AppArmor: Explicitly allow netlink raw socket for Supervisor #370

Merged
merged 1 commit into from
Apr 10, 2024

@agners agners commented Apr 9, 2024

The Supervisor uses netlink raw sockets to get access to udev events sent through netlink. Technically, the rules so far have denied all raw sockets. However, in practice it seems that netlink raw sockets have still been working.

For unknown reasons, in Debian Bookworm that behavior changed: The rule now also denies netlink raw sockets.

This new ruleset starts off with the default setting (where almost everything seems to be denied), and enables explicitly what is needed in Supervisor. In tests this ruleset worked on Home Assistant OS as well as Debian Bookworm.

Fixes: home-assistant/supervisor#4381

@pvizeli pvizeli merged commit e6ff010 into master Apr 10, 2024
4 checks passed
@pvizeli pvizeli deleted the fix-network-in-apparmor-profile branch April 10, 2024 06:57
agners added a commit that referenced this pull request Apr 18, 2024
agners added a commit that referenced this pull request Apr 30, 2024
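
A check for the situation this pull request describes, as an added example that is not code from the Supervisor or this repository: it tries to create a netlink raw socket for kernel uevents from inside the confined process, and scans audit lines for AppArmor denials of that socket type. The profile name, process name and log lines are constructed for illustration.

```python
import re
import socket

AF_NETLINK = getattr(socket, "AF_NETLINK", 16)  # Linux value; absent elsewhere
NETLINK_KOBJECT_UEVENT = 15                     # kernel uevent protocol read by udev clients

def probe_netlink_raw(factory=socket.socket):
    """Try to create a netlink raw uevent socket and classify the outcome."""
    try:
        sock = factory(AF_NETLINK, socket.SOCK_RAW, NETLINK_KOBJECT_UEVENT)
    except PermissionError:
        return "denied"        # a profile denial surfaces as a permission error
    except OSError:
        return "unsupported"   # address family or protocol not available here
    sock.close()
    return "allowed"

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def netlink_raw_denials(lines):
    """Return (profile, comm) for each AppArmor denial of a netlink raw socket."""
    hits = []
    for line in lines:
        f = {k: v.strip('"') for k, v in _FIELD.findall(line)}
        if (f.get("apparmor") == "DENIED" and f.get("family") == "netlink"
                and f.get("sock_type") == "raw"):
            hits.append((f.get("profile"), f.get("comm")))
    return hits

# Constructed audit lines (hypothetical profile and process names).
SAMPLE_LOG = [
    'audit: type=1400 audit(1712650000.123:45): apparmor="DENIED" '
    'operation="create" profile="example-supervisor" pid=1234 comm="python3" '
    'family="netlink" sock_type="raw" protocol=15 '
    'requested_mask="create" denied_mask="create"',
    'audit: type=1400 audit(1712650001.456:46): apparmor="DENIED" '
    'operation="create" profile="example-supervisor" pid=1234 comm="ping" '
    'family="inet" sock_type="raw" protocol=1 '
    'requested_mask="create" denied_mask="create"',
    'audit: type=1400 audit(1712650002.789:47): apparmor="DENIED" '
    'operation="open" profile="example-supervisor" name="/etc/shadow" '
    'pid=1234 comm="cat" requested_mask="r" denied_mask="r"',
]

if __name__ == "__main__":
    print("netlink raw socket:", probe_netlink_raw())
    for profile, comm in netlink_raw_denials(SAMPLE_LOG):
        print(f"denied netlink raw: profile={profile} comm={comm}")
```

Run the probe inside the confined container; the audit lines themselves come from the host's kernel log.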