2012-10-16 18:40:11 |
Jamie Strandboge |
bug |
|
|
added bug |
2012-10-16 18:40:30 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Quantal |
|
2012-10-16 18:40:30 |
Jamie Strandboge |
bug task added |
|
isc-dhcp (Ubuntu Quantal) |
|
2012-10-16 18:40:30 |
Jamie Strandboge |
nominated for series |
|
Ubuntu R-series |
|
2012-10-16 18:40:30 |
Jamie Strandboge |
bug task added |
|
isc-dhcp (Ubuntu R-series) |
|
2012-10-16 18:44:21 |
Jamie Strandboge |
tags |
apparmor |
apparmor regression-release |
|
2012-10-16 19:03:15 |
Jamie Strandboge |
isc-dhcp (Ubuntu R-series): importance |
Undecided |
High |
|
2012-10-16 19:05:51 |
Jamie Strandboge |
description |
I was doing install audits of 12.10 and noticed this with 'sudo aa-status':
1 processes are unconfined but have a profile defined.
/sbin/dhclient (<pid removed>)
This is a regression over 12.04 and needs to be fixed in an SRU. I don't know what introduced the regression, but it is very likely a race condition. I saw it on 12.10 server but not on 12.10 desktop. It seems to be at least somewhat reproducible (rebooting once showed it is still affected) with an amd64 VM with 1024M of RAM with installation defaults (except home directory is encrypted) and the following tasks installed:
Basic Ubuntu server
OpenSSH server
DNS server
LAMP server
Mail server
PostgreSQL database
Print server
Samba file server
Tomcat Java server
Virtual Machine host |
I was doing install audits of 12.10 and noticed this with 'sudo aa-status':
1 processes are unconfined but have a profile defined.
/sbin/dhclient (<pid removed>)
This is a regression over 12.04 and needs to be fixed in an SRU. I don't know what introduced the regression, but it is very likely a race condition. I saw it on 12.10 server but not on 12.10 desktop. It seems to be at least somewhat reproducible (rebooting once showed it is still affected) with an amd64 VM with 1024M of RAM with installation defaults (except home directory is encrypted) and the following tasks installed:
Basic Ubuntu server
OpenSSH server
DNS server
LAMP server
Mail server
PostgreSQL database
Print server
Samba file server
Tomcat Java server
Virtual Machine host
Upon investigation this is because /etc/init/network-interface-security.conf is looking for files in /etc/apparmor/init/network-interface-security/*. Unfortunately, the quantal merge dropped this:
diff -Naur ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links
--- ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links 2012-10-16 13:48:13.000000000 -0500
+++ ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links 1969-12-31 18:00:00.000000000 -0600
@@ -1,3 +0,0 @@
-sbin/dhclient sbin/dhclient3
-usr/share/man/man8/dhclient.8.gz usr/share/man/man8/dhclient3.8.gz
-etc/apparmor.d/sbin.dhclient etc/apparmor/init/network-interface-security/sbin.dhclient |
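Review bot: the third removed line is the one that matters here, and it should not have gone with the other two. Deleting the whole isc-dhcp-client.links file drops `etc/apparmor.d/sbin.dhclient etc/apparmor/init/network-interface-security/sbin.dhclient` along with the dhclient3 compatibility links, and the description above notes that /etc/init/network-interface-security.conf only loads profiles it finds under /etc/apparmor/init/network-interface-security/*. Without that symlink the dhclient profile is not loaded before the interface comes up, which is exactly the "unconfined but have a profile defined" state in the aa-status output. If the dhclient3 links were intentionally retired, keep the file with just the AppArmor line rather than removing it; the `1969-12-31` timestamp on the `+++` header confirms the file is entirely absent from the quantal packaging.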
|
2012-10-16 19:06:26 |
Jamie Strandboge |
isc-dhcp (Ubuntu R-series): assignee |
|
Stéphane Graber (stgraber) |
|
2012-10-16 19:06:38 |
Jamie Strandboge |
isc-dhcp (Ubuntu Quantal): assignee |
|
Stéphane Graber (stgraber) |
|
2012-10-16 19:06:43 |
Jamie Strandboge |
isc-dhcp (Ubuntu Quantal): status |
New |
Triaged |
|
2012-10-16 19:06:46 |
Jamie Strandboge |
isc-dhcp (Ubuntu R-series): status |
New |
Triaged |
|
2012-10-16 19:10:09 |
Jamie Strandboge |
summary |
[quantal] dhclient sometimes runs unconfined |
[quantal] isc-dhcp-client dropped network-interface-security symlink and therefore may run unconfined |
|
2012-10-16 19:39:35 |
Stéphane Graber |
isc-dhcp (Ubuntu Quantal): status |
Triaged |
In Progress |
|
2012-10-16 19:39:36 |
Stéphane Graber |
isc-dhcp (Ubuntu R-series): status |
Triaged |
In Progress |
|
2012-10-18 17:32:01 |
Jamie Strandboge |
description |
I was doing install audits of 12.10 and noticed this with 'sudo aa-status':
1 processes are unconfined but have a profile defined.
/sbin/dhclient (<pid removed>)
This is a regression over 12.04 and needs to be fixed in an SRU. I don't know what introduced the regression, but it is very likely a race condition. I saw it on 12.10 server but not on 12.10 desktop. It seems to be at least somewhat reproducible (rebooting once showed it is still affected) with an amd64 VM with 1024M of RAM with installation defaults (except home directory is encrypted) and the following tasks installed:
Basic Ubuntu server
OpenSSH server
DNS server
LAMP server
Mail server
PostgreSQL database
Print server
Samba file server
Tomcat Java server
Virtual Machine host
Upon investigation this is because /etc/init/network-interface-security.conf is looking for files in /etc/apparmor/init/network-interface-security/*. Unfortunately, the quantal merge dropped this:
diff -Naur ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links
--- ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links 2012-10-16 13:48:13.000000000 -0500
+++ ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links 1969-12-31 18:00:00.000000000 -0600
@@ -1,3 +0,0 @@
-sbin/dhclient sbin/dhclient3
-usr/share/man/man8/dhclient.8.gz usr/share/man/man8/dhclient3.8.gz
-etc/apparmor.d/sbin.dhclient etc/apparmor/init/network-interface-security/sbin.dhclient |
[IMPACT]
* dhclient is a root-run process and successfully exploiting a flaw in dhclient could
have severe consequences for the user's system
[TESTCASE]
* On an Ubuntu server system using dhcp for an interface:
1. sudo aa-status # bug not fixed
...
1 processes are unconfined but have a profile defined.
/sbin/dhclient (<pid>)
2. install the updates
3. reboot
4. sudo aa-status # bug fixed
...
5 processes are in enforce mode.
/sbin/dhclient (<pid>)
...
0 processes are unconfined but have a profile defined.
[Regression Potential]
* Regression potential is low. The AppArmor profile for dhclient has been in use for
years and is still in effect on the default Ubuntu desktop because of when network
manager runs (the profile is loaded before the interface is brought up). Therefore
there should be no surprise denials.
= Initial report =
I was doing install audits of 12.10 and noticed this with 'sudo aa-status':
1 processes are unconfined but have a profile defined.
/sbin/dhclient (<pid removed>)
This is a regression over 12.04 and needs to be fixed in an SRU. I don't know what introduced the regression, but it is very likely a race condition. I saw it on 12.10 server but not on 12.10 desktop. It seems to be at least somewhat reproducible (rebooting once showed it is still affected) with an amd64 VM with 1024M of RAM with installation defaults (except home directory is encrypted) and the following tasks installed:
Basic Ubuntu server
OpenSSH server
DNS server
LAMP server
Mail server
PostgreSQL database
Print server
Samba file server
Tomcat Java server
Virtual Machine host
Upon investigation this is because /etc/init/network-interface-security.conf is looking for files in /etc/apparmor/init/network-interface-security/*. Unfortunately, the quantal merge dropped this:
diff -Naur ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links
--- ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links 2012-10-16 13:48:13.000000000 -0500
+++ ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links 1969-12-31 18:00:00.000000000 -0600
@@ -1,3 +0,0 @@
-sbin/dhclient sbin/dhclient3
-usr/share/man/man8/dhclient.8.gz usr/share/man/man8/dhclient3.8.gz
-etc/apparmor.d/sbin.dhclient etc/apparmor/init/network-interface-security/sbin.dhclient |
|
2012-10-20 06:02:54 |
Steve Langasek |
isc-dhcp (Ubuntu Quantal): status |
In Progress |
Fix Committed |
|
2012-10-20 06:02:57 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2012-10-20 06:03:03 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2012-10-20 06:03:11 |
Steve Langasek |
tags |
apparmor regression-release |
apparmor regression-release verification-needed |
|
2012-10-22 13:26:47 |
Jamie Strandboge |
tags |
apparmor regression-release verification-needed |
apparmor regression-release verification-done |
|
2012-10-24 16:44:34 |
Adam Conrad |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2012-10-24 16:45:17 |
Launchpad Janitor |
isc-dhcp (Ubuntu Quantal): status |
Fix Committed |
Fix Released |
|
2012-10-29 04:13:14 |
Launchpad Janitor |
isc-dhcp (Ubuntu Raring): status |
In Progress |
Fix Released |
|
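The two checks this bug calls for, written as an added example rather than code from the bug report, the isc-dhcp package or Ubuntu: one parses aa-status output for processes that run unconfined while a profile for them exists (the condition the [TESTCASE] section greps for by eye), and the other verifies that a profile is actually linked into /etc/apparmor/init/network-interface-security/ so the upstart job can load it before the interface is configured. The aa-status text and the scratch directory tree are constructed inline so the script runs offline; the function names, the sample PIDs and the scratch layout are assumptions, and the relative symlink target mirrors what the dropped isc-dhcp-client.links line would have produced.

```shell
#!/bin/sh
# Added example, not code from the bug or the package. Two checks for the
# "profile defined but process unconfined" failure mode described in the report.

# Sample aa-status output, constructed to mirror the lines quoted in the bug
# (a real run lists more profiles; PIDs here are made up).
SAMPLE_BROKEN='apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/named
4 processes have profiles defined.
4 processes are in enforce mode.
   /usr/sbin/named (1001)
1 processes are unconfined but have a profile defined.
   /sbin/dhclient (1234)'

SAMPLE_FIXED='5 processes are in enforce mode.
   /sbin/dhclient (1234)
0 processes are unconfined but have a profile defined.
   '

# Read aa-status text on stdin; print "<path> <pid>" for each process listed
# under "... unconfined but have a profile defined." Nothing printed means clean.
unconfined_with_profile() {
    awk '
        /processes are unconfined but have a profile defined/ { inblock = 1; next }
        /^[ \t]*[0-9]+ processes/                              { inblock = 0 }
        inblock && /^[ \t]*\// {
            pid = $2
            gsub(/[()]/, "", pid)
            print $1, pid
        }
    '
}

# Return 0 if profile $1 is a symlink in the network-interface-security dir ($3)
# that resolves to the real profile under the apparmor.d dir ($2).
nis_link_ok() {
    profile=$1; apparmor_d=$2; init_dir=$3
    link="$init_dir/$profile"
    [ -L "$link" ] || return 1
    # -ef follows the link and compares inode identity, so both relative and
    # absolute link targets are accepted as long as they reach the profile.
    [ "$link" -ef "$apparmor_d/$profile" ]
}

# Reproduce the quantal state in a scratch tree (profile shipped, link missing),
# then add the link the dropped .links line used to create and re-check.
# Returns 0 only if the missing link is detected AND the restored link passes.
demo_link_check() {
    scratch=$(mktemp -d) || return 1
    apparmor_d="$scratch/etc/apparmor.d"
    init_dir="$scratch/etc/apparmor/init/network-interface-security"
    mkdir -p "$apparmor_d" "$init_dir"
    printf '# stand-in for the real sbin.dhclient profile\n' > "$apparmor_d/sbin.dhclient"

    if nis_link_ok sbin.dhclient "$apparmor_d" "$init_dir"; then
        rm -rf "$scratch"
        return 1        # should have failed: no link yet
    fi

    # Equivalent of: etc/apparmor.d/sbin.dhclient -> etc/apparmor/init/network-interface-security/sbin.dhclient
    ln -s ../../../apparmor.d/sbin.dhclient "$init_dir/sbin.dhclient"
    nis_link_ok sbin.dhclient "$apparmor_d" "$init_dir"
    rc=$?
    rm -rf "$scratch"
    return $rc
}

echo "== aa-status before the fix (expect dhclient listed) =="
printf '%s\n' "$SAMPLE_BROKEN" | unconfined_with_profile
echo "== aa-status after the fix (expect nothing) =="
printf '%s\n' "$SAMPLE_FIXED" | unconfined_with_profile
if demo_link_check; then
    echo "link check: missing link detected, restored link accepted"
else
    echo "link check: unexpected result"
fi
```

On a live system the first check is `sudo aa-status | unconfined_with_profile`, and the second is `nis_link_ok sbin.dhclient /etc/apparmor.d /etc/apparmor/init/network-interface-security`; a non-empty first result or a non-zero second exit status reproduces the condition this bug describes.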