DNS resolving doesn't work in complain mode with dnsmasq and apparmor

Bug #1703520 reported by Bjoern O.
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

After I profiled firefox, chromium-browser and dnsmasq with sudo aa-autodep (complain mode was used), I cannot resolve websites. (The log is in the attachment.)

I copied the profiles of the three programs above into /etc/apparmor.d/disable, and after a reboot I can resolve websites.
The network manager can connect to my router the whole time.

I have Ubuntu 16.04.02 LTS with all updates. (11.07.2017 CEST)

Bjoern O. (mister3x) wrote :
Bjoern O. (mister3x)
description: updated
Seth Arnold (seth-arnold) wrote :

Did you by chance change anything related to dnsmasq's startup? This looks like dnsmasq is now starting in a private filesystem namespace without access to the dbus sockets. It's possible to adapt the AppArmor profile for this (by adding the attach_disconnected flag to the profile) but the downside is that AppArmor will then attach all paths not in the namespace to / which might allow e.g. a chroot etc/shadow to also allow access to non-chroot /etc/shadow.

Thanks

Bjoern O. (mister3x) wrote :

Hello Seth Arnold,

I haven't changed anything in dnsmasq.

I only created a profile and set the profile to complain mode.

Normally in complain mode AppArmor shouldn't block anything. AppArmor should only log. Why should AppArmor influence the behaviour of dnsmasq in complain mode?

Bjoern O. (mister3x) wrote :

P.S. In the log file I can see that AppArmor has allowed the connection. I don't know why dnsmasq doesn't work with AppArmor in complain mode. But AppArmor has allowed the connection. Why did this influence dnsmasq?

John Johansen (jjohansen) wrote :

@Bjoern, can you set a couple of AppArmor flags and report back what is reported in the logs?

Specifically, as root, can you do

echo -n "noquiet" > /sys/module/apparmor/parameters/audit
echo 1 > /sys/module/apparmor/parameters/debug
echo 0 > /proc/sys/kernel/printk_ratelimit

and then restart dnsmasq
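
A small checker, added here as an example and not code from this thread, that scans AppArmor audit lines such as the steps above produce and flags disconnected-path name-lookup failures, the condition Seth describes and the one the attach_disconnected flag addresses. The log lines are constructed samples, not the bug's attachment; the field layout follows the kernel's AppArmor audit format.

```python
import re

# Constructed sample audit lines (not the attachment from this bug).
# Line 2 is the disconnected-path case: the decision is ALLOWED (complain
# mode), yet the kernel reports a failed name lookup and the name has no
# leading "/" because it lies outside the profile's attached namespace.
SAMPLE_LOG = """\
audit: type=1400 audit(1499772800.101:42): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dnsmasq" name="/etc/hosts" pid=1234 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
audit: type=1400 audit(1499772800.102:43): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dnsmasq" name="run/dbus/system_bus_socket" pid=1234 comm="dnsmasq" requested_mask="wr" denied_mask="wr" fsuid=65534 ouid=0
audit: type=1400 audit(1499772800.103:44): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/etc/shadow" pid=2345 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}


def is_disconnected_path(fields):
    """True when the kernel could not resolve the object's name because it
    is outside the profile's attached namespace. This is reported via the
    info field, not the apparmor="DENIED" decision, so a filter on DENIED
    alone misses it (the reporter saw ALLOWED in complain mode)."""
    return fields.get("info", "").startswith("Failed name lookup - disconnected path")


def find_disconnected(log_text):
    """Return (profile, name, decision) for each disconnected-path entry."""
    hits = []
    for line in log_text.splitlines():
        if "apparmor=" not in line:
            continue
        fields = parse_line(line)
        if is_disconnected_path(fields):
            hits.append((fields.get("profile"), fields.get("name"), fields.get("apparmor")))
    return hits


if __name__ == "__main__":
    for profile, name, decision in find_disconnected(SAMPLE_LOG):
        print(f"{decision}: profile {profile} could not attach name {name!r}; "
              f"consider the attach_disconnected profile flag")
```

Running it on real output from /var/log/audit/audit.log or dmesg works the same way; only entries carrying the disconnected-path info field are reported, whatever their ALLOWED/DENIED decision.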

Christian Boltz (cboltz) wrote :

For the record:

revno: 3437
fixes bug: https://launchpad.net/bugs/1569316
committer: Tyler Hicks <email address hidden>
branch nick: apparmor
timestamp: Tue 2016-04-12 16:36:43 -0500
message:
  profiles: Add attach_disconnected flag to dnsmasq profile

  https://launchpad.net/bugs/1569316

  When Ubuntu made the jump from network-manager 1.0.4 to 1.1.93, the
  dnsmasq process spawned from network-manager started hitting a
  disconnected path denial:

;-)

Note: I don't know if Ubuntu ships this profile from upstream bzr or has its own one. Or maybe 16.04 is just a bit too old for this change.

Tyler Hicks (tyhicks) wrote :

The attach_disconnected flag was added to the dnsmasq profile just before 16.04 was released:

  https://launchpad.net/ubuntu/+source/apparmor/2.10.95-0ubuntu2

Tyler Hicks (tyhicks) wrote :

Closing this bug based on my last comment.

Changed in apparmor (Ubuntu):
status: New → Fix Released