net rules


Detailed version:

As you might know, support for network confinement with AppArmor went to the upstream 4.17 kernel. However, network rule support will only be enabled with AppArmor 3.0 userspace, which wasn't released yet. When using 2.x userspace, network confinement will be _disabled_ and confined applications can do _unlimited network access_. (I probably don't need to mention the security implications.)

John Johansen posted a compatibility patch today, which replaces the old AppArmor network patches the openSUSE kernel carries since years, and is needed to keep network access confined with current AppArmor 2.x userspace.

--------------------------------------------------------------------
Subject: [apparmor] 4.17 net compat patches
Date: Wednesday, 11. Juli 2018, 07:28:40 CEST
From: John Johansen <john.johansen@canonical.com>
To: apparmor <apparmor@lists.ubuntu.com>

The v2.x network compatibility patches are finally up in what I hope is their final form in the kernel.org git
    git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

    branch: git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

and the 
    kernel-patch/v4.17/ directory in the apparmor repo on gitlab.
    https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches/v4.17

These patches are provided for distros and users who used the older v2.x networking patches, and will never be upstreamed.

The first patch
    apparmor: patch to provide compatibility with v2.x net rules

can be used on its own if af_unix mediation was never used. The last 2 patches
    apparmor: af_unix mediation
    apparmor: fix use after free in sk_peer_label

are needed for af_unix mediation compatibility
--------------------------------------------------------------------

Since we never had support for af_unix (only Ubuntu had it), we'll only need the first patch to keep the network confinement.
Comment 1 Goldwyn Rodrigues 2018-07-16 18:26:18 UTC
Just pushed the patch. It should get pulled in kernel-source:master soon.

Thanks!
Comment 2 Christian Boltz 2018-08-09 15:26:46 UTC
Any news on this?

The Kernel:stable series.conf looks like the patch was not added, which also means the current kernel in Tumbleweed _does not enforce network rules and allows all network access_.
Comment 3 Goldwyn Rodrigues 2018-08-09 17:58:14 UTC
Try kotd:
http://download.opensuse.org/repositories/Kernel:/HEAD/standard/x86_64/

It will take time for it to percolate from master to tumbleweed official.
Comment 4 Goldwyn Rodrigues 2018-08-31 14:43:02 UTC
Patch present in kernel-default-4.18.5-1.6. Closing.