dnsmasq runs unconfined due to starting before apparmor on boot

Bug #1466103 reported by Craig on 2015-06-17
This bug affects 1 person
Affects: dnsmasq (Ubuntu)
Importance: Critical
Assigned to: Unassigned

Bug Description

Description and behavior are identical to Bug #573315. However, the solution to that bug was to make a change to /etc/apparmor.d/usr.sbin.libvirtd. There is no longer an apparmor profile /etc/apparmor.d/usr.sbin.libvirtd.

Craig (craig-st) on 2015-06-17
affects: libvirt (Ubuntu) → dnsmasq (Ubuntu)
Craig (craig-st) wrote :

Additional info: Only happens intermittently.

Changed in dnsmasq (Ubuntu):
importance: Undecided → Critical
Serge Hallyn (serge-hallyn) wrote :

Did you install a profile yourself for dnsmasq? Could you show the result of

  sudo aa-status

? By default dnsmasq ships without a profile, but since you say "it happens intermittently" I assume you do have a custom profile...

Please also show the result of:

lsb_release -r
ls -l /sbin/init

Changed in dnsmasq (Ubuntu):
status: New → Incomplete
Craig (craig-st) wrote :

The dnsmasq apparmor profile comes from package apparmor-profiles. My installed version is apparmor-profiles 2.8.95~2430-0ubuntu5.1. It recently updated (June 16). I have only rebooted my machine three times since, and saw the "unconfined" only once. I will continue to watch to see if it occurs again.

$> lsb_release -r
Release: 14.04

$> ls -l /sbin/init
-rwxr-xr-x 1 root root 265848 Jul 18 2014 /sbin/init

aa-status is uploaded as attachment

Changed in dnsmasq (Ubuntu):
status: Incomplete → Triaged
Serge Hallyn (serge-hallyn) wrote :

Thanks. Can you show a list of the running dnsmasqs? Which dnsmasq starts unconfined? Is it the one started by network-manager, or by a custom script, or something else?

I think adding "stopped apparmor" to the 'start on' conditions of the job which starts dnsmasq should suffice to fix the problem for you.

Seth Arnold (seth-arnold) wrote :

I don't think "stopped apparmor" is going to do it -- the generic apparmor profiles are loaded via a sysv-init compatibility script.

I think the job file that starts this dnsmasq instance needs to use "apparmor load" before starting the process:

http://upstart.ubuntu.com/cookbook/#apparmor-load

I hope this helps

Craig (craig-st) wrote :

My currently running dnsmasq (which is confined the way it should be) was started by NetworkManager:

$> ps axjf
 PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
    1 1873 1873 1873 ? -1 Ssl 0 0:00 NetworkManager
 1873 2047 2047 1873 ? -1 S 65534 0:00 \_ /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.1.1 --conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
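
Added example (not code from the bug report, the apparmor-profiles package or NetworkManager): a POSIX shell script that answers the question above of which dnsmasq instance runs unconfined and which process started it, and that can be re-run after each boot to confirm that the "apparmor load" change suggested for the upstart job took effect. It reads the per-process AppArmor label from /proc/<pid>/attr/current and the parent from /proc/<pid>/stat; the function names and the exit-status convention (0 all confined, 1 one or more unconfined, 2 no dnsmasq running) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report: list every running dnsmasq with its
# AppArmor confinement and the process that started it, so an unconfined instance
# can be traced to a particular upstart job or script. Run as root so that
# /proc/<pid>/attr/current is readable for processes owned by other users.

# classify_attr: map the contents of /proc/<pid>/attr/current to one word.
# AppArmor writes either "unconfined" or "<profile> (<mode>)", for example
# "/usr/sbin/dnsmasq (enforce)". An empty value (file unreadable or AppArmor
# not enabled) is reported as "unknown" rather than assumed to be unconfined.
classify_attr() {
    case "$1" in
        "")            echo unknown ;;
        unconfined)    echo unconfined ;;
        *"(enforce)")  echo enforce ;;
        *"(complain)") echo complain ;;
        *"(kill)")     echo kill ;;
        *)             echo unknown ;;
    esac
}

# parent_comm: command name of the parent of process $1 (e.g. NetworkManager,
# init), taken from /proc/<pid>/stat. The "pid (comm) " prefix is stripped first
# because comm may itself contain spaces; the parent pid is then field 2.
parent_comm() {
    ppid=$(sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | awk '{print $2}')
    [ -n "$ppid" ] || return 1
    tr -d '\n' < "/proc/$ppid/comm" 2>/dev/null
}

# check_dnsmasq: one line per dnsmasq process (pid, mode, raw label, parent).
# Exit status: 0 all instances confined, 1 at least one unconfined, 2 none running.
check_dnsmasq() {
    found=0
    bad=0
    for d in /proc/[0-9]*; do
        comm=$(tr -d '\n' < "$d/comm" 2>/dev/null) || continue
        [ "$comm" = dnsmasq ] || continue
        found=1
        pid=${d#/proc/}
        attr=$(tr -d '\n' < "$d/attr/current" 2>/dev/null)
        mode=$(classify_attr "$attr")
        printf 'pid=%s\tmode=%s\tlabel=%s\tparent=%s\n' \
            "$pid" "$mode" "${attr:-?}" "$(parent_comm "$pid" || echo '?')"
        [ "$mode" = unconfined ] && bad=1
    done
    [ "$found" -eq 1 ] || return 2
    return "$bad"
}

# When run as a script, report and translate the exit status for a human reader.
check_dnsmasq
case $? in
    0) echo "OK: every dnsmasq is confined" ;;
    1) echo "WARNING: an unconfined dnsmasq is running (see parent= column)" ;;
    2) echo "no dnsmasq process found" ;;
esac
```

Run it with sudo right after boot, when the race described in this report would show: an instance whose line reads mode=unconfined with parent=NetworkManager points at the network-manager job, while one whose parent is init or a shell points at a custom script, which is the distinction asked for above. The label column is the raw AppArmor string, so the output can be compared directly with the aa-status listing.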
