Date | Who | What changed | Old value | New value | Message
2016-07-04 09:19:24 | knz | bug | | | added bug
2016-07-04 09:19:49 | knz | summary | missing apparmor definition for ntpd | incomplete apparmor definition for ntpd |
2016-08-03 06:50:57 | dino99 | bug task added | | apparmor (Ubuntu) |
2016-08-03 06:54:51 | dino99 | tags | | xenial yakkety |
2016-08-03 06:57:06 | Launchpad Janitor | apparmor (Ubuntu): status | New | Confirmed |
2016-08-03 06:57:06 | Launchpad Janitor | ntp (Ubuntu): status | New | Confirmed |
2016-08-10 18:29:08 | Robie Basak | ntp (Ubuntu): importance | Undecided | High |
2016-08-10 18:29:16 | Robie Basak | tags | xenial yakkety | bitesize xenial yakkety |
2016-08-10 18:29:52 | Robie Basak | bug | | | added subscriber Ubuntu Server Team
2016-08-10 20:51:04 | Robie Basak | ntp (Ubuntu): assignee | | Joshua Powers (powersj) |
2016-08-30 20:29:22 | Alberto Salvia Novella | apparmor (Ubuntu): importance | Undecided | High |
2016-08-31 05:48:13 | dino99 | tags | bitesize xenial yakkety | bitesize xenial |
2016-09-04 14:39:40 | sanford rockowitz | bug | | | added subscriber sanford rockowitz
2016-09-07 22:08:32 | Joshua Powers | ntp (Ubuntu): status | Confirmed | Incomplete |
2016-09-07 22:08:44 | Joshua Powers | apparmor (Ubuntu): status | Confirmed | Incomplete |
2016-09-07 22:29:08 | Joshua Powers | bug | | | added subscriber Joshua Powers
2016-10-11 21:54:03 | Tyler Hicks | summary | incomplete apparmor definition for ntpd | AppArmor nameservice abstraction doesn't allow communication with systemd-resolve |
2016-10-11 22:00:09 | Tyler Hicks | ntp (Ubuntu): status | Incomplete | Invalid |
2016-10-11 22:00:20 | Tyler Hicks | apparmor (Ubuntu): assignee | | Tyler Hicks (tyhicks) |
2016-10-11 22:00:24 | Tyler Hicks | apparmor (Ubuntu): status | Incomplete | Triaged |
2016-10-11 22:00:58 | Tyler Hicks | bug task added | | apparmor |
2016-10-11 22:01:10 | Tyler Hicks | summary | AppArmor nameservice abstraction doesn't allow communication with systemd-resolve | AppArmor nameservice abstraction doesn't allow communication with systemd-resolved |
2016-10-11 22:01:20 | Tyler Hicks | apparmor: status | New | In Progress |
2016-10-11 22:01:22 | Tyler Hicks | apparmor: importance | Undecided | High |
2016-10-11 22:01:24 | Tyler Hicks | apparmor: assignee | | Tyler Hicks (tyhicks) |
2016-10-12 02:59:54 | Tyler Hicks | description | (old value below) | (new value below) |

Old value:
On this plain install of Xenial apparmor complains about ntpd:
[ 19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 22.426246] audit: type=1400 audit(1467623333.434:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 22.771326] audit: type=1400 audit(1467623333.782:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 23.568548] audit: type=1400 audit(1467623334.574:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
Adding the following line to /etc/apparmor.d/usr.sbin.ntpd fixes the problem:
#include <abstractions/dbus-strict>

New value:
[ Impact ]
Processes confined by AppArmor profiles making use of the nameservice AppArmor abstraction are unable to access the systemd-resolved network name resolution service. The nsswitch.conf file shipped in Yakkety puts the nss-resolve plugin to use which talks to systemd-resolved over D-Bus. The D-Bus communication is blocked for the confined processes described above and those processes will fallback to the traditional means of name resolution.
[ Test Case ]
* Use ntpd to test:
$ sudo apt-get install -y ntp
...
$ sudo systemctl stop ntp
# in another terminal, watch for AppArmor denials
$ dmesg -w
# in the original terminal, start ntp
$ sudo systemctl start ntp
# You'll see a number of denials on the system_bus_socket file:
audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=3867 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0
* Use tcpdump to test:
# Capture traffic on whichever network interface you're currently using
$ sudo tcpdump -i eth0
# Look in /var/log/syslog for denials on the system_bus_socket file:
audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
In both situations, ntpd and tcpdump will seemingly work as expected due to the name resolution fallback configured in nsswitch.conf. However, neither confined process will be using systemd-resolved for name resolution.
[ Regression Potential ]
This fix will allow ntp, tcpdump, cupsd, dhclient, and other confined-by-default programs to start using systemd-resolved. There is some potential for regression since those applications have not been previously using systemd-resolved.
[ Original bug description ]
On this plain install of Xenial apparmor complains about ntpd:
[ 19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 22.426246] audit: type=1400 audit(1467623333.434:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 22.771326] audit: type=1400 audit(1467623333.782:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 23.568548] audit: type=1400 audit(1467623334.574:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
Adding the following line to /etc/apparmor.d/usr.sbin.ntpd fixes the problem:
#include <abstractions/dbus-strict>

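The test case above asks the verifier to watch dmesg or syslog for AppArmor denials on the system bus socket. The following added example (not part of the bug report or of the apparmor project) parses AppArmor "DENIED" audit records of the kind quoted in the description, counts them per profile/operation/path, and lists the profiles whose connect() to /run/dbus/system_bus_socket was refused, which is the silent "fallback name resolution" symptom the description explains. The sample lines are copied from the description; `SAMPLE_LOG`, the function names and the triage hint are this example's own assumptions.

```python
"""Summarize AppArmor DENIED audit records per confined profile.

Added example, not code from the Launchpad bug or the apparmor project.
The sample records are taken from the bug description; the summary logic
and the D-Bus triage hint are assumptions made for this example.
"""
import re
from collections import Counter

# key="quoted value" or key=bareword, as written in AppArmor audit records.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample: two ntpd denials and the tcpdump denial quoted in the
# bug description, plus an unrelated kernel line that must be ignored.
SAMPLE_LOG = """\
[   19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[   20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[   21.000000] systemd[1]: Started Network Time Service.
"""

DBUS_SYSTEM_SOCKET = "/run/dbus/system_bus_socket"


def parse_apparmor_record(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        key = m.group(1)
        # group 3 is the quoted form, group 4 the bare form (pid=4513, fsuid=121)
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def summarize_denials(log_text):
    """Count DENIED records keyed by (profile, operation, name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_apparmor_record(line)
        if rec and rec.get("apparmor") == "DENIED":
            counts[(rec.get("profile"), rec.get("operation"), rec.get("name"))] += 1
    return counts


def dbus_blocked_profiles(counts):
    """Profiles whose connect() to the D-Bus system bus socket was denied.

    Assumption for this example: such a denial is the symptom the bug
    describes (nss-resolve cannot reach systemd-resolved), and the profile
    needs the dbus-strict abstraction or the fixed nameservice abstraction.
    """
    return sorted({profile for (profile, op, name) in counts
                   if op == "connect" and name == DBUS_SYSTEM_SOCKET})


if __name__ == "__main__":
    counts = summarize_denials(SAMPLE_LOG)
    for (profile, op, name), n in sorted(counts.items()):
        print(f"{n:3d}  {profile}  {op}  {name}")
    for profile in dbus_blocked_profiles(counts):
        print(f"{profile}: system bus connect denied; name resolution is "
              "falling back to the other nsswitch sources instead of systemd-resolved")
```

On a real system, feed it the output of `dmesg` or the contents of /var/log/syslog instead of `SAMPLE_LOG`; a profile that shows up in `dbus_blocked_profiles` is one whose program "seemingly works" in the sense the description uses, while not actually reaching systemd-resolved.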
2016-10-13 06:22:23 | Martin Pitt | nominated for series | | Ubuntu Yakkety |
2016-10-13 06:22:23 | Martin Pitt | bug task added | | ntp (Ubuntu Yakkety) |
2016-10-13 06:22:23 | Martin Pitt | bug task added | | apparmor (Ubuntu Yakkety) |
2016-10-13 06:22:54 | Martin Pitt | apparmor (Ubuntu Yakkety): status | Triaged | Fix Committed |
2016-10-13 06:22:57 | Martin Pitt | bug | | | added subscriber Ubuntu Stable Release Updates Team
2016-10-13 06:23:00 | Martin Pitt | bug | | | added subscriber SRU Verification
2016-10-13 06:23:07 | Martin Pitt | tags | bitesize xenial | bitesize verification-needed xenial |
2016-10-13 20:26:55 | Tyler Hicks | tags | bitesize verification-needed xenial | bitesize verification-done xenial |
2016-10-13 20:28:40 | Tyler Hicks | apparmor: status | In Progress | Triaged |
2016-10-13 20:28:40 | Tyler Hicks | apparmor: assignee | Tyler Hicks (tyhicks) | |
2016-10-13 20:48:03 | Christian Boltz | tags | bitesize verification-done xenial | aa-policy bitesize verification-done xenial |
2016-10-19 17:57:34 | Jared Fernandez | bug | | | added subscriber Jared Fernandez
2016-10-20 06:12:27 | Launchpad Janitor | apparmor (Ubuntu): status | Fix Committed | Fix Released |
2016-10-20 19:45:47 | Martin Pitt | removed subscriber Ubuntu Stable Release Updates Team | | |
2016-10-20 19:45:46 | Launchpad Janitor | apparmor (Ubuntu Yakkety): status | Fix Committed | Fix Released |
2017-01-31 23:08:35 | John Johansen | apparmor: status | Triaged | Fix Released |
2017-01-31 23:29:32 | Tyler Hicks | apparmor: status | Fix Released | Triaged |
2017-07-23 22:46:03 | Václav Haisman | bug | | | added subscriber Václav Haisman
2017-07-23 22:46:15 | Václav Haisman | tags | aa-policy bitesize verification-done xenial | aa-policy bitesize verification-done xenial zesty |