Activity log for bug #1703821

Date Who What changed Old value New value Message
2017-07-12 11:52:53 Matyáš Koc bug added bug
2017-07-12 11:54:18 Matyáš Koc affects apparmor apparmor (Ubuntu)
2017-07-12 11:54:35 Matyáš Koc bug task added dovecot (Ubuntu)
2017-07-12 18:25:53 Seth Arnold bug task added apparmor
2019-12-17 19:30:47 Jamie Strandboge dovecot (Ubuntu): status New Invalid
2019-12-17 19:32:29 Jamie Strandboge apparmor (Ubuntu): status New Incomplete
2019-12-17 19:32:31 Jamie Strandboge apparmor: status New Incomplete
2020-02-16 04:17:39 Launchpad Janitor apparmor: status Incomplete Expired
2020-02-16 04:17:41 Launchpad Janitor apparmor (Ubuntu): status Incomplete Expired
2020-02-16 13:54:16 Christian Boltz apparmor: status Expired Fix Released
2020-02-17 08:19:22 Christian Ehrhardt  dovecot (Ubuntu): status Invalid Fix Released
2020-02-17 08:19:27 Christian Ehrhardt  nominated for series Ubuntu Bionic
2020-02-17 08:19:27 Christian Ehrhardt  bug task added dovecot (Ubuntu Bionic)
2020-02-17 08:19:27 Christian Ehrhardt  bug task added apparmor (Ubuntu Bionic)
2020-02-17 08:19:33 Christian Ehrhardt  dovecot (Ubuntu Bionic): status New Triaged
2020-02-17 08:19:35 Christian Ehrhardt  dovecot (Ubuntu Bionic): importance Undecided Low
2020-02-17 08:19:48 Christian Ehrhardt  bug added subscriber Ubuntu Server
2022-03-23 16:02:49 Bryce Harrington tags apparmor dovecot apparmor bitesize dovecot
2022-07-28 02:44:35 Bryce Harrington dovecot (Ubuntu Bionic): status Triaged Fix Released
2022-07-29 20:50:26 Georgia Garcia bug added subscriber Georgia Garcia
2022-08-01 17:05:43 Georgia Garcia description My server is running Ubuntu 17.04 and Dovecot 2.2.27 (c0f36b0). Apparmor is still complaining about problems with file_inherit. I have put the profiles in complain-only mode, so I can continue, but still, it's a problem. Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot" Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil" My configuration of Dovecot has changed slightly: /etc/dovecot/dovecot-sql.conf.ext driver = mysql connect = host=localhost dbname=mail user=mail password=mailpassword default_pass_scheme = MD5-CRYPT password_query = ... user_query = ... /etc/dovecot/conf.d/10-auth.conf disable_plaintext_auth = yes auth_mechanisms = plain login #!include auth-system.conf.ext !include auth-sql.conf.ext /etc/dovecot/conf.d/10-mail.conf mail_location = maildir:/var/vmail/%d/%n mail_uid = vmail mail_gid = mail first_valid_uid = 150 last_valid_uid = 150 /etc/dovecot/conf.d/10-ssl.conf ssl = required ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key ssl_dh_parameters_length = 4096 ssl_protocols = ... ssl_cipher_list = ... ssl_prefer_server_ciphers = yes /etc/dovecot/conf.d/10-master.conf service auth { unix_listener auth-userdb { mode = 0666 user = vmail group = mail } unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix } } /etc/dovecot/conf.d/15-lda.conf postmaster_address = ... Apparmor usr.sbin.dovecot profile: #include <tunables/global> /usr/sbin/dovecot flags=(complain,attach_disconnected) { #include <abstractions/authentication> #include <abstractions/base> #include <abstractions/dovecot-common> #include <abstractions/mysql> #include <abstractions/nameservice> #include <abstractions/ssl_certs> #include <abstractions/ssl_keys> capability chown, capability dac_override, capability fsetid, capability kill, capability net_bind_service, capability setuid, capability sys_chroot, capability sys_resource, /etc/dovecot/** r, /etc/mtab r, /etc/lsb-release r, /etc/SuSE-release r, @{PROC}/@{pid}/mounts r, /usr/bin/doveconf rix, /usr/lib/dovecot/anvil Px, /usr/lib/dovecot/auth Px, /usr/lib/dovecot/config Px, /usr/lib/dovecot/dict Px, /usr/lib/dovecot/dovecot-auth Pxmr, /usr/lib/dovecot/imap Pxmr, /usr/lib/dovecot/imap-login Pxmr, /usr/lib/dovecot/lmtp Px, /usr/lib/dovecot/log Px, /usr/lib/dovecot/managesieve Px, /usr/lib/dovecot/managesieve-login Pxmr, /usr/lib/dovecot/pop3 Px, /usr/lib/dovecot/pop3-login Pxmr, /usr/lib/dovecot/ssl-build-param rix, /usr/lib/dovecot/ssl-params Px, /usr/sbin/dovecot mrix, /usr/share/dovecot/protocols.d/ r, /usr/share/dovecot/protocols.d/** r, /var/lib/dovecot/ w, /var/lib/dovecot/* rwkl, /var/spool/postfix/private/auth w, /var/spool/postfix/private/dovecot-lmtp w, /{,var/}run/dovecot/ rw, /{,var/}run/dovecot/** rw, link /{,var/}run/dovecot/** -> /var/lib/dovecot/**, # Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.dovecot> } Profile usr.lib.dovecot.anvil: #include <tunables/global> /usr/lib/dovecot/anvil flags=(complain) { #include <abstractions/base> #include <abstractions/dovecot-common> capability setuid, capability sys_chroot, /usr/lib/dovecot/anvil mr, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.dovecot.anvil> } [Impact] Users report that while running dovecot there are some issues reported by AppArmor, specifically regarding "file_inherit" operations: Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot" Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil" This is likely caused by an anonymous socket communication channel between dovecot and anvil. A fix in the dovecot AppArmor policy was already merged upstream in commit 1ce8cd21, which is being backported in this SRU. There was a change upstream that renamed the dovecot profile, so it was necessary to make a small change on the backport to reference the correct profile name. [Test Plan] The bug can be reproduced by setting up a multi-purpose VM according to the README file on QRT, and then running the QRT dovecot tests. [Where problems could occur] This update broadens the dovecot policy, so it won't to cause any issues regarding a behavior that was previously allowed and it is now denied. In addition, the dovecot policy is already in complain mode in bionic.
2022-08-01 17:09:25 Georgia Garcia attachment added apparmor_2.12-4ubuntu5.2.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1703821/+attachment/5606306/+files/apparmor_2.12-4ubuntu5.2.debdiff
2022-08-02 12:09:52 Georgia Garcia bug added subscriber Ubuntu Stable Release Updates Team
2022-08-02 12:21:44 Georgia Garcia description [Impact] Users report that while running dovecot there are some issues reported by AppArmor, specifically regarding "file_inherit" operations: Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot" Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil" This is likely caused by an anonymous socket communication channel between dovecot and anvil. A fix in the dovecot AppArmor policy was already merged upstream in commit 1ce8cd21, which is being backported in this SRU. There was a change upstream that renamed the dovecot profile, so it was necessary to make a small change on the backport to reference the correct profile name. [Test Plan] The bug can be reproduced by setting up a multi-purpose VM according to the README file on QRT, and then running the QRT dovecot tests. [Where problems could occur] This update broadens the dovecot policy, so it won't to cause any issues regarding a behavior that was previously allowed and it is now denied. In addition, the dovecot policy is already in complain mode in bionic. [Impact] Users report that while running dovecot there are some issues reported by AppArmor, specifically regarding "file_inherit" operations: Jul 12 13:31:19 myserver kernel: [ 3905.672577] audit: type=1400 audit(1499859079.016:363): apparmor="ALLOWED" operation="file_inherit" profile="/usr/lib/dovecot/anvil" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/dovecot" Jul 12 13:31:19 myserver kernel: [ 3905.672578] audit: type=1400 audit(1499859079.016:364): apparmor="ALLOWED" operation="file_inherit" profile="/usr/sbin/dovecot" pid=3766 comm="anvil" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/lib/dovecot/anvil" This is likely caused by an anonymous socket communication channel between dovecot and anvil. A fix in the dovecot AppArmor policy was already merged upstream in commit 1ce8cd21, which is being backported in this SRU. There was a change upstream that renamed the dovecot profile, so it was necessary to make a small change on the backport to reference the correct profile name. [Test Plan] Clone the qa-regression-testing repo https://git.launchpad.net/qa-regression-testing Setup the machine according to the instructions in the README.multipurpose-vm - specifically the Email section. Run the dovecot tests from the qa-regression-testing repo: python3 ./script test-dovecot.py After running the tests, check dmesg for no DENIED messages: dmesg | grep DENIED [Where problems could occur] This update broadens the dovecot policy, so it won't to cause any issues regarding a behavior that was previously allowed and it is now denied. In addition, the dovecot policy is already in complain mode in bionic.
2022-08-03 16:47:35 Robie Basak apparmor (Ubuntu Bionic): status New Incomplete
2022-08-03 16:49:39 Robie Basak bug added subscriber Robie Basak
2022-08-04 21:28:03 Steve Beattie apparmor (Ubuntu): status Expired Fix Released
2022-08-10 12:06:41 Robie Basak apparmor (Ubuntu Bionic): status Incomplete Won't Fix