apparmor blocks libnss-resolve socket

Bug #2051506 reported by Gunnar
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apparmor (Ubuntu) | Confirmed | Undecided | Unassigned | |

Bug Description

Usage of `libnss-resolve` socket is blocked by apparmor.

Evidence:
- Install `libnss-resolve`
- Set /etc/nsswitch.conf to have `hosts: files resolve`
- Try resolving anything, it fails

`strace` of affected process reveals:
`connect(5, {sa_family=AF_UNIX, sun_path="/run/systemd/resolve/io.systemd.Resolve"}, 42) = -1 EACCES (Permission denied)`

Run `aa-disable` on affected profile and `strace` it again, it works:
`connect(5, {sa_family=AF_UNIX, sun_path="/run/systemd/resolve/io.systemd.Resolve"}, 42) = 0`

Note that using `aa-complain` DOES NOT work.

P.S. Has this ever worked?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed

Gunnar (gunnargu) wrote:

I forgot to add: the apparmor log contains this as the error, for example when using `ping`:
`apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="ping" name="run/systemd/resolve/io.systemd.Resolve" pid=2450 comm="ping" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=102`
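
The record above is logged as `ALLOWED` yet carries `error=-13`, which matches the report that `aa-complain` does not help. The following is an added example, not part of the original report or of AppArmor's tooling: a small parser that picks such records out of a log. The function names and the second and third sample lines are constructed for illustration.

```python
import errno
import re

# key=value or key="quoted value" pairs, as in AppArmor audit records
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Split one AppArmor audit record into a dict of its fields."""
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}

def failed_despite_complain(lines):
    """Return records logged as ALLOWED whose operation still failed (error < 0)."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        try:
            err = int(rec.get("error", "0"))
        except ValueError:
            continue
        if rec.get("apparmor") != "ALLOWED" or err >= 0:
            continue  # plain complain-mode log entry, or an enforced denial
        name = rec.get("name", "")
        findings.append({
            "profile": rec.get("profile"),
            "operation": rec.get("operation"),
            "name": name,
            "errno": errno.errorcode.get(-err, str(err)),
            "disconnected": "disconnected path" in rec.get("info", ""),
            # the record quoted in this report has no leading "/" in name
            "relative_name": bool(name) and not name.startswith("/"),
        })
    return findings

SAMPLE = [
    # record quoted in the bug report
    'apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="ping" name="run/systemd/resolve/io.systemd.Resolve" pid=2450 comm="ping" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=102',
    # constructed: ordinary complain-mode entry, operation succeeded
    'apparmor="ALLOWED" operation="open" profile="ping" name="/etc/example.conf" pid=2451 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # constructed: enforced denial
    'apparmor="DENIED" operation="open" profile="ping" name="/etc/example.key" pid=2452 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for finding in failed_despite_complain(SAMPLE):
        print(finding)
```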

Georgia Garcia (georgiag) wrote :

Hi Gunnar,
Could you share which AppArmor version you are running, and which kernel version?

Thanks

Gunnar (gunnargu) wrote:

I'm using Ubuntu and am affected on 22.04.

apparmor package version 3.0.4-2ubuntu2.3

Kernel version: 6.5.0-14-generic
