[apparmor] allow reading squid binary
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
squid (Ubuntu) | Fix Released | Undecided | Unassigned |
Cosmic | Fix Released | Undecided | Unassigned |
squid3 (Ubuntu) | Invalid | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
* Squid ships with a (default disabled) apparmor profile
* In the current configuration this is blocking squid from working correctly (the profile was created for an older version)
* But the access that breaks it is not security critical and can be allowed, so the fix is adapting the profile to do so.
[Test Case]
* See the nice "steps to reproduce" just below, added by the reporter when filing the bug initially
[Regression Potential]
* Opening up an apparmor rule ever so slightly, I can't see a reasonable regression potential doing so.
[Other Info]
* n/a
---
Problem description:
Running squid in a container with a host using Bionic's kernel fails if squid's apparmor profile is enabled. The denial message is:
Sep 15 13:28:34 simon-laptop kernel: audit: type=1400 audit(153703251
Steps to reproduce:
Create a container named foo:
$ lxc launch ubuntu-daily:cosmic foo
Install squid:
$ lxc exec foo -- apt-get install -y squid
Confirm it's running fine:
$ lxc exec foo -- ps aux| grep squid
root 1012 0.0 0.0 68120 2320 ? Ss 17:46 0:00 /usr/sbin/squid -YC -f /etc/squid/
proxy 1015 0.0 0.0 108236 22068 ? S 17:46 0:00 (squid-1) -YC -f /etc/squid/
proxy 1022 0.0 0.0 5736 1352 ? S 17:46 0:00 (logfile-daemon) /var/log/
Enable the AppArmor profile (disabled by default):
$ lxc exec foo -- rm /etc/apparmor.
$ lxc exec foo -- apparmor_parser -r -W -T /etc/apparmor.
$ lxc exec foo -- service squid restart
Check if squid is still running:
$ lxc exec foo -- ps aux| grep squid
It is not running anymore, and looking at the host's journalctl, we see an AppArmor denial message:
$ journalctl -o cat -k | tail -n1
audit: type=1400 audit(153703375
A workaround is to allow read access to the binary.
Workaround:
$ lxc exec foo -- sed -i 's/squid ix,$/squid rix,/' /etc/apparmor.
$ lxc exec foo -- apparmor_parser -r -W -T /etc/apparmor.
$ lxc exec foo -- service squid restart
Check if squid started fine this time:
$ lxc exec foo -- ps aux| grep squid
root 1283 0.0 0.0 68120 2320 ? Ss 17:53 0:00 /usr/sbin/squid -YC -f /etc/squid/
proxy 1285 0.0 0.0 108240 22140 ? S 17:53 0:00 (squid-1) -YC -f /etc/squid/
proxy 1286 0.0 0.0 5736 1304 ? S 17:53 0:00 (logfile-daemon) /var/log/
Additional information:
$ lxc exec foo -- lsb_release -rd
Description: Ubuntu Cosmic Cuttlefish (development branch)
Release: 18.10
$ lxc exec foo -- apt-cache policy squid
squid:
Installed: 3.5.27-1ubuntu1
Candidate: 3.5.27-1ubuntu1
Version table:
*** 3.5.27-1ubuntu1 500
500 http://
100 /var/lib/
Note: the problem also exists on Bionic, so once Cosmic is fixed, an SRU to Bionic would be nice.
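As an added example (not part of the bug report or the squid package), the following Python script does in code what the reporter's diagnosis and sed workaround do by hand: it parses AppArmor audit records of the kind quoted above, picks out denials where a confined program was refused read access to the very binary its profile is attached to, and rewrites the matching `ix` rule to `rix`. The audit lines and the profile fragment are constructed (the page's own lines are truncated), and the profile path /usr/sbin/squid and field values are assumptions.

```python
import re

# Constructed audit records in AppArmor's key=value format (the lines quoted in
# the bug report are truncated, so these stand in for them). Record 1 is the
# denial the report describes: squid refused read access to its own binary.
SAMPLE_AUDIT = [
    'audit: type=1400 audit(1537032519.123:45): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=1015 comm="squid" '
    'requested_mask="r" denied_mask="r" fsuid=13 ouid=0',
    'audit: type=1400 audit(1537032519.456:46): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/squid" name="/var/log/squid/cache.log" pid=1015 comm="squid" '
    'requested_mask="w" denied_mask="w" fsuid=13 ouid=0',
]

# Constructed profile fragment in the shape of the shipped one: the binary may
# execute itself (ix) but has no r permission on its own path.
SAMPLE_PROFILE = """/usr/sbin/squid {
  /usr/sbin/squid ix,
  /etc/squid/** r,
}
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def self_read_denials(lines):
    """Yield (profile, path) for DENIED records where the confined program was
    refused read access to the file its profile is attached to (name == profile)."""
    for line in lines:
        rec = parse_audit(line)
        if rec.get('apparmor') != 'DENIED':
            continue
        if rec.get('name') == rec.get('profile') and 'r' in rec.get('denied_mask', ''):
            yield rec['profile'], rec['name']

def allow_self_read(profile_text, binary):
    """Rewrite '<binary> ix,' to '<binary> rix,' (the report's sed workaround,
    generalised to any binary); rules that already carry r are left alone."""
    rule = re.compile(r'^([ \t]*)' + re.escape(binary) + r'[ \t]+ix,$', re.M)
    return rule.sub(lambda m: f'{m.group(1)}{binary} rix,', profile_text)

def fix_profile(profile_text, audit_lines):
    """Apply allow_self_read once for every self-read denial found in the log."""
    for _profile, path in self_read_denials(audit_lines):
        profile_text = allow_self_read(profile_text, path)
    return profile_text
```

Running `fix_profile(SAMPLE_PROFILE, SAMPLE_AUDIT)` returns the fragment with `/usr/sbin/squid rix,` and leaves the write denial on the log file alone, since that is a different problem from the one this bug fixes.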
Related branches
- Andreas Hasenack: Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
- Diff: 29 lines (+9/-1), 2 files modified: debian/changelog (+8/-0), debian/usr.sbin.squid (+1/-1)
- Christian Ehrhardt (community): Approve
- Diff: 28 lines (+8/-1), 2 files modified: debian/changelog (+7/-0), debian/usr.sbin.squid (+1/-1)
Since the profile does not exist in Debian there isn't much upstreaming to do for the time being.
We can track migration into cosmic now and then consider an SRU.