dnsmasq runs unconfined due to starting before apparmor on boot

Bug #1466103 reported by Craig
This bug affects 2 people

Affects: dnsmasq (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: audrey reed

Bug Description

Description and behavior are identical to Bug #573315. However, the solution to that bug was to make a change to /etc/apparmor.d/usr.sbin.libvirtd. There is no longer an apparmor profile /etc/apparmor.d/usr.sbin.libvirtd.

Tags: apparmor
Craig (craig-st)
affects: libvirt (Ubuntu) → dnsmasq (Ubuntu)
Craig (craig-st) wrote :

Additional info: Only happens intermittently.

Changed in dnsmasq (Ubuntu):
importance: Undecided → Critical
Serge Hallyn (serge-hallyn) wrote :

Did you install a profile yourself for dnsmasq? Could you show the result of:

  sudo aa-status

By default dnsmasq ships without a profile, but since you say "it happens intermittently" I assume you do have a custom profile...

Please also show the result of:

lsb_release -r
ls -l /sbin/init

Changed in dnsmasq (Ubuntu):
status: New → Incomplete
Craig (craig-st) wrote :

The dnsmasq apparmor profile comes from package apparmor-profiles. My installed version is apparmor-profiles 2.8.95~2430-0ubuntu5.1. It recently updated (June 16). I have only rebooted my machine three times since, and saw the "unconfined" only once. I will continue to watch to see if it occurs again.

$> lsb_release -r
Release: 14.04

$> ls -l /sbin/init
-rwxr-xr-x 1 root root 265848 Jul 18 2014 /sbin/init

aa-status is uploaded as attachment

Changed in dnsmasq (Ubuntu):
status: Incomplete → Triaged
Serge Hallyn (serge-hallyn) wrote :

Thanks. Can you show a list of the running dnsmasqs? Which dnsmasq starts unconfined? Is it the one started by network-manager, or by a custom script, or something else?

I think adding "stopped apparmor" to the 'start on' conditions of the job which starts dnsmasq should suffice to fix the problem for you.

Seth Arnold (seth-arnold) wrote :

I don't think "stopped apparmor" is going to do it -- the generic apparmor profiles are loaded via a sysv-init compatibility script.

I think the job file that starts this dnsmasq instance needs to use "apparmor load" before starting the process:

http://upstart.ubuntu.com/cookbook/#apparmor-load

I hope this helps

Craig (craig-st) wrote :

My currently running dnsmasq (which is confined the way it should be) was started by NetworkManager:

$> ps axjf
 PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
    1 1873 1873 1873 ? -1 Ssl 0 0:00 NetworkManager
 1873 2047 2047 1873 ? -1 S 65534 0:00 \_ /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.1.1 --conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
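An added check to go with the question of which dnsmasq starts unconfined (this is example code written for this page, not something from the bug report or from the dnsmasq or AppArmor projects). It reads each running dnsmasq's label from /proc/<pid>/attr/current, the same kernel interface aa-status reports from, and flags any instance that came up unconfined. The function names are my own, the sample labels are constructed, and pidof is assumed to be available (it is on Ubuntu 14.04).

```shell
#!/bin/sh
# Added example, not part of the bug report or of dnsmasq/AppArmor.
# Reads each running dnsmasq's AppArmor label from /proc/<pid>/attr/current
# (the same interface aa-status reads) and flags any that started unconfined.

# classify_label LABEL -> "unconfined", "unknown" or "confined".
# Typical labels: "unconfined", "/usr/sbin/dnsmasq (enforce)",
# "/usr/sbin/dnsmasq (complain)".
classify_label() {
    case "$1" in
        unconfined) echo unconfined ;;
        unknown|"") echo unknown ;;
        *)          echo confined ;;
    esac
}

# label_mode LABEL -> the mode in parentheses (enforce/complain), else "none".
label_mode() {
    case "$1" in
        *\(*\)) m=${1##*\(}; echo "${m%\)}" ;;
        *)      echo none ;;
    esac
}

# report_labels reads "PID LABEL" lines on stdin, prints one line per
# process and returns 1 if any process is unconfined, 0 otherwise.
report_labels() {
    rc=0
    while read -r pid label; do
        [ -z "$pid" ] && continue
        state=$(classify_label "$label")
        printf 'pid %s: %s (label=%s, mode=%s)\n' \
            "$pid" "$state" "$label" "$(label_mode "$label")"
        [ "$state" = unconfined ] && rc=1
    done
    return $rc
}

# scan_dnsmasq feeds the live labels of running dnsmasq processes to
# report_labels. pidof is assumed to be available (it is on Ubuntu 14.04).
scan_dnsmasq() {
    for pid in $(pidof dnsmasq 2>/dev/null); do
        label=$(cat "/proc/$pid/attr/current" 2>/dev/null) || label=unknown
        printf '%s %s\n' "$pid" "$label"
    done | report_labels
}

# Constructed sample (not captured from a real system): the NetworkManager
# dnsmasq confined in enforce mode, plus a second instance that came up
# before the profiles were loaded.
SAMPLE='2047 /usr/sbin/dnsmasq (enforce)
3101 unconfined'

printf '%s\n' "$SAMPLE" | report_labels || echo "WARNING: unconfined dnsmasq found"
```

Run scan_dnsmasq from a cron job or after boot to catch the intermittent case this report describes; a non-zero exit means at least one dnsmasq is running without a profile, which is the same condition aa-status lists under "processes are unconfined but have a profile defined".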

Changed in dnsmasq (Ubuntu):
assignee: nobody → audrey reed (mrsperkins74)
status: Triaged → Fix Released