Ubuntu
ifupdown package

[SRU] race condition bringing up interfaces with AppArmor

Bug #689892 reported by Kees Cook
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ifupdown (Ubuntu)
Fix Released
Undecided
Kees Cook
Lucid
Fix Released
Undecided
Jamie Strandboge
Maverick
Fix Released
Undecided
Jamie Strandboge
Natty
Fix Released
Undecided
Kees Cook

Bug Description

Binary package hint: ifupdown

Due to a missing upstart feature (bug 568860), /etc/init/network-interface-security.conf's use of "start on (starting ... or starting ...)" does not block each of the list jobs. It is possible, for example for this to happen:

network-manger starting
network-interface-security starting
networking starting
networking runs and finishes, bringing up eth0, running dhclient3
network-interface-security runs and brings up dhclient3 profile
...

i.e. since network-manager caused network-interface-security to start, network-interface-security isn't involved and doesn't have to wait for it. To reduce the race, we can add "instance $JOB" to n-i-s, and add a stamp file to avoid it running multiple times (though it doesn't hurt to run multiple times, profile loading (and cache generation) is atomic).

Tags: patch apparmor
Revision history for this message
Kees Cook (kees) wrote :

You can trigger this race by adding "sleep 60" to the start of /etc/init.d/apparmor and adding "sleep 20" to the pre-start script in /etc/init/network-interface-security.conf. The result after boot will be seeing dhclient3 running but not enforced in "sudo aa-status".

Changed in ifupdown (Ubuntu Lucid):
status: New → Confirmed
Changed in ifupdown (Ubuntu Maverick):
status: New → Confirmed
Changed in ifupdown (Ubuntu Natty):
status: New → Confirmed
Revision history for this message
Kees Cook (kees) wrote :
tags: added: patch
Kees Cook (kees)
Changed in ifupdown (Ubuntu Natty):
assignee: nobody → Kees Cook (kees)
summary: - race condition bringing up interfaces with AppArmor
+ [SRU] race condition bringing up interfaces with AppArmor
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ifupdown - 0.6.10ubuntu4

---------------
ifupdown (0.6.10ubuntu4) natty; urgency=low

  * debian/ifupdown.network-interface{,-security}.upstart: handle race
    condition when loading AppArmor profiles for interfaces (LP: #689892).
 -- Kees Cook <email address hidden> Mon, 13 Dec 2010 13:53:12 -0800

Changed in ifupdown (Ubuntu Natty):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand)
Changed in ifupdown (Ubuntu Lucid):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ifupdown (Ubuntu Maverick):
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand)
Changed in ifupdown (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in ifupdown (Ubuntu Maverick):
status: Confirmed → Fix Committed
Jamie Strandboge (jdstrand)
tags: added: apparmor
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ifupdown - 0.6.10ubuntu3.1

---------------
ifupdown (0.6.10ubuntu3.1) maverick-security; urgency=low

  * debian/ifupdown.network-interface{,-security}.upstart: handle race
    condition when loading AppArmor profiles for interfaces (LP: #689892).
    Patch by Kees Cook.
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 12:40:01 -0600

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ifupdown - 0.6.8ubuntu29.2

---------------
ifupdown (0.6.8ubuntu29.2) lucid-security; urgency=low

  * debian/ifupdown.network-interface{,-security}.upstart: handle race
    condition when loading AppArmor profiles for interfaces (LP: #689892).
    Patch by Kees Cook.
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 12:48:52 -0600

Changed in ifupdown (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in ifupdown (Ubuntu Maverick):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.