AppArmor missing file_lock for logger_lockfile

Bug #2121327 reported by Haw Loeung
This bug affects 2 people
Affects             Status        Importance  Assigned to   Milestone
isc-kea (Ubuntu)    Fix Released  Undecided   Jonas Jelten
Noble               Fix Released  Undecided   Jonas Jelten
Plucky              Fix Released  Undecided   Jonas Jelten

Bug Description

[ Impact ]

 * AppArmor denies locking the file /run/lock/kea/logger_lockfile,
   which Kea uses internally for its logging system.

 * Since this locking is intended, allowing the "k" (lock) mask on that path in the profile resolves the problem.

[ Test Plan ]

 * install kea-dhcp4-server
 * execute the lease file cleanup service:
   sudo -u _kea KEA_LOCKFILE_DIR=/run/lock/kea kea-lfc -d -4 -x /var/lib/kea/kea-leases4.csv.2 -i /var/lib/kea/kea-leases4.csv.1 -o /var/lib/kea/kea-leases4.csv.output -f /var/lib/kea/kea-leases4.csv.completed -p /var/lib/kea/kea-leases4.csv.pid -c ignored-path
 * observe errors:
   * dmesg:
[ 3515.694149] audit: type=1400 audit(1757081326.248:132): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2423 comm="kea-lfc" requested_mask="k" denied_mask="k" fsuid=109 ouid=109

   * kea-lfc stdout:
2025-09-05 16:08:46.247 ERROR [DhcpLFC/2423.135017416030656] Unable to lock logger lockfile
2025-09-05 16:08:46.247 INFO [DhcpLFC/2423.135017416030656] LFC_START Starting lease file cleanup

 * when fixed, observe no dmesg output and kea-lfc log is clean:
2025-09-05 16:09:17.756 INFO [DhcpLFC/2431.133913692117440] LFC_START Starting lease file cleanup
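As an added check that is not part of the bug report (the two sample audit lines are constructed from the shape of the dmesg output above), this script parses AppArmor file_lock denials on the logger_lockfile and wraps the test-plan command so the whole verification runs in one step:

```shell
#!/bin/sh
# Added example, not part of the bug report: an offline check for the AppArmor
# denial described above, plus a wrapper around the test-plan command.

# Constructed sample lines in the shape of the report's dmesg output.
SAMPLE_DENIAL='[ 3515.694149] audit: type=1400 audit(1757081326.248:132): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2423 comm="kea-lfc" requested_mask="k" denied_mask="k" fsuid=109 ouid=109'
SAMPLE_CLEAN='[ 3520.000000] audit: type=1400 audit(1757081330.000:133): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="kea-lfc" pid=2500 comm="apparmor_parser"'

# Read audit/dmesg lines on stdin and print "profile path denied_mask" for every
# AppArmor file_lock denial on a kea logger_lockfile. Prints nothing when clean.
kea_lockfile_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="file_lock"' | grep 'logger_lockfile' |
        sed -n 's/.*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2 \3/p'
}

# Run the test-plan command with the service's KEA_LOCKFILE_DIR and report any
# denial logged while it ran. Needs kea-dhcp4-server installed and sudo rights;
# returns 1 when the bug is still present.
run_test_plan() {
    lines_before=$(sudo dmesg | wc -l)
    sudo -u _kea KEA_LOCKFILE_DIR=/run/lock/kea kea-lfc -d -4 \
        -x /var/lib/kea/kea-leases4.csv.2 -i /var/lib/kea/kea-leases4.csv.1 \
        -o /var/lib/kea/kea-leases4.csv.output \
        -f /var/lib/kea/kea-leases4.csv.completed \
        -p /var/lib/kea/kea-leases4.csv.pid -c ignored-path
    found=$(sudo dmesg | tail -n +"$((lines_before + 1))" | kea_lockfile_denials)
    if [ -n "$found" ]; then
        printf 'FAIL: AppArmor still denies locking:\n%s\n' "$found"
        return 1
    fi
    echo "PASS: no file_lock denial for logger_lockfile"
}

# "sh check.sh run" executes the live test plan; with no argument only the
# functions are defined, so the parser can be exercised on the sample lines.
case "${1:-}" in
    run) run_test_plan ;;
esac
```

Run it as `sh check.sh run` on the test VM before and after installing the -proposed package; the parser alone can be tried offline with `printf '%s\n' "$SAMPLE_DENIAL" | kea_lockfile_denials`.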

[ Where problems could occur ]

 * Since this just allows one additional permission, regression potential is low.
 * Otherwise, there could be issues due to the update rollout/service restart.

[ Other Info ]

 * Fixed in Debian through https://salsa.debian.org/debian/isc-kea/-/merge_requests/62

 * In a fresh noble installation, running a standalone kea-lfc accesses /var/run/kea/logger_lockfile, i.e. /run/kea/logger_lockfile (because /var/run -> /run); a rule for that path exists and works there.
 * But kea-dhcp4-server.service sets KEA_LOCKFILE_DIR=/run/lock/kea in its environment, and the rule for this location doesn't have the k mask set for locking.

[ Original report ]

Hi,

Seeing:

| [Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.037:12140): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114
| [Sat Aug 23 21:53:19 2025] audit: type=1400 audit(1755985935.039:12141): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114
| [Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.084:12142): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114
| [Sat Aug 23 21:53:26 2025] audit: type=1400 audit(1755985942.085:12143): apparmor="DENIED" operation="file_lock" class="file" profile="kea-lfc" name="/run/lock/kea/logger_lockfile" pid=2237 comm="kea-dhcp4" requested_mask="k" denied_mask="k" fsuid=114 ouid=114

The AppArmor profile allows `file_lock` to `/run/kea/logger_lockfile` but not to `/run/lock/kea/logger_lockfile`. Changing it to this fixes it for me:

```
diff --git a/apparmor.d/usr.sbin.kea-lfc b/apparmor.d/usr.sbin.kea-lfc
index ae165fa..11f6a92 100644
--- a/apparmor.d/usr.sbin.kea-lfc
+++ b/apparmor.d/usr.sbin.kea-lfc
@@ -11,7 +11,7 @@ profile kea-lfc /usr/sbin/kea-lfc {
   /usr/sbin/kea-lfc mr,

   owner /run/kea/logger_lockfile rwk,
- owner /run/lock/kea/logger_lockfile rw,
+ owner /run/lock/kea/logger_lockfile rwk,

   # Control sockets
   # Before LP: #1863100, these were in /tmp. For compatibility, let's keep both
```
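Review bot: a short comment above the two logger_lockfile rules explaining that the path is chosen by KEA_LOCKFILE_DIR (the service sets /run/lock/kea, standalone runs end up at /run/kea) would document why both rules exist; the change itself is consistent with the `owner /run/kea/logger_lockfile rwk,` line above it and keeps the `owner` qualifier, which the report's audit lines (fsuid=114 ouid=114) show is satisfied.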


Jonas Jelten (jj)
tags: added: server-todo
Changed in isc-kea (Ubuntu):
status: New → Triaged
Changed in isc-kea (Ubuntu Noble):
status: New → Triaged
Changed in isc-kea (Ubuntu Plucky):
status: New → Triaged
Jonas Jelten (jj)
Changed in isc-kea (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Jonas Jelten (jj)
Jonas Jelten (jj)
Changed in isc-kea (Ubuntu Noble):
assignee: nobody → Jonas Jelten (jj)
Changed in isc-kea (Ubuntu Plucky):
assignee: nobody → Jonas Jelten (jj)
Jonas Jelten (jj) wrote :

@hloeung we fixed this in Debian, but to backport it to noble would you kindly add information to the [test plan] above, i.e. what you can do to verify the bug is gone?
Then, once we have placed the package in proposed, you could use this test to confirm we have indeed fixed the bug now.

description: updated
Andreas Hasenack (ahasenack) wrote :

This is being done via debian. As soon as the debian upload is ingested by launchpad, we can trigger a sync for questing.

Changed in isc-kea (Ubuntu Plucky):
status: Triaged → Fix Committed
Athos Ribeiro (athos) wrote :

This bug was fixed in the package isc-kea - 2.6.3-2

---------------
isc-kea (2.6.3-2) unstable; urgency=medium

  [ Jonas Jelten ]
  * d/usr.sbin.kea-lfc: add lock permission to logger_lockfile (LP: #2121327)

  [ Athos Ribeiro ]
  * d/control: bump standards version
  * d/copyright: update Debian copyright

 -- Athos Ribeiro <email address hidden> Wed, 27 Aug 2025 13:35:39 -0300

Changed in isc-kea (Ubuntu):
status: In Progress → Fix Released
Jonas Jelten (jj)
Changed in isc-kea (Ubuntu Plucky):
status: Fix Committed → Triaged
Jonas Jelten (jj) wrote :

I've proposed merges for the patches to plucky and noble.

@hloeung please update the original comment to add missing information, especially the test plan.

Jonas Jelten (jj)
Changed in isc-kea (Ubuntu Plucky):
status: Triaged → In Progress
Changed in isc-kea (Ubuntu Noble):
status: Triaged → In Progress
Jonas Jelten (jj)
description: updated
Jonas Jelten (jj)
description: updated
Julian Andres Klode (juliank) wrote :

 * Since this is just a new permission allowed, regression potential is low.
 * Otherwise, there could be issues due to the update rollout/service restart.

I anticipate since locking actually works now there may be issues surrounding locking, and they should have been mentioned but I don't think it's a blocker.

Changed in isc-kea (Ubuntu Plucky):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-plucky
Julian Andres Klode (juliank) wrote : Please test proposed package

Hello Haw, or anyone else affected,

Accepted isc-kea into plucky-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/isc-kea/2.6.1-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-plucky to verification-done-plucky. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-plucky. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in isc-kea (Ubuntu Noble):
status: In Progress → Fix Committed
tags: added: verification-needed-noble
Julian Andres Klode (juliank) wrote :

Hello Haw, or anyone else affected,

Accepted isc-kea into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/isc-kea/2.4.1-3ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Jonas Jelten (jj) wrote (last edit ):

I verified the bug is fixed, tested on fresh VMs:
-> noble 2.4.1-3ubuntu0.1
-> plucky 2.6.1-1ubuntu0.1

The AppArmor DENY doesn't occur after the profile was replaced and one executes:

sudo -u _kea KEA_LOCKFILE_DIR=/run/lock/kea kea-lfc -d -4 -x /var/lib/kea/kea-leases4.csv.2 -i /var/lib/kea/kea-leases4.csv.1 -o /var/lib/kea/kea-leases4.csv.output -f /var/lib/kea/kea-leases4.csv.completed -p /var/lib/kea/kea-leases4.csv.pid -c ignored-path

tags: added: verification-done-noble verification-done-plucky
removed: verification-needed-noble verification-needed-plucky
tags: added: verification-done
removed: verification-needed
Nick Rosbrook (enr0n) wrote : Update Released

The verification of the Stable Release Update for isc-kea has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-kea - 2.4.1-3ubuntu0.1

---------------
isc-kea (2.4.1-3ubuntu0.1) noble; urgency=medium

  * d/usr.sbin.kea-lfc: add lock permission to logger_lockfile (LP: #2121327)

 -- Jonas Jelten <email address hidden> Tue, 26 Aug 2025 15:35:25 +0200

Changed in isc-kea (Ubuntu Noble):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-kea - 2.6.1-1ubuntu0.1

---------------
isc-kea (2.6.1-1ubuntu0.1) plucky; urgency=medium

  * d/usr.sbin.kea-lfc: add lock permission to logger_lockfile (LP: #2121327)

 -- Jonas Jelten <email address hidden> Tue, 26 Aug 2025 15:35:25 +0200

Changed in isc-kea (Ubuntu Plucky):
status: Fix Committed → Fix Released