apparmor denial to several paths to binaries
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ntp (Ubuntu) | Fix Released | Low | Christian Ehrhardt |
Artful | Fix Released | Low | Unassigned |
Bug Description
[Impact]
* Apparmor denies access to bin directories which the option parsing code
of ntp touches.
[Test Case]
1. get a container of the target release
2. install ntp
   apt install ntp
3. watch dmesg on the container host
   dmesg -w
4. restart ntp in the container
   systemctl restart ntp
=> see (or, after the fix, no longer see) apparmor denials:
apparmor="DENIED" operation="open" profile=
apparmor="DENIED" operation="open" profile=
[Regression Potential]
* we are only slightly opening up the apparmor profile, but none of the
changes poses a security risk, so the regression potential on its own
should be close to zero.
* we discussed if this would be a security risk but came to the
conclusion that r-only should be ok (the same content anyone can grab
from the archive by installing the packages)
[Other Info]
* n/a
Issue shows up (non-fatal) as:
apparmor="DENIED" operation="open" profile=
apparmor="DENIED" operation="open" profile=
Since it is non-critical, this is mostly about many of us being curious why it actually does that :-)
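The test case above watches dmesg by hand for the two denial lines. The following is an added example, not code from the bug page or from the ntp package: a small shell function that turns AppArmor "DENIED" lines into candidate profile rules, emitting a read-only rule for plain directory opens and flagging anything else for manual review. The sample log lines are constructed to match the shape of the two truncated lines above (which the page shows only as far as `profile=`); the profile name `/usr/sbin/ntpd`, the pids and the `/etc/shadow` line are assumptions.

```shell
#!/bin/sh
# Added example: propose AppArmor rules from open() denials seen in dmesg.
# Not part of the bug report or the ntp package.

# Constructed sample in the shape dmesg prints on the container host.
# Profile name, pids and paths are assumptions; the two /usr/local/sbin/
# lines mirror "both opens are from the same place" in the report.
SAMPLE_DENIALS='[ 1234.567890] audit: type=1400 audit(1516000000.100:42): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=2001 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1234.567891] audit: type=1400 audit(1516000000.101:43): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=2001 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1234.567892] audit: type=1400 audit(1516000000.102:44): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=2001 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1234.567893] audit: type=1400 audit(1516000000.103:45): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=2001 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Reads dmesg-style lines on stdin, prints one proposed rule (or a review
# marker) per distinct denied path. Paths containing spaces are not handled.
denials_to_rules() {
    awk '
        # Only open() denials; other operations (exec, mount, ...) need a
        # human anyway.
        /apparmor="DENIED"/ && /operation="open"/ {
            name = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name="/)        { name = substr($i, 7, length($i) - 7) }
                if ($i ~ /^denied_mask="/) { mask = substr($i, 14, length($i) - 14) }
            }
            # Skip malformed lines and repeats of a path already reported.
            if (name == "" || seen[name]++) { next }
            # The kernel logs a directory open (opendir()) with a trailing
            # slash; a plain read of a directory only lists it, so it is the
            # one case safe enough to propose automatically.
            if (mask == "r" && name ~ /\/$/) {
                print name " r,"
            } else {
                print "# REVIEW before adding: " name " (denied_mask=" mask ")"
            }
        }'
}

# Stand-alone run over the constructed sample; on a real host use:
#   dmesg | denials_to_rules
printf '%s\n' "$SAMPLE_DENIALS" | denials_to_rules
```

A rule such as `/usr/local/sbin/ r,` lets the confined ntpd list that directory and nothing more; reading a file under it would need its own rule, which is why read-only access to the bin directories is the low-risk change the regression section argues for. After adding the rules to the profile (on Ubuntu, `/etc/apparmor.d/usr.sbin.ntpd`), reload it with `apparmor_parser -r` on that file and repeat the test case to confirm the denials are gone.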
Changed in ntp (Ubuntu):
assignee: nobody → ChristianEhrhardt (paelzer)
status: Confirmed → In Progress
description: updated
I found a setup that triggers it again (often but not always happening).
Once reproducible I took backtraces of the sys open to see what in ntp does that.
Both opens are from the same place.

```
Thread 1 "ntpd" hit Catchpoint 1 (returned from syscall open), 0x00007f8afd8fcd53 in __opendir (name=0x7ffc9999df90 "/usr/local/sbin")
    at ../sysdeps/posix/opendir.c:191
191	in ../sysdeps/posix/opendir.c
(gdb) bt
#0  0x00007f8afd8fcd53 in __opendir (name=0x7ffc9999df90 "/usr/local/sbin") at ../sysdeps/posix/opendir.c:191
#1  0x00007f8afe5c6ba7 in ?? () from /usr/lib/x86_64-linux-gnu/libopts.so.25
#2  0x00007f8afe5cdde6 in ?? () from /usr/lib/x86_64-linux-gnu/libopts.so.25
#3  0x00007f8afe5cfa4f in optionProcess () from /usr/lib/x86_64-linux-gnu/libopts.so.25
#4  0x000055c12781ae7f in parse_cmdline_opts (pargc=0x7ffc9999f0dc, pargv=0x7ffc9999f0d0) at ntpd.c:359
#5  0x000055c12781af8d in ntpdmain (argc=<optimized out>, argv=<optimized out>) at ntpd.c:575
#6  0x00007f8afd84a1c1 in __libc_start_main (main=0x55c12780b0e0 <main>, argc=8, argv=0x7ffc9999f6b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc9999f6a8) at ../csu/libc-start.c:308
#7  0x000055c12780b11a in _start ()
```
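The backtrace in the comment above was obtained by stopping on the open syscall and asking gdb for a backtrace. The following is an added example, not from the bug page, that wraps that procedure: it writes a gdb command file which catches both `open` and `openat` (glibc's `opendir()` goes through `openat` on current toolchains), prints a backtrace at every stop, and launches ntpd under gdb with `--args`. The ntpd path `/usr/sbin/ntpd` and the `-n` foreground flag are assumptions; match them to the real ntp.service command line.

```shell
#!/bin/sh
# Added example: reproduce the "catch syscall open, then bt" technique from
# the comment above as a reusable gdb command file. Not from the bug page.

# $1: path of the gdb command file to write.
write_open_tracer() {
    cat > "$1" <<'EOF'
set pagination off
# glibc's opendir() calls openat() on current toolchains, so catch both.
catch syscall open openat
# Applies to the catchpoint just created; gdb stops on entry and on return.
commands
  silent
  bt 8
  continue
end
run
EOF
}

# Launch ntpd in the foreground under gdb with the tracer; stop with Ctrl-C.
# Assumed binary path and flag; extra ntpd arguments can be appended.
trace_ntpd_opens() {
    script=$(mktemp)
    write_open_tracer "$script"
    gdb -q -batch -x "$script" --args /usr/sbin/ntpd -n "$@"
    rm -f "$script"
}

# Usage (not run here, it needs ntpd and root):
#   trace_ntpd_opens -g
```

Frames that show up as `?? ()` belong to a library without debug symbols, which is why libopts appears unnamed in the trace above while `optionProcess` and the ntpd frames resolve; the path being opened is still visible in the innermost frame's `name=` argument.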