isc-dhcp-server AppArmor Denied on /proc/sys/net/ipv4/ip_local_port_range

Bug #1901373 reported by Steve Matos
This bug affects 3 people

Affects: isc-dhcp (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

The following AppArmor denial errors are shown on startup:

Oct 25 00:52:00 xxx kernel: [ 556.231990] audit: type=1400 audit(1603601520.710:32): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 25 00:52:00 xxx kernel: [ 556.232257] audit: type=1400 audit(1603601520.710:33): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Fix is to edit /etc/apparmor.d/local/usr.sbin.dhcpd to have:
@{PROC}/sys/net/ipv4/ip_local_port_range r,

'lsb_release -rd':
Description: Ubuntu 20.04.1 LTS
Release: 20.04

isc-dhcp-server:
  Installed: 4.4.1-2.1ubuntu5
  Candidate: 4.4.1-2.1ubuntu5
  Version table:
 *** 4.4.1-2.1ubuntu5 500
        500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status

apparmor:
  Installed: 2.13.3-7ubuntu5.1
  Candidate: 2.13.3-7ubuntu5.1
  Version table:
 *** 2.13.3-7ubuntu5.1 500
        500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.13.3-7ubuntu5 500
        500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
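As an added example (not part of the bug report or of the isc-dhcp package), here is the procedure the report describes, turned into a small POSIX shell helper: it reads AppArmor `DENIED` audit lines, collapses the repeated denials into one candidate rule per distinct path and denied mask, rewrites `/proc/` to the `@{PROC}` tunable the packaged profiles use, and appends the rules to a local override file without duplicating any that are already there. The log lines are constructed from the report's dmesg output (plus one extra line to show a write denial), and the function names `deny_rules` and `write_local_override` are this example's own.

```shell
#!/bin/sh
# Constructed sample audit lines: the two denials from the report plus one
# extra path, to show de-duplication and a different denied mask.
SAMPLE_LOG='kernel: [  556.231990] audit: type=1400 audit(1603601520.710:32): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: [  556.232257] audit: type=1400 audit(1603601520.710:33): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/proc/sys/net/ipv4/ip_local_port_range" pid=1982 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: [  556.300000] audit: type=1400 audit(1603601520.800:34): apparmor="DENIED" operation="open" profile="/usr/sbin/dhcpd" name="/var/lib/dhcp/dhcpd6.leases" pid=1982 comm="dhcpd" requested_mask="wr" denied_mask="w" fsuid=0 ouid=0'

# deny_rules PROFILE: read audit lines on stdin and print one AppArmor file
# rule per distinct (path, denied_mask) pair for PROFILE. Only denied_mask is
# used, so a rule grants exactly what was refused and nothing more. Paths
# under /proc are rewritten to the @{PROC} tunable, as in the packaged
# profiles (and in the fix proposed in the report).
deny_rules() {
  profile="$1"
  sed -n "s|.*apparmor=\"DENIED\" .*profile=\"$profile\" name=\"\([^\"]*\)\" .*denied_mask=\"\([^\"]*\)\".*|\1 \2|p" |
  sort -u |
  while read -r path mask; do
    case "$path" in
      /proc/*) path="@{PROC}/${path#/proc/}" ;;
    esac
    printf '  %s %s,\n' "$path" "$mask"
  done
}

# write_local_override FILE PROFILE: append the generated rules to FILE (the
# report's fix edits /etc/apparmor.d/local/usr.sbin.dhcpd), skipping any rule
# already present so the helper can be re-run on the same log safely.
write_local_override() {
  file="$1"; profile="$2"
  [ -f "$file" ] || : > "$file"
  deny_rules "$profile" | while read -r rule; do
    grep -qF -- "$rule" "$file" || printf '  %s\n' "$rule" >> "$file"
  done
}

# Stand-alone run: show the rules the constructed sample would produce.
printf '%s\n' "$SAMPLE_LOG" | deny_rules /usr/sbin/dhcpd
```

Against the sample this prints `@{PROC}/sys/net/ipv4/ip_local_port_range r,` once (the two identical denials collapse) and `/var/lib/dhcp/dhcpd6.leases w,`. In real use, feed it `dmesg` or `journalctl -k` output, review each candidate rule before keeping it (a denial is evidence of what the program tried, not proof that it should be allowed), and reload the profile afterwards with `apparmor_parser -r /etc/apparmor.d/usr.sbin.dhcpd`, which picks up the local override through the packaged profile's local include.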

Michael Albert (albertmichaelj) wrote :

I can confirm that I am seeing this same behavior. The proposed fix also worked for me.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in isc-dhcp (Ubuntu):
status: New → Confirmed
Norman Henderson (norm-audrey) wrote :

Proposed fix does not work for me, gives AppArmor parser error at line 3: Found unexpected character '''

I am also puzzled that this apparmor profile is completely different in form than others proposed e.g. at:
https://github.com/Harvie/AppArmor-Profiles/blob/master/usr.sbin.dhcpd
???

Norman Henderson (norm-audrey) wrote :

Admitting I know very little about apparmor, here is the profile that worked for me:
# cat /etc/apparmor.d/usr.sbin.dhcpd

# vim:syntax=apparmor

#include <tunables/global>

/usr/sbin/dhcpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability chown,
  capability dac_override,
  capability net_bind_service,
  capability net_raw,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  network inet raw,
  network packet raw,

  /etc/dhcp/dhcpd.conf r,
  /etc/dhcp/dhcpd6.conf r,
  /etc/bind/* r,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  @{PROC}/net/dev r,
  /usr/sbin/dhcpd rmix,
  /var/lib/dhcp/dhcpd.leases* rwl,
  /var/lib/dhcp/dhcpd6.leases* rwl,
  /{,var/}run/dhcp-server/dhcpd.pid wl,
}

John Johansen (jjohansen) wrote :

@norm-audrey as I read it the proposed fix does not contain a ''' character. It is the single line

  @{PROC}/sys/net/ipv4/ip_local_port_range r,

Did you perhaps also copy the following line?

  'lsb_release -rd':

That would indeed result in the reported error. I am not sure how the profile in comment #4 would fix the originally reported deny message except by causing dhcpd to not use the code path resulting in the denial.

As for the difference between the two profiles: they don't have a completely different form. Both have evolved from a similar base, so they have much in common but do have some differences. The profile from https://github.com/Harvie/AppArmor-Profiles/blob/master/usr.sbin.dhcpd is an older version of the one carried by the upstream project https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/usr.sbin.dhcpd.

Beyond whitespace differences I see

different conf file locations

  /etc/dhcpd.conf r,
  /etc/named.d/* r,

vs.

  /etc/dhcp/dhcpd.conf r,
  /etc/dhcp/dhcpd6.conf r,
  /etc/bind/* r,

broader lease location in the old upstream version

  /var/lib/dhcp/{db/,}dhcpd.leases* rwl,

vs.

  /var/lib/dhcp/dhcpd6.leases* rwl,

support for ipv6 leases in your version

  /var/lib/dhcp/{db/,}dhcpd.leases* rwl,

vs.

  /var/lib/dhcp/dhcpd.leases* rwl,
  /var/lib/dhcp/dhcpd6.leases* rwl,

note: current upstream has broader leases and ipv6

  /var/lib/dhcp/{db/,}dhcpd{6,}.leases* rwl,

different pid file location

  /{,var/}run/dhcpd.pid wl

vs.

  /{,var/}run/dhcp-server/dhcpd.pid wl,

Some of this could come down to system configuration of dhcpd.
