[SRU] race condition bringing up interfaces with AppArmor

Bug #689892 reported by Kees Cook on 2010-12-13
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ifupdown (Ubuntu) | | Undecided | Kees Cook |
Lucid | | Undecided | Jamie Strandboge |
Maverick | | Undecided | Jamie Strandboge |
Natty | | Undecided | Kees Cook |

Bug Description

Binary package hint: ifupdown

Due to a missing upstart feature (bug 568860), /etc/init/network-interface-security.conf's use of "start on (starting ... or starting ...)" does not block each of the listed jobs. It is possible, for example, for this to happen:

network-manager starting
network-interface-security starting
networking starting
networking runs and finishes, bringing up eth0, running dhclient3
network-interface-security runs and brings up dhclient3 profile
...

i.e. since network-manager caused network-interface-security to start, network-interface-security isn't involved and doesn't have to wait for it. To reduce the race, we can add "instance $JOB" to n-i-s, and add a stamp file to avoid it running multiple times (though it doesn't hurt to run multiple times, profile loading (and cache generation) is atomic).

Kees Cook (kees) wrote :

You can trigger this race by adding "sleep 60" to the start of /etc/init.d/apparmor and adding "sleep 20" to the pre-start script in /etc/init/network-interface-security.conf. The result after boot will be seeing dhclient3 running but not enforced in "sudo aa-status".
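
A scripted form of the check described in the comment above, as an added example that is not part of the original report or of the ifupdown package. It assumes the profile is named after the executable path (`/sbin/dhclient3` is an assumed path), that `/proc/PID/attr/current` carries the AppArmor label, and that the loaded-profile list has the "name (mode)" format of `/sys/kernel/security/apparmor/profiles`; all paths are parameters so it can be run against a constructed tree.

```sh
#!/bin/sh
# Added example: find processes that started before their AppArmor profile
# was loaded, which is the outcome of the race described in this bug.

# profile_loaded PROFILES_FILE PROFILE_NAME
# PROFILES_FILE holds one "name (mode)" entry per line.
profile_loaded() {
    grep -q -F -x -e "$2 (enforce)" -e "$2 (complain)" "$1"
}

# unconfined_pids PROC_ROOT BINARY
# Prints the PID of every process whose executable is BINARY but whose
# AppArmor label (attr/current) is "unconfined".
unconfined_pids() {
    for dir in "$1"/[0-9]*; do
        [ -r "$dir/attr/current" ] || continue
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        [ "$exe" = "$2" ] || continue
        read -r label < "$dir/attr/current" || true
        [ "$label" = "unconfined" ] && echo "${dir##*/}"
    done
    return 0
}

# check_race PROC_ROOT PROFILES_FILE BINARY
# Returns 0 when every BINARY process is confined, 1 when the profile is
# loaded but at least one BINARY process runs unconfined (it was started
# before the profile load), and 2 when the profile is not loaded at all.
check_race() {
    profile_loaded "$2" "$3" || { echo "profile $3 not loaded" >&2; return 2; }
    pids=$(unconfined_pids "$1" "$3")
    if [ -z "$pids" ]; then
        return 0
    fi
    echo "profile loaded, but unconfined $3 pids:" $pids >&2
    return 1
}
```

On a live system this would be called as root, for example `check_race /proc /sys/kernel/security/apparmor/profiles /sbin/dhclient3`. A return value of 1 after boot corresponds to the "running but not enforced" state seen in `aa-status`.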

Changed in ifupdown (Ubuntu Lucid):
status: New → Confirmed
Changed in ifupdown (Ubuntu Maverick):
status: New → Confirmed
Changed in ifupdown (Ubuntu Natty):
status: New → Confirmed
Kees Cook (kees) wrote :
tags: added: patch
Kees Cook (kees) on 2010-12-13
Changed in ifupdown (Ubuntu Natty):
assignee: nobody → Kees Cook (kees)
summary: - race condition bringing up interfaces with AppArmor
+ [SRU] race condition bringing up interfaces with AppArmor
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ifupdown - 0.6.10ubuntu4

---------------
ifupdown (0.6.10ubuntu4) natty; urgency=low

  * debian/ifupdown.network-interface{,-security}.upstart: handle race
    condition when loading AppArmor profiles for interfaces (LP: #689892).
 -- Kees Cook <email address hidden> Mon, 13 Dec 2010 13:53:12 -0800

Changed in ifupdown (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in ifupdown (Ubuntu Lucid):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ifupdown (Ubuntu Maverick):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ifupdown (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in ifupdown (Ubuntu Maverick):
status: Confirmed → Fix Committed
tags: added: apparmor
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ifupdown - 0.6.10ubuntu3.1

---------------
ifupdown (0.6.10ubuntu3.1) maverick-security; urgency=low

  * debian/ifupdown.network-interface{,-security}.upstart: handle race
    condition when loading AppArmor profiles for interfaces (LP: #689892).
    Patch by Kees Cook.
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 12:40:01 -0600

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ifupdown - 0.6.8ubuntu29.2

---------------
ifupdown (0.6.8ubuntu29.2) lucid-security; urgency=low

  * debian/ifupdown.network-interface{,-security}.upstart: handle race
    condition when loading AppArmor profiles for interfaces (LP: #689892).
    Patch by Kees Cook.
 -- Jamie Strandboge <email address hidden> Tue, 04 Jan 2011 12:48:52 -0600

Changed in ifupdown (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in ifupdown (Ubuntu Maverick):
status: Fix Committed → Fix Released