Many instances of 'apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0' in syslog

Bug #1546455 reported by Iain Lane on 2016-02-17
22
This bug affects 4 people
Affects Status Importance Assigned to Milestone
AppArmor
Medium
Tyler Hicks
apparmor (Ubuntu)
Medium
Tyler Hicks
ntp (Ubuntu)
Medium
Jamie Strandboge

Bug Description

I just dist-upgraded to this version of ntp which arrived in xenial very recently. Since then I'm being constantly spammed with libnotify notifications about the following

Feb 17 09:59:55 raleigh.local kernel: audit: type=1400 audit(1455703195.606:429): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0
Feb 17 09:59:55 raleigh.local kernel: audit: type=1400 audit(1455703195.606:430): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0
Feb 17 09:59:55 raleigh.local kernel: audit: type=1400 audit(1455703195.606:431): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0
Feb 17 09:59:55 raleigh.local kernel: audit: type=1400 audit(1455703195.606:432): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0
Feb 17 09:59:55 raleigh.local kernel: audit: type=1400 audit(1455703195.606:433): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0
[…]
Feb 17 09:59:59 raleigh.local kernel: audit: type=1400 audit(1455703199.526:434): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0
Feb 17 09:59:59 raleigh.local kernel: audit: type=1400 audit(1455703199.526:435): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0
Feb 17 09:59:59 raleigh.local kernel: audit: type=1400 audit(1455703199.526:436): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0
Feb 17 09:59:59 raleigh.local kernel: audit: type=1400 audit(1455703199.526:437): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0
Feb 17 09:59:59 raleigh.local kernel: audit: type=1400 audit(1455703199.526:438): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0

argh!

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ntp 1:4.2.8p4+dfsg-3ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-2.16-generic 4.4.0
Uname: Linux 4.4.0-2-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Feb 17 09:57:02 2016
InstallationDate: Installed on 2012-10-07 (1227 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Beta amd64 (20121007)
SourcePackage: ntp
UpgradeStatus: Upgraded to xenial on 2013-05-07 (1016 days ago)

Related branches

Iain Lane (laney) wrote :
Iain Lane (laney) on 2016-02-17
Changed in ntp (Ubuntu):
assignee: nobody → Kick In (kick-d)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ntp (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

I see that ntp is now using AF_UNSPEC in a number of places. I tried the following rules:
  # ntp uses AF_INET, AF_INET6 and AF_UNSPEC
  network dgram,
  network stream,

which should fix it, but still get denials. I then tried all of the following:
  network udp,
  network tcp,
  network dgram,
  network stream,
  network inet,
  network inet6,
  network,

and the kernel is still denying.

Jamie Strandboge (jdstrand) wrote :

I'm going to upload a fix for ntp, but there is an apparmor bug that is preventing it from working, so adding an apparmor task.

Changed in ntp (Ubuntu):
assignee: Kick In (kick-d) → Jamie Strandboge (jdstrand)
status: Confirmed → In Progress
Changed in apparmor (Ubuntu):
status: New → Confirmed
assignee: nobody → Tyler Hicks (tyhicks)
tags: added: aa-kernel
Changed in ntp (Ubuntu):
status: In Progress → Fix Committed
Steve Beattie (sbeattie) wrote :

AF_UNSPEC is used in calls to getaddrinfo(3) to request either ipv4 or ipv6 addresses. In the parser, we've been filtering out AF_UNSPEC as an option. It's a simple enough patch to enable it:

Index: b/common/Make.rules
===================================================================
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -98,7 +98,7 @@ list_capabilities: /usr/include/linux/ca
 # to mediate. We use PF_ here since that is what is required in
 # bits/socket.h, but we will rewrite these as AF_.

-FILTER_FAMILIES=PF_UNSPEC PF_UNIX
+FILTER_FAMILIES=PF_UNIX

 __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')

However, there's some concern that because the value of AF_UNSPEC is 0, there might be some special handling of that case, or other unexpected issues.

That said, I'm able to reproduce the issue, and adding a rule 'network unspec dgram,' eliminated the rejections that ntpd was creating (whereas adding a rule 'network unspec raw,' as expected, did not).

Tyler Hicks (tyhicks) wrote :
Changed in apparmor (Ubuntu):
status: Confirmed → In Progress
Tyler Hicks (tyhicks) wrote :
Changed in apparmor:
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → Medium
status: New → Fix Committed
Tyler Hicks (tyhicks) wrote :

Passed QRT's test-apparmor.py in an Xenial amd64 VM.

The attachment "apparmor_2.10-3ubuntu2.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
Changed in ntp (Ubuntu):
importance: Undecided → Medium
Martin Pitt (pitti) wrote :

apparmor was already uploaded: https://launchpad.net/ubuntu/+source/apparmor/2.10-3ubuntu2

Unsubscribing sponsors.

Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.10-3ubuntu2

---------------
apparmor (2.10-3ubuntu2) xenial; urgency=medium

  * debian/patches/parser-allow-unspec-in-network-rules.patch: Allow
    apparmor_parser to support rules that use 'unspec' as the network protocol
    family. (LP: #1546455)

 -- Tyler Hicks <email address hidden> Thu, 18 Feb 2016 12:48:17 -0600

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released

Is in ntp since ntp_4.2.8p4+dfsg-3ubuntu2.dsc, marking fix released

Changed in ntp (Ubuntu):
status: Fix Committed → Fix Released
Christian Boltz (cboltz) wrote :

While support for "unspec" was added some months ago, the nptd profile in upstream bzr wasn't updated. I just did this - trunk r3583, 2.10 branch r3360, 2.9 branch r3090.

See also https://bugzilla.opensuse.org/show_bug.cgi?id=1009964

Christian Boltz (cboltz) wrote :

Fixed in AppArmor 2.11, 2.10.2 and 2.9.4

Changed in apparmor:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.