AppArmor does not restrict UNIX sockets in regular kernels

First written 2022-12-14; Last updated 2022-12-14

AppArmor does not restrict access to UNIX sockets in regular Linux kernels. Because UNIX sockets are addressed by a filesystem path, one would assume that AppArmor mediates access to them just as it does for files. However, only the kernel shipped by Ubuntu and its derivatives (not Debian and its derivatives!) provides proper access control for UNIX sockets. Two kinds of restrictions are needed: mediating the creation and use of UNIX sockets at all, and limiting access to specific socket paths (path-based mediation, which is how AppArmor confines access to regular files).

UNIX sockets are used by many services for local communication, including D-Bus. Socket-path restrictions configured in an AppArmor profile have no effect on those other kernels, and AppArmor does not warn about this: the profile loads and is enforced for file access while socket access goes unmediated.

Last verified on Debian GNU/Linux Bullseye (default 5.10 kernel and backports 6.0 kernel), Arch (6.0 kernel) and Ubuntu 22.04 (5.15 kernel) using the AppArmor command-line utilities in versions 2 and 3.

To verify whether UNIX sockets are restricted by AppArmor, save the following minimal profile as /etc/apparmor.d/usr.bin.nc.openbsd (on Debian and derivatives; Arch uses usr.bin.nc; adapt the paths on other systems):

profile /usr/bin/nc.openbsd {
    /usr/lib/** mr,
}

With AppArmor version 3 and the abi <abi/3.0> declaration, the creation and use of UNIX sockets is mediated as well (regular profiles get this permission from <abstractions/base>, which this minimal profile does not include), so use the following profile there:

abi <abi/3.0>,
profile /usr/bin/nc.openbsd {
    /usr/lib/** mr,
    unix (create),
}

Enable the profile with:

aa-enforce usr.bin.nc.openbsd

Then use nc (from the package netcat-openbsd on Debian and derivatives, openbsd-netcat on Arch) to test whether a connection to the system D-Bus socket is still possible:

nc -U /run/dbus/system_bus_socket

If a "Permission denied" error is printed, AppArmor restricts access to the UNIX socket. Otherwise it does not, even though the profile is loaded in enforce mode.

To verify that AppArmor is actually enforcing the profile, run the following command while nc is running:

aa-status

It should show something like:

7 profiles are in enforce mode.
   [...]
   /usr/bin/nc.openbsd
   [...]
1 processes are in enforce mode.
   /usr/bin/nc.openbsd (1182)

Additionally, after running the nc command, dmesg should contain the following audit entry, because the profile does not permit access to /etc/ld.so.cache (this confirms that the profile is enforced at all):

audit: type=1400 audit(1671001273.813:13): apparmor="DENIED" operation="open" profile="/usr/bin/nc.openbsd" name="/etc/ld.so.cache" pid=1822 comm="nc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Only Ubuntu's kernel mediates access to the socket path, so only there does dmesg also contain the following entry:

audit: type=1400 audit(1671003430.819:62): apparmor="DENIED" operation="connect" profile="/usr/bin/nc.openbsd" name="/run/dbus/system_bus_socket" pid=3857972 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

On Ubuntu, access can be permitted by adding the following rule to the profile:

/run/dbus/system_bus_socket rw,
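The whole procedure above, as an added example that is not part of the original article: a shell script that writes the test profile, loads it, runs nc against the socket and classifies the resulting dmesg entries. It is built around small helpers that can also be run against a saved log, so the classification logic can be checked without root. The helper names, the run/demo entry points and the NC_BIN/SOCKET variables are assumptions of this example; the actual check needs root, AppArmor and netcat-openbsd, while the profile and log helpers run anywhere.

```bash
#!/bin/bash
# Added example (not from the original article): automate the UNIX-socket
# mediation check. Helper names, variables and the entry points are our own.

NC_BIN="${NC_BIN:-/usr/bin/nc.openbsd}"          # Debian path; Arch: /usr/bin/nc
SOCKET="${SOCKET:-/run/dbus/system_bus_socket}"   # system D-Bus socket

# AppArmor names profile files after the binary path with the leading "/"
# dropped and every "/" replaced by ".", e.g. usr.bin.nc.openbsd.
profile_filename() {
    printf '%s\n' "${1#/}" | tr '/' '.'
}

# Print the minimal test profile. "2" gives the AppArmor 2 variant, "3" the
# AppArmor 3 variant with abi 3.0, where socket creation must be granted.
make_profile() {
    local ver="$1"
    if [ "$ver" = "3" ]; then printf 'abi <abi/3.0>,\n'; fi
    printf 'profile %s {\n' "$NC_BIN"
    printf '    /usr/lib/** mr,\n'
    if [ "$ver" = "3" ]; then printf '    unix (create),\n'; fi
    printf '}\n'
}

# Read kernel log lines on stdin; print "operation name" for every DENIED
# AppArmor event that belongs to the given profile.
denied_ops() {
    local profile="$1"
    grep -F 'apparmor="DENIED"' | grep -F "profile=\"$profile\"" \
        | sed -nE 's/.*operation="([^"]+)".* name="([^"]+)".*/\1 \2/p'
}

# Read "operation name" lines on stdin and decide whether the kernel mediated
# the socket path: a denied "connect" on the socket means it did.
classify() {
    local socket="$1"
    if grep -qE "^connect ${socket}\$"; then
        echo mediated
    else
        echo not-mediated
    fi
}

# Full check: install the profile, enforce it, connect with nc, inspect the
# kernel log written since. Requires root.
run_check() {
    local ver="$1"
    local file="/etc/apparmor.d/$(profile_filename "$NC_BIN")"
    make_profile "$ver" > "$file"
    aa-enforce "$file"
    local before
    before=$(dmesg | wc -l)
    # On an unmediated socket nc connects and waits for input, so cap the run;
    # a denied connect makes nc exit non-zero immediately.
    timeout 2 "$NC_BIN" -U "$SOCKET" </dev/null || true
    dmesg | tail -n +"$((before + 1))" | denied_ops "$NC_BIN" | classify "$SOCKET"
}

# The two audit lines quoted in the article, used here as constructed sample
# input (the first is logged by every kernel, the second only by Ubuntu's).
SAMPLE_AUDIT='audit: type=1400 audit(1671001273.813:13): apparmor="DENIED" operation="open" profile="/usr/bin/nc.openbsd" name="/etc/ld.so.cache" pid=1822 comm="nc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1671003430.819:62): apparmor="DENIED" operation="connect" profile="/usr/bin/nc.openbsd" name="/run/dbus/system_bus_socket" pid=3857972 comm="nc" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0'

# Classify a saved log (the sample by default) without touching the system.
classify_log() {
    printf '%s\n' "${1:-$SAMPLE_AUDIT}" | denied_ops "$NC_BIN" | classify "$SOCKET"
}

case "${1:-}" in
    run)  run_check "${2:-3}" ;;   # sudo ./check.sh run 3   (or: run 2)
    demo) classify_log ;;          # ./check.sh demo  -> mediated
esac
```

Run as root with "run 3" (or "run 2" with the AppArmor 2 utilities) it prints mediated on Ubuntu's kernel and not-mediated on Debian's or Arch's; "demo" classifies the two audit lines quoted above without touching the system.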
