dnsmasq profile prevents LXD container to launch

Bug #1566944 reported by Franck on 2016-04-06
This bug affects 1 person
Affects: apparmor (Ubuntu)
Assigned to: Tyler Hicks

Bug Description

LXD 2.0 has dropped lxcbr0 for lxdbr0 as its default bridge configuration.
Since then, having the usr.sbin.dnsmasq profile in enforce mode prevents LXD containers from launching:

Apr 6 12:55:06 franck-ThinkPad-T430s kernel: [ 7029.101587] audit: type=1400 audit(1459940106.552:107): apparmor="DENIED" operation="mknod" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd-bridge/dnsmasq.lxdbr0.leases" pid=22292 comm="dnsmasq" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Apr 6 12:55:06 franck-ThinkPad-T430s lxd-bridge.start[22255]: dnsmasq: ne peut ouvrir ou créer le fichiers de baux /var/lib/lxd-bridge//dnsmasq.lxdbr0.leases : Permission non accordée

Of course, switching to complain mode works around the problem, but maybe allowing writes to /var/lib/lxd-bridge/ would be a good idea (disclaimer: I'm not a security expert).

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apparmor-profiles 2.10-3ubuntu2
ProcVersionSignature: Ubuntu 4.4.0-17.33-generic 4.4.6
Uname: Linux 4.4.0-17-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Apr 6 17:34:12 2016
InstallationDate: Installed on 2015-10-04 (185 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151002)
PackageArchitecture: all
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.4.0-17-generic.efi.signed root=/dev/mapper/ubuntu--vg-root ro noprompt persistent kaslr threadirqs quiet splash vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apparmor.d.bin.ping: [modified]
modified.conffile..etc.apparmor.d.sbin.klogd: [modified]
modified.conffile..etc.apparmor.d.sbin.syslog.ng: [modified]
modified.conffile..etc.apparmor.d.sbin.syslogd: [modified]
modified.conffile..etc.apparmor.d.usr.bin.chromium.browser: [modified]
modified.conffile..etc.apparmor.d.usr.sbin.avahi.daemon: [modified]
modified.conffile..etc.apparmor.d.usr.sbin.dnsmasq: [modified]
modified.conffile..etc.apparmor.d.usr.sbin.dovecot: [modified]
modified.conffile..etc.apparmor.d.usr.sbin.identd: [modified]
modified.conffile..etc.apparmor.d.usr.sbin.mdnsd: [modified]
modified.conffile..etc.apparmor.d.usr.sbin.nmbd: [modified]
modified.conffile..etc.apparmor.d.usr.sbin.nscd: [modified]
modified.conffile..etc.apparmor.d.usr.sbin.smbd: [modified]
modified.conffile..etc.apparmor.d.usr.sbin.smbldap.useradd: [modified]
mtime.conffile..etc.apparmor.d.bin.ping: 2015-10-05T12:02:58.049761
mtime.conffile..etc.apparmor.d.sbin.klogd: 2015-10-05T12:04:03.854535
mtime.conffile..etc.apparmor.d.sbin.syslog.ng: 2015-10-05T12:03:21.918041
mtime.conffile..etc.apparmor.d.sbin.syslogd: 2015-10-05T12:03:15.705968
mtime.conffile..etc.apparmor.d.usr.bin.chromium.browser: 2015-10-05T12:02:05.273141
mtime.conffile..etc.apparmor.d.usr.sbin.avahi.daemon: 2015-10-05T11:59:18.903198
mtime.conffile..etc.apparmor.d.usr.sbin.dnsmasq: 2016-04-06T17:25:47.252257
mtime.conffile..etc.apparmor.d.usr.sbin.dovecot: 2015-10-05T12:00:55.356323
mtime.conffile..etc.apparmor.d.usr.sbin.identd: 2015-10-05T12:01:02.204403
mtime.conffile..etc.apparmor.d.usr.sbin.mdnsd: 2015-10-05T12:02:37.861523
mtime.conffile..etc.apparmor.d.usr.sbin.nmbd: 2015-10-05T12:00:10.119794
mtime.conffile..etc.apparmor.d.usr.sbin.nscd: 2015-10-05T12:00:17.355879
mtime.conffile..etc.apparmor.d.usr.sbin.smbd: 2015-10-05T12:00:26.103981
mtime.conffile..etc.apparmor.d.usr.sbin.smbldap.useradd: 2015-10-05T12:00:35.504091
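
As an added illustration (not part of Franck's report or of the apparmor project's code), the following Python turns the audit DENIED record quoted above into the candidate file rule an administrator would review before adding it to a local profile override. The mask-to-permission mapping follows AppArmor's file-rule syntax; the `owner` option and the helper names are assumptions made for this example.

```python
import re

# Audit records are space-separated key=value fields; values may be double-quoted.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Audit mask letters -> AppArmor file-rule permissions. In profile syntax 'w'
# already covers create ('c') and delete ('d'); the other letters map 1:1.
_MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                 "l": "l", "k": "k", "m": "m", "x": "x"}

# The denial from the report above (kernel log line, as quoted in the bug).
SAMPLE_DENIAL = ('Apr 6 12:55:06 franck-ThinkPad-T430s kernel: [ 7029.101587] audit: '
                 'type=1400 audit(1459940106.552:107): apparmor="DENIED" '
                 'operation="mknod" profile="/usr/sbin/dnsmasq" '
                 'name="/var/lib/lxd-bridge/dnsmasq.lxdbr0.leases" pid=22292 '
                 'comm="dnsmasq" requested_mask="c" denied_mask="c" fsuid=0 ouid=0')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: raw.strip('"') for key, raw in _FIELD.findall(line)}


def suggest_rule(fields, owner=False):
    """Build the narrowest file rule ('path perms,') that satisfies one denial.
    owner=True emits an 'owner' rule (matches only when fsuid == file owner uid)."""
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    perms = "".join(sorted({_MASK_TO_PERM[m] for m in mask if m in _MASK_TO_PERM}))
    if not perms:
        raise ValueError("no file permission bits in mask %r" % mask)
    if owner:
        if fields.get("fsuid") != fields.get("ouid"):
            raise ValueError("fsuid != ouid, an owner rule would not match")
        return "owner {} {},".format(fields["name"], perms)
    return "{} {},".format(fields["name"], perms)


def rules_for_log(lines, owner=False):
    """Collect deduplicated candidate rules, keyed by profile, from a batch of log lines."""
    out = {}
    for line in lines:
        fields = parse_denial(line)
        if fields and "name" in fields:
            out.setdefault(fields["profile"], set()).add(suggest_rule(fields, owner))
    return out
```

A rule produced this way is a starting point for review, not a drop-in: for the lease file above the reviewer would normally decide whether to generalise the bridge name and whether the directory itself needs a read rule.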

Franck (alci) wrote :

In the initial bug report against LXD, S. Graber suggests that maybe "The apparmor dnsmasq profile should only apply to the system wide daemon (/etc/init.d/dnsmasq) and not to other daemons".

Not sure what to think about it...

Christian Boltz (cboltz) on 2016-04-06
summary: - dnsmasq profile prevents LDX container to launch
+ dnsmasq profile prevents LXD container to launch
Christian Boltz (cboltz) wrote :

Fix committed to upstream bzr trunk r3435 (Simon, thanks for submitting it!)

Changed in apparmor:
status: New → Fix Committed
milestone: none → 2.11
Tyler Hicks (tyhicks) on 2016-04-12
Changed in apparmor (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Tyler Hicks (tyhicks)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.10.95-0ubuntu2

apparmor (2.10.95-0ubuntu2) xenial; urgency=medium

  * debian/patches/r3435-allow-dnsmasq-access-to-lxd-bridge.patch: Grant
    access to the new default bridge configuration in LXD 2.0.0 (LP: #1566944)
  * debian/patches/r3437-add-attach-disconnected-to-dnsmasq.patch: Add the
    attach_disconnected flag to the dnsmasq profile in order to prevent a
    disconnected path denial triggered by the latest network-manager upload
    (LP: #1569316)
  * debian/lib/apparmor/functions: Reference the new path used for snapd
    AppArmor profiles to fix a bug which left those profiles unloaded after
    booting (LP: #1569573)

 -- Tyler Hicks <email address hidden> Tue, 12 Apr 2016 16:59:46 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Christian Boltz (cboltz) on 2017-01-10
Changed in apparmor:
status: Fix Committed → Fix Released