dnsmasq profile incomplete for lxc usage

Bug #1403468 reported by James Westby on 2014-12-17
This bug affects 1 person
Affects: AppArmor (Importance: Undecided; Assigned to: Unassigned)
Affects: apparmor (Ubuntu) (Importance: Undecided; Assigned to: Unassigned)
Nominated for Trusty by Steve Beattie

Bug Description

[impact]

This bug prevents the proper functioning of dnsmasq under lxc.

[steps to reproduce]

1) install lxc
2) start container, do dns lookups within it
3) with the fix applied, dnsmasq in the host os should not generate
apparmor rejections in syslog

[regression potential]

The change in the patch for this bug is a slight loosening of the
apparmor policy for dnsmasq. The risk of an introduced regression
is small.

[original description]

Hi,

I am using the dnsmasq profile with lxc, and I am getting DENIED messages like:

Dec 16 22:26:58 superstar kernel: [226445.568383] type=1400 audit(1418768818.310:865): apparmor="DENIED" operation="truncate" profile="/usr/sbin/dnsmasq" name="/var/lib/misc/dnsmasq.lxcbr0.leases" pid=1472 comm="dnsmasq" requested_mask="w" denied_mask="w" fsuid=118 ouid=0

Adding rw for that path obviously makes it go away, and seems like a reasonable change.

Thanks,

James

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: apparmor-profiles 2.8.95~2430-0ubuntu5.1
ProcVersionSignature: Ubuntu 3.13.0-43.72-generic 3.13.11.11
Uname: Linux 3.13.0-43-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Dec 17 11:27:18 2014
PackageArchitecture: all
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.13.0-43-generic root=/dev/mapper/hostname--vg-root ro quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:

UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apparmor.d.usr.sbin.avahi.daemon: [modified]
mtime.conffile..etc.apparmor.d.usr.sbin.avahi.daemon: 2014-12-16T20:38:31.370339
mtime.conffile..etc.apparmor.d.usr.sbin.dnsmasq: 2014-12-17T11:21:47.159017

James Westby (james-w) wrote :
Christian Boltz (cboltz) on 2015-03-29
tags: added: aa-policy
Simon Déziel (sdeziel) wrote :

Once you get past that error, the dnsmasq process spawned by lxc-net will need to write its PID to /run/lxc/dnsmasq.pid so this also needs to be added to the policy.
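
Added example (not part of the bug report and not the AppArmor project's own tooling): the denial quoted in the description, plus the PID-file write mentioned in the comment above, can be turned into candidate profile rules by reading the `profile`, `name` and `denied_mask` fields of each audit line. The second log line, the function names, and the folding of the `c`/`d` mask letters into `w` are assumptions made for this example.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the bug description. Line 2 is constructed
# for this example to stand in for the PID-file write described above.
SAMPLE_LOG = '''\
Dec 16 22:26:58 superstar kernel: [226445.568383] type=1400 audit(1418768818.310:865): apparmor="DENIED" operation="truncate" profile="/usr/sbin/dnsmasq" name="/var/lib/misc/dnsmasq.lxcbr0.leases" pid=1472 comm="dnsmasq" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
Dec 16 22:27:03 superstar kernel: [226450.101010] type=1400 audit(1418768823.000:866): apparmor="DENIED" operation="mknod" profile="/usr/sbin/dnsmasq" name="/run/lxc/dnsmasq.pid" pid=1472 comm="dnsmasq" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: kernel mask letters c (create) and d (delete) are granted by
# "w" in profile syntax, so they are folded into it here.
MASK_TO_PERM = {"c": "w", "d": "w"}
PERM_ORDER = "rwaklmx"


def parse_denials(log_text):
    """Yield (profile, path, denied_mask) for each AppArmor file denial."""
    for line in log_text.splitlines():
        f = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
             for m in FIELD.finditer(line)}
        if f.get("apparmor") == "DENIED" and {"profile", "name", "denied_mask"} <= f.keys():
            yield f["profile"], f["name"], f["denied_mask"]


def suggest_rules(log_text):
    """Return {profile: [rule, ...]} granting only the masks that were denied."""
    perms = defaultdict(lambda: defaultdict(set))
    for profile, path, mask in parse_denials(log_text):
        for letter in mask:
            perms[profile][path].add(MASK_TO_PERM.get(letter, letter))
    rules = {}
    for profile, paths in perms.items():
        rules[profile] = []
        for path in sorted(paths):
            granted = paths[path]
            if "w" in granted:
                granted.discard("a")  # w already covers append
            order = "".join(p for p in PERM_ORDER if p in granted)
            rules[profile].append(f"{path} {order},")
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate additions for profile {profile}")
        print("\n".join("  " + rule for rule in lines))
```

The output lists only what the kernel actually denied, so each candidate rule should be reviewed before it is added to the profile, and the log re-checked afterwards for denials that were masked by the first one.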

Steve Beattie (sbeattie) on 2015-03-31
Changed in apparmor:
milestone: none → 2.9.2
Christian Boltz (cboltz) wrote :

Fixed in bzr trunk r2974 and 2.9 branch r2881.

Changed in apparmor:
status: New → Fix Committed
Steve Beattie (sbeattie) on 2015-04-24
Changed in apparmor:
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) wrote :

This will be addressed in wily by apparmor 2.9.2-0ubuntu1. Attached is a patch for trusty.

description: updated
Changed in apparmor (Ubuntu):
status: New → In Progress
description: updated
description: updated

The attachment "dnsmasq-lxc_networking-lp1403468.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Steve Beattie (sbeattie) wrote :

I've reproduced the issue with the dnsmasq profile from apparmor-profiles 2.8.95~2430-0ubuntu5.1 in trusty-updates, and can confirm that the version of the dnsmasq profile in apparmor-profiles 2.8.95~2430-0ubuntu5.2 in trusty-proposed fixes the issue. Marking verification-done.

tags: added: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.2

---------------
apparmor (2.8.95~2430-0ubuntu5.2) trusty-proposed; urgency=medium

  * debian/patches/php5-Zend_semaphore-lp1401084.patch: allow php5
    abstraction access to Zend opcache files (LP: #1401084)
  * debian/patches/dnsmasq-lxc_networking-lp1403468.patch: update
    profile for lxc support (LP: #1403468)
  * debian/patches/profiles-texlive_font_generation-lp1010909.patch:
    allow generation of texlive fonts by sanitized-helpers
    (LP: #1010909)
  * debian/apport/source_apparmor.py: fix the apparmor apport hook
    so it does not raise an exception if a non-unicode character is
    found in /var/log/kern.log or in /var/log/syslog. This should
    work under python3 or python2.7 (LP: #1304447)
  * debian/patches/profiles-dovecot-updates-lp1296667.patch: update
    dovecot profiles to address several missing permissions.
    (LP: #1296667)
  * debian/patches/profiles-adjust_X_for_lightdm-lp1339727.patch:
    adjust X abstraction for LightDM xauthority location (LP: #1339727)
  * debian/patches/libapparmor-fix_memory_leaks-lp1340927.patch; fix
    memory leaks in log parsing component of libapparmor (LP: #1340927)
  * debian/patches/libapparmor-another_audit_format-lp1399027.patch:
    add support for another log format style (LP: #1399027)
  * debian/patches/tests-workaround_for_unix_socket_change-lp1425398.patch:
    work around apparmor kernel behavioral change in regression tests
    (LP: #1425398)
  * debian/control: add breaks on python3-apparmor against older
    apparmor-utils that used to be where python bits lived
    (LP: #1373259)
  * debian/patches/utils-update_to_2.9.2.patch: update the python
    utilities to the upstream 2.9.2 (LP: #1449769, incorporating a
    large number of fixes and improvements, including:
    - fix aa-genprof traceback with apparmor 2.8.95 (LP: #1294797)
    - fix aa-genprof crashing when selecting scan on Ubuntu 14.04 server
      (LP: #1319829)
    - make aa-logprof read profile instead of program binary
      (LP: #1317176, LP: #1324154)
    - aa-complain: don't traceback when marking multiple profiles
      (LP: #1378095)
    - make python tools able to parse mounts with UTF-8 non-ascii
      characters (LP: #1310598)

 -- Steve Beattie <email address hidden> Thu, 30 Apr 2015 12:18:08 -0700

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
