2018-02-14 08:11:14 |
Christian Ehrhardt |
bug |
|
|
added bug |
2018-02-14 08:12:35 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Artful |
|
2018-02-14 08:12:35 |
Christian Ehrhardt |
bug task added |
|
ntp (Ubuntu Artful) |
|
2018-02-14 08:12:35 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Xenial |
|
2018-02-14 08:12:35 |
Christian Ehrhardt |
bug task added |
|
ntp (Ubuntu Xenial) |
|
2018-02-14 08:13:06 |
Christian Ehrhardt |
ntp (Ubuntu Xenial): status |
New |
Triaged |
|
2018-02-14 08:13:08 |
Christian Ehrhardt |
ntp (Ubuntu Artful): status |
New |
Triaged |
|
2018-02-14 08:13:09 |
Christian Ehrhardt |
ntp (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2018-02-14 08:13:11 |
Christian Ehrhardt |
ntp (Ubuntu Artful): importance |
Undecided |
Medium |
|
2018-02-14 08:13:12 |
Christian Ehrhardt |
ntp (Ubuntu): importance |
Undecided |
Medium |
|
2018-02-14 08:13:14 |
Christian Ehrhardt |
ntp (Ubuntu): status |
New |
Triaged |
|
2018-02-14 08:17:47 |
Christian Ehrhardt |
description |
On start/restart ntp has an error in apparmor due to the locking it tries to avoid issues running concurrently with ntpdate.
That looks like:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
The rule we need is:
/run/lock/ntpdate wk, |
[Impact]
* Apparmor denies access to lock it shares with ntpdate to ensure no
issues due to concurrent access
[Test Case]
1. get a container of target release
2. install ntp
apt install ntp
3. watch dmesg on container-host
dmesg -w
4. restart ntp in container
systemctl restart ntp
=> see (or no more after fix) apparmor denial:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
[Regression Potential]
* we are only slightly opening up the apparmor profile, but none of the
changes poses a security risk so regression potential on its own
should be close to zero.
* There is a potential issue if the locking (that now can succeed) would
e.g. no more be freed up or the action behind the locking would cause
issues.
[Other Info]
* n/a
On start/restart ntp has an error in apparmor due to the locking it tries to avoid issues running concurrently with ntpdate.
That looks like:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
The rule we need is:
/run/lock/ntpdate wk, |
|
2018-02-14 12:17:11 |
Christian Ehrhardt |
ntp (Ubuntu): status |
Triaged |
Fix Released |
|
2018-02-14 14:36:05 |
Christian Ehrhardt |
description |
[Impact]
* Apparmor denies access to lock it shares with ntpdate to ensure no
issues due to concurrent access
[Test Case]
1. get a container of target release
2. install ntp
apt install ntp
3. watch dmesg on container-host
dmesg -w
4. restart ntp in container
systemctl restart ntp
=> see (or no more after fix) apparmor denial:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
[Regression Potential]
* we are only slightly opening up the apparmor profile, but none of the
changes poses a security risk so regression potential on its own
should be close to zero.
* There is a potential issue if the locking (that now can succeed) would
e.g. no more be freed up or the action behind the locking would cause
issues.
[Other Info]
* n/a
On start/restart ntp has an error in apparmor due to the locking it tries to avoid issues running concurrently with ntpdate.
That looks like:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
The rule we need is:
/run/lock/ntpdate wk, |
[Impact]
* Apparmor denies access to lock it shares with ntpdate to ensure no
issues due to concurrent access
[Test Case]
1. get a container of target release
2. install ntp
apt install ntp
3. watch dmesg on container-host
dmesg -w
4. restart ntp in container
systemctl restart ntp
=> see (or no more after fix) apparmor denial:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
Note: to not be misled, on xenial there is a remaining stdout apparmor
issue which is bug 1670408
[Regression Potential]
* we are only slightly opening up the apparmor profile, but none of the
changes poses a security risk so regression potential on its own
should be close to zero.
* There is a potential issue if the locking (that now can succeed) would
e.g. no more be freed up or the action behind the locking would cause
issues.
[Other Info]
* n/a
On start/restart ntp has an error in apparmor due to the locking it tries to avoid issues running concurrently with ntpdate.
That looks like:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
The rule we need is:
/run/lock/ntpdate wk, |
|
2018-02-14 14:36:14 |
Christian Ehrhardt |
ntp (Ubuntu Xenial): status |
Triaged |
In Progress |
|
2018-02-14 14:36:15 |
Christian Ehrhardt |
ntp (Ubuntu Artful): status |
Triaged |
In Progress |
|
2018-02-14 14:48:01 |
Chris J Arges |
ntp (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2018-02-14 14:48:02 |
Chris J Arges |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2018-02-14 14:48:05 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
2018-02-14 14:48:09 |
Chris J Arges |
tags |
|
verification-needed verification-needed-xenial |
|
2018-02-14 14:50:33 |
Chris J Arges |
ntp (Ubuntu Artful): status |
In Progress |
Fix Committed |
|
2018-02-14 14:50:37 |
Chris J Arges |
tags |
verification-needed verification-needed-xenial |
verification-needed verification-needed-artful verification-needed-xenial |
|
2018-02-14 17:00:14 |
Christian Ehrhardt |
tags |
verification-needed verification-needed-artful verification-needed-xenial |
verification-done verification-done-artful verification-done-xenial |
|
2018-02-22 08:31:47 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2018-02-22 08:32:04 |
Launchpad Janitor |
ntp (Ubuntu Artful): status |
Fix Committed |
Fix Released |
|
2018-02-22 08:34:57 |
Launchpad Janitor |
ntp (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|