apparmor denied operation file_inherit from networkmanager when using HWE kernel

Bug #1417658 reported by stargazer
52
This bug affects 10 people
Affects Status Importance Assigned to Milestone
isc-dhcp (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Fix Released
High
Unassigned
Vivid
Fix Released
Undecided
Unassigned

Bug Description

[Impact]
AppArmor denials appear in dhclient when using using HWE kernel on 14.04. This can result in incorrect dhcp operation on client systems. The fix is to add these rules:
  network inet dgram,
  network inet6 dgram,

to the dhclient profile for nm-dhcp-client.action and dhclient-script, like we did in 4.2.4-7ubuntu14.

[Test Case]
Install HWE kernel and use network manager to obtain an IP address.

[Regression Potential]
Extremely low since the update only adds access that dhclient didn't have.

Original description:

Hallo,

on Kubuntu 14.04.x dmesg shows me the following apparmor messages;

Is this normal or is this a security issue together with network-manager?

[ 16.171766] audit: type=1400 audit(1422595680.679:68): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2229 comm="nm-dhcp-client." lport=10320 family="inet" sock_type="dgram" protocol=17
[ 16.171772] audit: type=1400 audit(1422595680.679:69): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2229 comm="nm-dhcp-client." lport=21985 family="inet6" sock_type="dgram" protocol=17
[ 16.199936] audit: type=1400 audit(1422595680.707:70): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2246 comm="nm-dhcp-client." lport=10320 family="inet" sock_type="dgram" protocol=17
[ 16.199943] audit: type=1400 audit(1422595680.707:71): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2246 comm="nm-dhcp-client." lport=21985 family="inet6" sock_type="dgram" protocol=17
[ 16.201369] audit: type=1400 audit(1422595680.707:72): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2248 comm="nm-dhcp-client." lport=10320 family="inet" sock_type="dgram" protocol=17
[ 16.201379] audit: type=1400 audit(1422595680.707:73): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2248 comm="nm-dhcp-client." lport=21985 family="inet6" sock_type="dgram" protocol=17
[ 17.206342] audit: type=1400 audit(1422595681.711:74): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2468 comm="nm-dhcp-client." lport=10320 family="inet" sock_type="dgram" protocol=17
[ 17.206349] audit: type=1400 audit(1422595681.711:75): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2468 comm="nm-dhcp-client." lport=21985 family="inet6" sock_type="dgram" protocol=17

When I logon to KDE, KDE hangs sometimes for 3sec at the login-process , when there is no internet connection (DSL modem did not dial-in yet).

Thanks for your help!
Best regards, Bernhard

stargazer (stargazer05)
tags: added: 14.04 apparmor manager network trusty
tags: added: networkmanager
removed: manager network
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Revision history for this message
Øyvind Stegard (oyvindstegard) wrote :

Seeing the same messages, and according to logs it started when kernel was upgraded from 3.13 to 3.16 as part of LTS hardware enablement.

[ 4109.863163] audit: type=1400 audit(1424684677.351:95): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=9233 comm="nm-dhcp-client." lport=63747 family="inet" sock_type="dgram" protocol=17

I have not observed any ill effects on network connectivity, though.

Revision history for this message
Chris Davies (ohl9hoj1aepaingeu2) wrote :

Seeing the same issue on Linux desktopthink 3.16.0-31-generic #41~14.04.1-Ubuntu.
I've noticed after a 'random' change of activity (eg opening a whole bunch of windows, using a different port, i'm unable to use the network without a system restart.

Revision history for this message
alp (atoker) wrote :

This issue causes incomplete dhcp configuration to assign a stale IP that may already be leased to another device on the network.

The fix is to backport the AppArmor profile updates from https://launchpad.net/ubuntu/+source/isc-dhcp/4.2.4-7ubuntu14

diff -pruN 4.2.4-7ubuntu13/debian/apparmor-profile.dhclient 4.2.4-7ubuntu14/debian/apparmor-profile.dhclient
--- 4.2.4-7ubuntu13/debian/apparmor-profile.dhclient 2014-06-25 12:05:29.000000000 +0000
+++ 4.2.4-7ubuntu14/debian/apparmor-profile.dhclient 2014-08-27 14:01:23.000000000 +0000
@@ -74,11 +74,15 @@
   /var/lib/NetworkManager/*lease r,
   signal (receive) peer=/usr/sbin/NetworkManager,
   ptrace (readby) peer=/usr/sbin/NetworkManager,
+ network inet dgram,
+ network inet6 dgram,
 }

 /usr/lib/connman/scripts/dhclient-script {
   #include <abstractions/base>
   #include <abstractions/dbus>
   /usr/lib/connman/scripts/dhclient-script mr,
+ network inet dgram,
+ network inet6 dgram,
 }

diff -pruN 4.2.4-7ubuntu13/debian/changelog 4.2.4-7ubuntu14/debian/changelog
--- 4.2.4-7ubuntu13/debian/changelog 2014-06-25 12:31:57.000000000 +0000
+++ 4.2.4-7ubuntu14/debian/changelog 2014-08-27 14:04:04.000000000 +0000
@@ -1,3 +1,10 @@
+isc-dhcp (4.2.4-7ubuntu14) utopic; urgency=medium
+
+ * debian/apparmor-profile.dhclient: add file_inherit inet{,6} dgram rules
+ for child profiles
+
+ -- Jamie Strandboge <email address hidden> Wed, 27 Aug 2014 09:01:46 -0500
+
 isc-dhcp (4.2.4-7ubuntu13) utopic; urgency=medium

   * apparmor-profile.dhclient: allow signal receive and ptrace readby by

Revision history for this message
alp (atoker) wrote :

And if you're hand-applying the patch from #4 you can make the changes to /etc/apparmor.d/sbin.dhclient and reload the configuration manually:

$ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
$ service apparmor restart

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in isc-dhcp (Ubuntu):
status: New → Confirmed
no longer affects: apparmor (Ubuntu)
summary: - apparmor denied operation file_inherit from networkmanager
+ apparmor denied operation file_inherit from networkmanager when using
+ HWE kernel
Changed in isc-dhcp (Ubuntu Vivid):
status: Confirmed → Fix Released
Changed in isc-dhcp (Ubuntu Trusty):
status: New → Triaged
Changed in isc-dhcp (Ubuntu Trusty):
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
description: updated
Changed in isc-dhcp (Ubuntu Trusty):
status: Triaged → In Progress
description: updated
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

4.2.4-7ubuntu12.1 uploaded to trusty-proposed and is awaiting approval.

Changed in isc-dhcp (Ubuntu Trusty):
assignee: Jamie Strandboge (jdstrand) → nobody
Revision history for this message
stargazer (stargazer05) wrote :

Thanks, I will test the patched package, as soon as it will land in trusty-proposed.

Revision history for this message
alp (atoker) wrote :

Good work Jamie.

For the record this issue also affected networking in the community-maintained* Raspberry Pi distribution of Ubuntu Trusty where "the 3.13 kernel has been replaced with an updated 3.18 kernel". They might want to build an updated image once this makes it into the updates repo though I don't know who to ping about that.

* https://wiki.ubuntu.com/ARM/RaspberryPi

Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello Bernhard, or anyone else affected,

Accepted isc-dhcp into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/isc-dhcp/4.2.4-7ubuntu12.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in isc-dhcp (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
stargazer (stargazer05) wrote :

Tested packages: amd64
isc-dhcp-client 4.2.4-7ubuntu12.1
isc-dhcp-common 4.2.4-7ubuntu12.1

with kernels: amd64
vivid-lts 3.19.0-10.10
utopic-lts 3.16.0- 34.27

No "apparmor="DENIED" operation"-messages anymore => the patched packages work.

Thank you for your support!
Best regards, Bernhard

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.2.4-7ubuntu12.1

---------------
isc-dhcp (4.2.4-7ubuntu12.1) trusty-proposed; urgency=medium

  * debian/apparmor-profile.dhclient: add 'network inet dgram' and
    'network inet6 dgram' to nm-dhcp-helper and dhclient-script for HWE
    kernels (LP: #1417658)
 -- Jamie Strandboge <email address hidden> Mon, 30 Mar 2015 12:24:24 -0500

Changed in isc-dhcp (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for isc-dhcp has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Rob Traders (rob-traderspit) wrote :
Download full text (3.4 KiB)

This bug is imho not fixed for my Ubuntu 14.04.2 LTS Server with this current "fixed" version of isc-dhcp-server 4.2.4-7ubuntu12.1.

I assume the lease file can't be rotated because its owned by root.

# ls -la /var/lib/dhcp
total 24
5374571 drwxr-xr-x 2 root root 4096 Apr 19 14:54 .
5374092 drwxr-xr-x 92 root root 4096 Apr 4 17:31 ..
5374293 -rw-r--r-- 1 root root 6319 Apr 19 14:54 dhcpd.leases
5379328 -rw-r--r-- 1 root root 6319 Apr 19 14:53 dhcpd.leases~

It occours also after a restart of isc-dhcp-server.
The only quick solution for me was to add a "chown .." in the /etc/init.d/isc-dhcp-server startscript (at the end of the start/stop/restart sections, i.e. to prevent overwrites during process starts

 restart | force-reload)
  test_config
  $0 stop
  sleep 2
  $0 start
  if [ "$?" != "0" ]; then
   exit 1
  fi
  chown dhcpd /var/lib/dhcp/*
  ;;

additional I changed "chown root:root" to "chown dhcpd:dhcpd" in the file: /etc/init/isc-dhcp-server.conf

    # Allow dhcp server to write lease and pid file as 'dhcpd' user
    mkdir -p /var/run/dhcp-server
    chown dhcpd:dhcpd /var/run/dhcp-server

    # The leases files need to be root:root even when dropping privileges
    [ -e /var/lib/dhcp/dhcpd.leases ] || touch /var/lib/dhcp/dhcpd.leases
 #chown root:root /var/lib/dhcp /var/lib/dhcp/dhcpd.leases
     chown dhcpd:dhcpd /var/lib/dhcp /var/lib/dhcp/dhcpd.leases
    if [ -e /var/lib/dhcp/dhcpd.leases~ ]; then
        #chown root:root /var/lib/dhcp/dhcpd.leases~
        chown dhcpd:dhcpd /var/lib/dhcp/dhcpd.leases~
    fi

The properties of the affected Ubuntu system (dhclient is disabled)

# dpkg -l |grep isc-dhcp-server
ii isc-dhcp-server 4.2.4-7ubuntu12.1 amd64 ISC DHCP server for automatic IP address assignment

# uname -a
Linux gandalf 3.13.0-49-generic #83-Ubuntu SMP Fri Apr 10 20:11:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/issue
Ubuntu 14.04.2 LTS \n \l

Apparmor config looks like

# grep leases /etc/apparmor.d/usr.sbin.dhcpd
  /var/lib/dhcp/dhcpd{,6}.leases* lrw,
  /etc/dhcpd{,6}.leases* lrw,
  /{,var/}run/eucalyptus/net/*.leases* lrw,

# tail -f syslog
Apr 19 16:51:06 gandalf dhcpd: Wrote 24 leases to leases file.
Apr 19 16:51:06 gandalf dhcpd: Can't backup lease database /var/lib/dhcp/dhcpd.leases to /var/lib/dhcp/dhcpd.leases~: Operation not permitted
Apr 19 16:51:06 gandalf dhcpd: Added reverse map from 10.2.10.10.in-addr.arpa. to lab-01.lab.foo.bar.
Apr 19 16:51:06 gandalf kernel: [14157.954888] audit_printk_skb: 57 callbacks suppressed
Apr 19 16:51:06 gandalf kernel: [14157.954892] type=1702 audit(1429455066.150:174): op=linkat ppid=1 pid=2240 auid=4294967295 uid=121 gid=130 euid=121 suid=121 fsuid=121 egid=130 sgid=130 fsgid=130 tty=(none) ses=4294967295 comm="dhcpd" exe="/usr/sbin/dhcpd" res=0
Apr 19 16:51:06 gandalf kernel: [14157.954899] type=1302 audit(1429455066.150:175): item=0 name="/var/lib/dhcp/dhcpd.leases" inode=5375035 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

# tail -f /var/log/kern.log
Apr 19 16:51:06 gandalf kernel: [14157.954892] type=1702 audit(1429455066.150:174): op=linkat ppid=1 pid=2240 auid=4294967295 uid=121 gid=130 euid=121 suid=121 fsuid=1...

Read more...

Revision history for this message
alp (atoker) wrote :

Rob Traders (rob-traderspit) in #15, your report looks like an unrelated issue - perhaps file a new bug? This one was about apparmor network policies with updated kernels and the issue has been verified fixed by many users.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers