| 2015-02-25 05:49:44 |
Pavel Malyshev |
bug |
|
|
added bug |
| 2015-02-25 05:49:44 |
Pavel Malyshev |
attachment added |
|
/var/log/syslog since boot https://bugs.launchpad.net/bugs/1425398/+attachment/4326921/+files/syslog-since-boot |
|
| 2015-02-25 06:16:55 |
Pavel Malyshev |
summary |
Apparmor uses rsyslogd profile for different processes |
Apparmor uses rsyslogd profile for different processes - utopic HWE |
|
| 2015-02-25 06:20:06 |
Pavel Malyshev |
bug task added |
|
linux-lts-utopic (Ubuntu) |
|
| 2015-03-04 22:27:06 |
John Johansen |
bug task added |
|
linux (Ubuntu) |
|
| 2015-03-04 22:29:13 |
John Johansen |
nominated for series |
|
Ubuntu Trusty |
|
| 2015-03-04 22:29:13 |
John Johansen |
bug task added |
|
apparmor (Ubuntu Trusty) |
|
| 2015-03-04 22:29:13 |
John Johansen |
bug task added |
|
linux (Ubuntu Trusty) |
|
| 2015-03-04 22:29:13 |
John Johansen |
bug task added |
|
linux-lts-utopic (Ubuntu Trusty) |
|
| 2015-03-04 22:29:32 |
John Johansen |
linux-lts-utopic (Ubuntu): status |
New |
Invalid |
|
| 2015-03-04 22:29:41 |
John Johansen |
linux-lts-utopic (Ubuntu Trusty): status |
New |
Invalid |
|
| 2015-03-04 22:29:51 |
John Johansen |
linux (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
| 2015-03-04 22:29:56 |
John Johansen |
linux (Ubuntu Trusty): assignee |
|
John Johansen (jjohansen) |
|
| 2015-03-04 22:30:09 |
Brad Figg |
linux (Ubuntu): status |
New |
Incomplete |
|
| 2015-03-04 22:30:12 |
Brad Figg |
linux (Ubuntu Trusty): status |
New |
Incomplete |
|
| 2015-03-04 22:30:14 |
Brad Figg |
tags |
|
trusty |
|
| 2015-03-04 22:56:48 |
Seth Arnold |
linux (Ubuntu Trusty): status |
Incomplete |
Confirmed |
|
| 2015-03-04 22:56:52 |
Seth Arnold |
linux (Ubuntu): status |
Incomplete |
Confirmed |
|
| 2015-03-17 13:09:15 |
Simon Déziel |
bug |
|
|
added subscriber Simon Déziel |
| 2015-03-17 13:09:17 |
Launchpad Janitor |
apparmor (Ubuntu): status |
New |
Confirmed |
|
| 2015-03-17 13:09:17 |
Launchpad Janitor |
apparmor (Ubuntu Trusty): status |
New |
Confirmed |
|
| 2015-04-07 22:53:27 |
Steve Beattie |
bug task added |
|
rsyslog (Ubuntu) |
|
| 2015-04-07 22:55:06 |
Steve Beattie |
apparmor (Ubuntu): status |
Confirmed |
Invalid |
|
| 2015-04-07 22:55:09 |
Steve Beattie |
apparmor (Ubuntu Trusty): status |
Confirmed |
Invalid |
|
| 2015-04-07 22:55:14 |
Steve Beattie |
rsyslog (Ubuntu): status |
New |
Triaged |
|
| 2015-04-07 22:55:18 |
Steve Beattie |
rsyslog (Ubuntu Trusty): status |
New |
Triaged |
|
| 2015-04-07 22:55:23 |
Steve Beattie |
rsyslog (Ubuntu): status |
Triaged |
Fix Released |
|
| 2015-04-07 22:55:58 |
Steve Beattie |
rsyslog (Ubuntu Trusty): assignee |
|
Steve Beattie (sbeattie) |
|
| 2015-04-25 06:38:05 |
Steve Beattie |
attachment added |
|
rsyslog_7.4.4-1ubuntu2.6.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1425398/+attachment/4383669/+files/rsyslog_7.4.4-1ubuntu2.6.debdiff |
|
| 2015-04-25 08:22:24 |
Ubuntu Foundations Team Bug Bot |
tags |
trusty |
patch trusty |
|
| 2015-04-25 08:22:25 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Joseph Salisbury |
| 2015-04-27 23:52:25 |
John Johansen |
attachment added |
|
foo.diff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1425398/+attachment/4386136/+files/foo.diff |
|
| 2015-04-28 19:35:33 |
Steve Beattie |
apparmor (Ubuntu Trusty): status |
Invalid |
In Progress |
|
| 2015-04-28 19:35:43 |
Steve Beattie |
apparmor (Ubuntu Trusty): importance |
Undecided |
Medium |
|
| 2015-04-28 19:35:46 |
Steve Beattie |
apparmor (Ubuntu Trusty): assignee |
|
Steve Beattie (sbeattie) |
|
| 2015-05-01 20:55:33 |
Thomas Mayer |
bug |
|
|
added subscriber Thomas Mayer |
| 2015-05-05 23:20:14 |
Steve Beattie |
description |
Hi.
I've noticed that apparmor loads /usr/sbin/rsyslogd profile for completely unrelated processes:
Feb 25 08:36:19 emma kernel: [ 134.796218] audit: type=1400 audit(1424842579.429:245): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4002 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:36:23 emma kernel: [ 139.330989] audit: type=1400 audit(1424842583.965:246): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4080 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:35:42 emma kernel: [ 97.912402] audit: type=1400 audit(1424842542.565:241): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=2436 comm="whoopsie" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
Feb 25 08:34:43 emma kernel: [ 38.867998] audit: type=1400 audit(1424842483.546:226): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=3762 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I'm not sure how apparmor decides which profile to use for which task, but is shouldn't load '/usr/sbin/rsyslogd' profile for sshd/ntpd/etc.
I'm running:
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# dpkg -l | grep apparmor
ii apparmor 2.8.95~2430-0ubuntu5.1 amd64 User-space parser utility for AppArmor
ii apparmor-profiles 2.8.95~2430-0ubuntu5.1 all Profiles for AppArmor Security policies
ii apparmor-utils 2.8.95~2430-0ubuntu5.1 amd64 Utilities for controlling AppArmor
ii libapparmor-perl 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Perl bindings
ii libapparmor1:amd64 2.8.95~2430-0ubuntu5.1 amd64 changehat AppArmor library
ii python3-apparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor Python3 utility library
ii python3-libapparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Python3 bindings
# uname -a
Linux emma 3.16.0-31-generic #41~14.04.1-Ubuntu SMP Wed Feb 11 19:30:13 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux |
[rsyslog impact]
This bug prevents rsyslog from receiving all events from other services on trusty when the utopic-hwe (and newer) kernels are used. The rsyslog SRU adds an additional permission (read access to /dev/log) to the rsyslog apparmor policy to allow this to work.
[rsyslog test case]
(1) Ensure the rsyslog apparmor policy is set to enforce; it should show up listed in the "XX profiles are in enforce mode." section reported by "sudo aa-status" (if it's disabled, do "sudo aa-enforce rsyslogd").
(2) Install the utopic or newer hwe enablement stack reboot into the kernel. Using the logger(1) utility should generate log messages (e.g. "logger foo") that are recorded in syslog; with this bug, they will be blocked (grep DENIED /var/log/syslog).
[rsyslog regression potential]
The only change to rsyslog in the SRU is a slight loosening of the rsyslog apparmor policy. The risk of an introduced regression is small.
[rsyslog addition info]
The qa-regression-testing script is useful for verifying that rsyslog is still functioning properly (http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/view/head:/scripts/test-rsyslog.py)
[Original description]
I've noticed that apparmor loads /usr/sbin/rsyslogd profile for completely unrelated processes:
Feb 25 08:36:19 emma kernel: [ 134.796218] audit: type=1400 audit(1424842579.429:245): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4002 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:36:23 emma kernel: [ 139.330989] audit: type=1400 audit(1424842583.965:246): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4080 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:35:42 emma kernel: [ 97.912402] audit: type=1400 audit(1424842542.565:241): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=2436 comm="whoopsie" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
Feb 25 08:34:43 emma kernel: [ 38.867998] audit: type=1400 audit(1424842483.546:226): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=3762 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I'm not sure how apparmor decides which profile to use for which task, but is shouldn't load '/usr/sbin/rsyslogd' profile for sshd/ntpd/etc.
I'm running:
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# dpkg -l | grep apparmor
ii apparmor 2.8.95~2430-0ubuntu5.1 amd64 User-space parser utility for AppArmor
ii apparmor-profiles 2.8.95~2430-0ubuntu5.1 all Profiles for AppArmor Security policies
ii apparmor-utils 2.8.95~2430-0ubuntu5.1 amd64 Utilities for controlling AppArmor
ii libapparmor-perl 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Perl bindings
ii libapparmor1:amd64 2.8.95~2430-0ubuntu5.1 amd64 changehat AppArmor library
ii python3-apparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor Python3 utility library
ii python3-libapparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Python3 bindings
# uname -a
Linux emma 3.16.0-31-generic #41~14.04.1-Ubuntu SMP Wed Feb 11 19:30:13 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux |
|
| 2015-05-06 11:54:33 |
Marc Deslauriers |
rsyslog (Ubuntu Trusty): status |
Triaged |
In Progress |
|
| 2015-05-06 11:54:40 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2015-05-06 20:54:03 |
Chris J Arges |
rsyslog (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
| 2015-05-06 20:54:10 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
| 2015-05-06 20:54:15 |
Chris J Arges |
tags |
patch trusty |
patch trusty verification-needed |
|
| 2015-05-07 11:26:56 |
Simon Déziel |
tags |
patch trusty verification-needed |
patch trusty verification-done |
|
| 2015-05-14 20:01:05 |
Launchpad Janitor |
rsyslog (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
| 2015-05-14 20:01:11 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2015-05-18 15:22:57 |
Steve Beattie |
attachment added |
|
tests-workaround_for_unix_socket_change-lp1425398.patch https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1425398/+attachment/4399542/+files/tests-workaround_for_unix_socket_change-lp1425398.patch |
|
| 2015-05-18 15:24:27 |
Steve Beattie |
description |
[rsyslog impact]
This bug prevents rsyslog from receiving all events from other services on trusty when the utopic-hwe (and newer) kernels are used. The rsyslog SRU adds an additional permission (read access to /dev/log) to the rsyslog apparmor policy to allow this to work.
[rsyslog test case]
(1) Ensure the rsyslog apparmor policy is set to enforce; it should show up listed in the "XX profiles are in enforce mode." section reported by "sudo aa-status" (if it's disabled, do "sudo aa-enforce rsyslogd").
(2) Install the utopic or newer hwe enablement stack reboot into the kernel. Using the logger(1) utility should generate log messages (e.g. "logger foo") that are recorded in syslog; with this bug, they will be blocked (grep DENIED /var/log/syslog).
[rsyslog regression potential]
The only change to rsyslog in the SRU is a slight loosening of the rsyslog apparmor policy. The risk of an introduced regression is small.
[rsyslog addition info]
The qa-regression-testing script is useful for verifying that rsyslog is still functioning properly (http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/view/head:/scripts/test-rsyslog.py)
[Original description]
I've noticed that apparmor loads /usr/sbin/rsyslogd profile for completely unrelated processes:
Feb 25 08:36:19 emma kernel: [ 134.796218] audit: type=1400 audit(1424842579.429:245): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4002 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:36:23 emma kernel: [ 139.330989] audit: type=1400 audit(1424842583.965:246): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4080 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:35:42 emma kernel: [ 97.912402] audit: type=1400 audit(1424842542.565:241): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=2436 comm="whoopsie" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
Feb 25 08:34:43 emma kernel: [ 38.867998] audit: type=1400 audit(1424842483.546:226): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=3762 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I'm not sure how apparmor decides which profile to use for which task, but is shouldn't load '/usr/sbin/rsyslogd' profile for sshd/ntpd/etc.
I'm running:
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# dpkg -l | grep apparmor
ii apparmor 2.8.95~2430-0ubuntu5.1 amd64 User-space parser utility for AppArmor
ii apparmor-profiles 2.8.95~2430-0ubuntu5.1 all Profiles for AppArmor Security policies
ii apparmor-utils 2.8.95~2430-0ubuntu5.1 amd64 Utilities for controlling AppArmor
ii libapparmor-perl 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Perl bindings
ii libapparmor1:amd64 2.8.95~2430-0ubuntu5.1 amd64 changehat AppArmor library
ii python3-apparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor Python3 utility library
ii python3-libapparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Python3 bindings
# uname -a
Linux emma 3.16.0-31-generic #41~14.04.1-Ubuntu SMP Wed Feb 11 19:30:13 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux |
[apparmor impact]
This bug generates false positives when using the apparmor regression
tests on the HWE kernels (utopic and newer), which means the kernel team
needs to examine test output to ensure that addiitional failures didn't
occur when testing new kernels.
[apparmor test case]
1) install hwe kernel libapparmor-dev libdbus-1-dev attr
2) apt-get source apparmor
3) cd apparmor-2.8.95~2430/tests/regression/apparmor/
4) make USE_SYSTEM=1
5) sudo bash unix_socket_file.sh
If the bug has not been addressed, this test script will fail with the
following messages:
Error: unix_socket_file failed. Test 'socket file (dgram); confined server / access (w)' was expected to 'pass'. Reason for failure 'FAIL CLIENT - connect: Permission denied
FAIL - poll timed out'
Error: unix_socket_file failed. Test 'socket file (dgram); confined client w/ access (rw)' was expected to 'pass'. Reason for failure 'FAIL CLIENT - connect: Permission denied
FAIL - poll timed out'
and a return code of 2 (echo $?). If it has been fixed it should return
silently, with a return code of 0.
[apparmor regression potential]
The patch for this bug only affects the test suite for apparmor, which
is a loosening of the policy used in the specific failing testcases.
There should be no effect on the apparmor implementation proper from
this fix.
[apparmor additional info]
This testsuite is run as part of the test-apparmor.py test script
from lp:qa-regression-testing, and used as part of the kernel update
process, but is useful for ensuring that apparmor is functioning
properly.
[Original description]
I've noticed that apparmor loads /usr/sbin/rsyslogd profile for completely unrelated processes:
Feb 25 08:36:19 emma kernel: [ 134.796218] audit: type=1400 audit(1424842579.429:245): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4002 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:36:23 emma kernel: [ 139.330989] audit: type=1400 audit(1424842583.965:246): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=4080 comm="sudo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 25 08:35:42 emma kernel: [ 97.912402] audit: type=1400 audit(1424842542.565:241): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=2436 comm="whoopsie" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
Feb 25 08:34:43 emma kernel: [ 38.867998] audit: type=1400 audit(1424842483.546:226): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/rsyslogd" name="/dev/log" pid=3762 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I'm not sure how apparmor decides which profile to use for which task, but is shouldn't load '/usr/sbin/rsyslogd' profile for sshd/ntpd/etc.
I'm running:
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# dpkg -l | grep apparmor
ii apparmor 2.8.95~2430-0ubuntu5.1 amd64 User-space parser utility for AppArmor
ii apparmor-profiles 2.8.95~2430-0ubuntu5.1 all Profiles for AppArmor Security policies
ii apparmor-utils 2.8.95~2430-0ubuntu5.1 amd64 Utilities for controlling AppArmor
ii libapparmor-perl 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Perl bindings
ii libapparmor1:amd64 2.8.95~2430-0ubuntu5.1 amd64 changehat AppArmor library
ii python3-apparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor Python3 utility library
ii python3-libapparmor 2.8.95~2430-0ubuntu5.1 amd64 AppArmor library Python3 bindings
# uname -a
Linux emma 3.16.0-31-generic #41~14.04.1-Ubuntu SMP Wed Feb 11 19:30:13 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux |
|
| 2015-05-18 15:24:33 |
Steve Beattie |
apparmor (Ubuntu): status |
Invalid |
Fix Released |
|
| 2015-05-24 17:34:18 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/apparmor |
|
| 2015-05-26 05:05:28 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/rsyslog |
|
| 2015-06-15 16:44:24 |
Launchpad Janitor |
apparmor (Ubuntu Trusty): status |
In Progress |
Fix Released |
|
