apparmor profile denying access to /proc/*/net/dev

Bug #688186 reported by Dave Walker on 2010-12-09
This bug affects 3 people
Affects: isc-dhcp (Ubuntu)
Importance: High
Assigned to: Jamie Strandboge

Bug Description

[ 11.905752] type=1400 audit(1291909447.147:7): apparmor="DENIED" operation="open" parent=1022 profile="/usr/sbin/dhcpd" name="/proc/1053/net/dev" pid=1053 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=104 ouid=0

As suggested by jdstrand, adding "@{PROC}/[0-9]*/net/dev r," to /etc/apparmor.d/usr.sbin.dhcpd resolves this.

Dave Walker (davewalker) on 2010-12-09
Changed in isc-dhcp (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in isc-dhcp (Ubuntu):
importance: Undecided → High
milestone: none → natty-alpha-2
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.1.1-P1-15ubuntu2

---------------
isc-dhcp (4.1.1-P1-15ubuntu2) natty; urgency=low

  * debian/apparmor-profile.dhcpd: allow read access to @{PROC}/[0-9]*/net/dev
    LP: #688186
  * debian/apparmor-profile.dhclient: tighten to allow access to
    @{PROC}/[0-9]*/net/**, not @{PROC}/sys/net
  * debian/isc-dhcp-client.postinst: move the old dhclient3 AppArmor aside on
    upgrade. This is needed to properly support upgrades to 11.04 and 12.04.
    LP: #688191
 -- Jamie Strandboge <email address hidden> Thu, 09 Dec 2010 11:21:53 -0600

Changed in isc-dhcp (Ubuntu):
status: In Progress → Fix Released
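
The denial in the bug description maps mechanically onto the rule that fixed it. The following is an added example, not part of the bug report or the isc-dhcp packaging: it parses AppArmor audit lines and proposes a PID-generalised read/write rule per profile. The function names and the second sample line are made up for illustration.

```python
import re
from collections import defaultdict

# First line: the denial quoted in the bug description. Second line: a
# constructed repeat from a later dhcpd start (different PID).
SAMPLE_LOG = [
    '[ 11.905752] type=1400 audit(1291909447.147:7): apparmor="DENIED" '
    'operation="open" parent=1022 profile="/usr/sbin/dhcpd" '
    'name="/proc/1053/net/dev" pid=1053 comm="dhcpd" requested_mask="r" '
    'denied_mask="r" fsuid=104 ouid=0',
    '[ 97.412008] type=1400 audit(1291909532.654:9): apparmor="DENIED" '
    'operation="open" parent=1 profile="/usr/sbin/dhcpd" '
    'name="/proc/2077/net/dev" pid=2077 comm="dhcpd" requested_mask="r" '
    'denied_mask="r" fsuid=104 ouid=0',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
PROC_PID = re.compile(r'^/proc/\d+(?=/|$)')    # leading /proc/<pid> only

def parse_audit(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def suggest_rule(line):
    """Return (profile, candidate file rule) for a DENIED event, else None."""
    f = parse_audit(line)
    if f.get("apparmor") != "DENIED":
        return None
    if not {"profile", "name", "denied_mask"} <= set(f):
        return None
    mask = f["denied_mask"]
    # Only plain read/write is proposed; exec, link, lock etc. need review.
    if not mask or set(mask) - set("rw"):
        return None
    # A literal PID matches one process instance only; generalise it as the
    # fix on this page does. @{PROC} is defined via <tunables/global>.
    path = PROC_PID.sub("@{PROC}/[0-9]*", f["name"])
    return f["profile"], f"{path} {mask},"

def suggest_rules(lines):
    """Group de-duplicated candidate rules by the profile that logged them."""
    rules = defaultdict(set)
    for line in lines:
        hit = suggest_rule(line)
        if hit:
            rules[hit[0]].add(hit[1])
    return {profile: sorted(found) for profile, found in rules.items()}

if __name__ == "__main__":
    for profile, found in suggest_rules(SAMPLE_LOG).items():
        print(profile, found)
```

Both sample denials collapse into the single rule from the bug description; a proposed rule still needs review before it goes into a profile, since the log only shows what was requested, not whether it should be allowed.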
Tom (thomasmca) wrote :
This bug still exists on my 64bit Kubuntu Natty installation. /etc/apparmor.d/usr.sbin.dhcpd does not exist, and isc-dhcp-client is version 4.1.1-P1-15ubuntu9.1

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 11.04
Release: 11.04
Codename: natty

$ dmesg | grep apparmor
[ 17.963014] type=1400 audit(1332158159.903:2): apparmor="STATUS" operation="profile_load" name="/sbin/dhclient" pid=571 comm="apparmor_parser"
[ 17.963980] type=1400 audit(1332158159.903:3): apparmor="STATUS" operation="profile_load" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=571 comm="apparmor_parser"
[ 17.964606] type=1400 audit(1332158159.903:4): apparmor="STATUS" operation="profile_load" name="/usr/lib/connman/scripts/dhclient-script" pid=571 comm="apparmor_parser"
[ 18.206374] type=1400 audit(1332158160.143:5): apparmor="STATUS" operation="profile_load" name="/usr/share/gdm/guest-session/Xsession" pid=992 comm="apparmor_parser"
[ 18.206701] type=1400 audit(1332158160.143:6): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient" pid=994 comm="apparmor_parser"
[ 18.207198] type=1400 audit(1332158160.153:7): apparmor="STATUS" operation="profile_load" name="/usr/sbin/mysqld-akonadi" pid=998 comm="apparmor_parser"
[ 18.207642] type=1400 audit(1332158160.153:8): apparmor="STATUS" operation="profile_load" name="/usr/lib/cups/backend/cups-pdf" pid=997 comm="apparmor_parser"
[ 18.207703] type=1400 audit(1332158160.153:9): apparmor="STATUS" operation="profile_replace" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=994 comm="apparmor_parser"
[ 18.207815] type=1400 audit(1332158160.153:10): apparmor="STATUS" operation="profile_load" name="/usr/sbin/mysqld-akonadi///usr/sbin/mysqld" pid=998 comm="apparmor_parser"
[ 18.208194] type=1400 audit(1332158160.153:11): apparmor="STATUS" operation="profile_replace" name="/usr/lib/connman/scripts/dhclient-script" pid=994 comm="apparmor_parser"
[ 523.005483] type=1400 audit(1332158666.880:36): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/modules" pid=3419 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 523.009195] type=1400 audit(1332158666.880:37): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[ 523.027179] type=1400 audit(1332158666.900:38): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[ 523.027206] type=1400 audit(1332158666.900:39): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[ 523.027224] type=1400 audit(1332158666.900:40): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" reques...
