In 16.10, LXD won't work with enforced dnsmasq profile

Bug #1634199 reported by Franck on 2016-10-17
This bug affects 1 person
Affects: apparmor (Ubuntu)

Bug Description

After upgrading to 16.10, LXD networking stopped working due to the enforced dnsmasq profile.

audit: type=1400 audit(1476709813.572:4291): apparmor="DENIED" operation="truncate" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.leases" pid=13540 comm="dnsmasq" requested_mask="w" denied_mask="w" fsuid=0 ouid=0


Christian Boltz (cboltz) wrote :

Sounds like the path changed.

You'll need to add the following rule to /etc/apparmor.d/usr.sbin.dnsmasq (or to the local/ include):
  /var/lib/lxd/networks/lxdbr*/dnsmasq.leases rw,

BTW: Do you know if lxd supports different network interface types that don't match the lxdbr* name pattern? If yes, we'll need to add a more permissive rule.

tags: added: aa-policy
Stéphane Graber (stgraber) wrote :

The interface name is decided by the user in LXD 2.3 or higher, so it can be any valid interface name.

Stéphane Graber (stgraber) wrote :

/var/lib/lxd/networks/*/dnsmasq.leases rw,

should work fine

Christian Boltz (cboltz) wrote :

Thanks for the feedback!

I just submitted the patch for review upstream.

Franck (alci) wrote :

I'm afraid it won't be enough...:

audit: type=1400 audit(1476780672.803:99): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.hosts" pid=5165 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Christian Boltz (cboltz) wrote :

dnsmasq.leases added in trunk r3573 (before noticing comment #5 ;-)

comment #5 means you'll need to add
    /var/lib/lxd/networks/*/dnsmasq.hosts r,

After adding this (and reloading the profile), do you see more DENIED messages?

Franck (alci) wrote :

Another message:

audit: type=1400 audit(1476791887.152:118): apparmor="DENIED" operation="mknod" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/" pid=5480 comm="dnsmasq" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Christian Boltz (cboltz) wrote :

"c" means to create a file, so you'll need write permissions. Judging by other rules in the profile, you'll also need read permissions. To sum it up:
  /var/lib/lxd/networks/*/ rw,

Anything else after adding this?

Stéphane Graber (stgraber) wrote :

Yes, so basically we have:
 - (create + read/write by dnsmasq)
 - dnsmasq.raw (read by dnsmasq)
 - dnsmasq.hosts (read by dnsmasq)
 - dnsmasq.leases (create + read/write by dnsmasq)

I'd be tempted to just go with:

/var/lib/lxd/networks/*/ rw,
/var/lib/lxd/networks/*/dnsmasq.leases rw,
/var/lib/lxd/networks/*/dnsmasq.* r,

That should make things a bit more future proof should we add any more dnsmasq related files in there.
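The thread above derives profile rules by hand from the audit lines: read the denied path and mask, translate the kernel's "c" (create) into a profile "w", and, because the network name is user-chosen, replace lxdbr0 with a glob. The following is an added example of that procedure in Python; it is not code from the AppArmor project or from this bug report. The three sample audit lines are constructed copies of the ones quoted in the thread, the LXD_NETWORK_RE glob assumption follows stgraber's comment that the interface name can be anything, and the MASK_TO_PERM table is limited to the file-permission letters relevant here.

```python
import re
from collections import defaultdict

# Constructed sample input: the three DENIED events quoted in this bug thread.
SAMPLE_AUDIT_LINES = [
    'audit: type=1400 audit(1476709813.572:4291): apparmor="DENIED" operation="truncate" '
    'profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.leases" '
    'pid=13540 comm="dnsmasq" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'audit: type=1400 audit(1476780672.803:99): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.hosts" '
    'pid=5165 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1476791887.152:118): apparmor="DENIED" operation="mknod" '
    'profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/" '
    'pid=5480 comm="dnsmasq" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
]

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Parse one audit line into a dict of fields; None unless it is an AppArmor DENIED event."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields


# Kernel denied_mask letters -> profile permission letters.  The kernel reports
# file creation as 'c', but the profile language grants creation through 'w'
# on the path, as cboltz notes in the thread.  (Exec modes are out of scope here.)
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "a": "a", "k": "k", "m": "m", "l": "l"}
PERM_ORDER = "rwaklm"


def mask_to_perms(mask):
    return {MASK_TO_PERM[ch] for ch in mask if ch in MASK_TO_PERM}


# Assumption from stgraber's comment: the per-network directory name is chosen by
# the user, so the lxdbr0 component is collapsed to '*' instead of being hard-coded.
LXD_NETWORK_RE = re.compile(r"^(/var/lib/lxd/networks/)[^/]+(/.*)$")


def generalize_path(path):
    return LXD_NETWORK_RE.sub(r"\1*\2", path)


def suggest_rules(lines, profile="/usr/sbin/dnsmasq"):
    """Aggregate DENIED events for `profile` into the minimal file rules the log justifies."""
    needed = defaultdict(set)
    for line in lines:
        ev = parse_denial(line)
        if ev is None or ev.get("profile") != profile:
            continue
        needed[generalize_path(ev["name"])] |= mask_to_perms(ev.get("denied_mask", ""))
    rules = []
    for path in sorted(needed):
        perms = "".join(p for p in PERM_ORDER if p in needed[path])
        rules.append(f"{path} {perms},")
    return rules


def local_override(rules):
    """Render rules as the body of a local/ include such as /etc/apparmor.d/local/usr.sbin.dnsmasq."""
    return "".join(f"  {r}\n" for r in rules)


if __name__ == "__main__":
    print(local_override(suggest_rules(SAMPLE_AUDIT_LINES)), end="")
```

Run against the three quoted events, the script emits only what the log proves is needed (w on the directory and the leases file, r on dnsmasq.hosts). The final rules in the thread deliberately widen that to rw on the directory and leases file and to dnsmasq.* r so that new dnsmasq files do not reopen the bug; that widening is a judgment call, not something the log can produce. After adding rules to the local/ include, reload the profile with apparmor_parser -r /etc/apparmor.d/usr.sbin.dnsmasq and watch for further DENIED lines, as the thread does.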

Christian Boltz (cboltz) wrote :

dnsmasq.* indeed sounds like a good idea, and shouldn't cause any harm.

I've sent another patch to the mailing list for review.

Christian Boltz (cboltz) wrote :

Patch committed to bzr trunk r3574. AppArmor 2.11 will include it.

Changed in apparmor:
status: New → Fix Committed
milestone: none → 2.11
Christian Boltz (cboltz) on 2017-01-10
Changed in apparmor:
status: Fix Committed → Fix Released