ntpdate lock apparmor deny

Bug #1749389 reported by Christian Ehrhardt on 2018-02-14

Affects               Status        Importance  Assigned to  Milestone
ntp (Ubuntu)          Fix Released  Medium      Unassigned
ntp (Ubuntu Xenial)   Fix Released  Medium      Unassigned
ntp (Ubuntu Artful)   Fix Released  Medium      Unassigned

Bug Description

[Impact]

 * AppArmor denies access to the lock it shares with ntpdate to ensure no
   issues due to concurrent access

[Test Case]

 1. get a container of target release
 2. install ntp
    apt install ntp
 3. watch dmesg on container-host
    dmesg -w
 4. restart ntp in container
    systemctl restart ntp
 => see the AppArmor denial (gone after the fix):
    apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
    Note: to not be misled, on Xenial there is a remaining stdout AppArmor
    issue which is bug 1670408

[Regression Potential]

 * we are only slightly opening up the apparmor profile, but none of the
   changes pose a security risk, so regression potential on its own
   should be close to zero.

 * There is a potential issue if the locking (that now can succeed) would
   e.g. no longer be freed up or the action behind the locking would cause
   issues.

[Other Info]

 * n/a

On start/restart ntp hits an AppArmor denial due to the locking it uses to avoid issues running concurrently with ntpdate.

That looks like:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"

The rule we need is:
/run/lock/ntpdate wk,

Note: When we open up an SRU for ntp apparmor we should include the minor (but on its own not SRU-worthy) fix of bug 1741227
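As an added example (not part of the bug report or of the ntp package), the following POSIX shell script automates the [Test Case] above: it parses kernel-log lines of the form quoted in the bug, counts denials from profile /usr/sbin/ntpd on /run/lock/ntpdate, and prints the file rule a denial line implies. One caveat a practitioner should know: the log only records the operation that was refused, here file_inherit with a write mask, meaning ntpd was exec'd with an already-open write fd on the lock file, so the rule derived from the log alone is `w`; the fix in this bug grants `wk` because ntpd also locks the file, which an aa-logprof-style suggestion would not show until the next denial. The sample log is constructed from the two dmesg lines quoted in the verification comment below plus one unrelated, made-up denial as a negative control; the override path /etc/apparmor.d/local/usr.sbin.ntpd assumes the ntp profile includes local/usr.sbin.ntpd, as Ubuntu profiles conventionally do.

```shell
#!/bin/sh
# Added example, not code from the bug or the ntp package.
# Parse AppArmor DENIED lines, verify the ntpdate-lock test case, and show the
# local override that carries the rule from the bug ("/run/lock/ntpdate wk,").

# Constructed sample log: the two lines quoted in the bug's verification comment
# plus one unrelated (invented) denial so the filter can be checked for over-matching.
SAMPLE_LOG='[2020349.483870] audit: type=1400 audit(1518622585.386:4875): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xenial-test_<var-snap-lxd-common-lxd>" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16784 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[2020342.768379] audit: type=1400 audit(1518622578.674:4870): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-artful-test_<var-snap-lxd-common-lxd>" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16638 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[2020350.000000] audit: type=1400 audit(1518622586.000:4876): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/hypothetical.conf" pid=16784 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# aa_field LINE KEY: print the value of KEY="..." from one audit line.
# The leading whitespace anchor keeps name= from matching inside namespace=.
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# aa_count_denials PROFILE PATH: number of DENIED lines on stdin for that
# profile/path pair. grep -c prints 0 with exit status 1, so mask the status.
aa_count_denials() {
    grep -c "apparmor=\"DENIED\".*profile=\"$1\".*name=\"$2\"" || true
}

# aa_check_ntpdate_lock: the bug's [Test Case], read from stdin (dmesg output).
# PASS when no denial for the ntpdate lock remains after "systemctl restart ntp".
aa_check_ntpdate_lock() {
    n=$(aa_count_denials /usr/sbin/ntpd /run/lock/ntpdate)
    if [ "$n" -eq 0 ]; then
        echo PASS
    else
        echo "FAIL ($n denials)"
    fi
}

# aa_suggest_rule LINE: the file rule implied by one denial line, in the
# "PATH PERMS," form a profile uses. Lower bound only: the log shows just the
# refused operation, so an inherited write fd yields "w" even though the
# program may go on to lock the file (which is why the bug's fix uses "wk").
aa_suggest_rule() {
    path=$(aa_field "$1" name)
    mask=$(aa_field "$1" denied_mask)
    [ -n "$path" ] && [ -n "$mask" ] || return 1
    printf '%s %s,\n' "$path" "$mask"
}

# aa_local_override: carry the rule from the bug as a site-local addition
# (assumes the profile includes local/usr.sbin.ntpd, the Ubuntu convention).
# Dry run unless APPLY=1; appending and reloading need root.
aa_local_override() {
    rule='/run/lock/ntpdate wk,'
    override=/etc/apparmor.d/local/usr.sbin.ntpd
    if [ "${APPLY:-0}" = 1 ]; then
        grep -qxF "$rule" "$override" 2>/dev/null || printf '%s\n' "$rule" >>"$override"
        apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd
    else
        printf 'would append "%s" to %s and run: apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd\n' \
            "$rule" "$override"
    fi
}

# Demo against the constructed sample, i.e. the state before the fix.
# On a real host replace the sample with: dmesg | aa_check_ntpdate_lock
printf '%s\n' "$SAMPLE_LOG" | aa_check_ntpdate_lock
first=$(printf '%s\n' "$SAMPLE_LOG" | head -n 1)
aa_suggest_rule "$first"
aa_local_override
```

On a host the check is `systemctl restart ntp; dmesg | aa_check_ntpdate_lock` (from the container host when ntp runs in a container, as in the bug); after installing the fixed package it should print PASS. Keep the local override in place only for hosts that cannot take the update, since the packaged profile already carries the same rule.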

Changed in ntp (Ubuntu Xenial):
status: New → Triaged
Changed in ntp (Ubuntu Artful):
status: New → Triaged
Changed in ntp (Ubuntu Xenial):
importance: Undecided → Medium
Changed in ntp (Ubuntu Artful):
importance: Undecided → Medium
Changed in ntp (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
description: updated

Fix is trivial, but you never know - testing the bionic change in https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3144

auto profile replace on upgrade - ok
restart without apparmor issues - ok

Missed the right format in changelog :-/, but this is fixed in Bionic by https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p10+dfsg-5ubuntu7

Changed in ntp (Ubuntu):
status: Triaged → Fix Released

Bionic - ok
SRU Template - ok
Debdiff for X/T checked - ok
Tested X/A upload from ppa - ok.

I identified another issue in the log as bug 1670408 which needs a fix in apparmor - not ntp.
That means this is ok to be uploaded (not gated by that finding).

description: updated
Changed in ntp (Ubuntu Xenial):
status: Triaged → In Progress
Changed in ntp (Ubuntu Artful):
status: Triaged → In Progress

fix in SRU queue (Artful/Xenial) for review by the SRU Team

Hello ChristianEhrhardt, or anyone else affected,

Accepted ntp into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p4+dfsg-3ubuntu5.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ntp (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Changed in ntp (Ubuntu Artful):
status: In Progress → Fix Committed
tags: added: verification-needed-artful
Chris J Arges (arges) wrote :

Hello ChristianEhrhardt, or anyone else affected,

Accepted ntp into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p10+dfsg-5ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Verification of proposed:
xenial/artful as is on restart:
[2020349.483870] audit: type=1400 audit(1518622585.386:4875): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xenial-test_<var-snap-lxd-common-lxd>" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16784 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[2020342.768379] audit: type=1400 audit(1518622578.674:4870): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-artful-test_<var-snap-lxd-common-lxd>" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16638 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

After upgrade from proposed:
- 1:4.2.8p4+dfsg-3ubuntu5.8
- 1:4.2.8p10+dfsg-5ubuntu3.2

The messages above are gone - so verified

tags: added: verification-done verification-done-artful verification-done-xenial
removed: verification-needed verification-needed-artful verification-needed-xenial

The verification of the Stable Release Update for ntp has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.8p10+dfsg-5ubuntu3.2

---------------
ntp (1:4.2.8p10+dfsg-5ubuntu3.2) artful; urgency=medium

  * d/apparmor-profile: avoid denies on argument checks (LP: #1741227)
  * d/apparmor-profile: fix denial checking for running ntpdate (LP: #1749389)

 -- Christian Ehrhardt <email address hidden> Wed, 14 Feb 2018 13:14:24 +0100

Changed in ntp (Ubuntu Artful):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu5.8

---------------
ntp (1:4.2.8p4+dfsg-3ubuntu5.8) xenial; urgency=medium

  * d/apparmor-profile: fix denial checking for running ntpdate (LP: #1749389)

 -- Christian Ehrhardt <email address hidden> Wed, 14 Feb 2018 13:10:39 +0100

Changed in ntp (Ubuntu Xenial):
status: Fix Committed → Fix Released