apparmor DENIED errors

Bug #1796189 reported by Andreas Hasenack on 2018-10-04
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
squid (Ubuntu)
Low
Andreas Hasenack

Bug Description

When the squid apparmor profile is enabled, two types of apparmor errors appear in the kernel logs:

audit: type=1400 audit(1537265313.920:230): apparmor="DENIED" operation="capable" profile="/usr/sbin/squid" pid=2460 comm="squid" capability=12 capname="net_admin"

and

audit: type=1400 audit(1537596453.254:301): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/squid" name="run/dbus/system_bus_socket" pid=24740 comm="squid" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

These can be resolved via these changes to the apparmor profile:

diff --git a/debian/usr.sbin.squid b/debian/usr.sbin.squid
index 07a9642ab..df3a9a38f 100644
--- a/debian/usr.sbin.squid
+++ b/debian/usr.sbin.squid
@@ -3,7 +3,7 @@
 # vim:syntax=apparmor
 #include <tunables/global>

-/usr/sbin/squid {
+/usr/sbin/squid flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
@@ -18,6 +18,7 @@
   # alternatively include the <abstractions/ssl_keys> abstraction, which
   # gives read access to the entire contents of /etc/ssl

+ capability net_admin,
   capability net_raw,
   capability setuid,
   capability setgid,

Related branches

Changed in squid (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
Andreas Hasenack (ahasenack) wrote :

Brief irc conversation about these changes, from https://irclogs.ubuntu.com/2018/10/04/%23ubuntu-devel.html#t18:22:
out 04 15:22:27 <ahasenack> infinity: apply this to /etc/apparmor.d/usr.sbin.squid: https://pastebin.ubuntu.com/p/R6Z84ZdsfP/
out 04 15:22:41 <ahasenack> then issue sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.squid
out 04 15:22:52 <ahasenack> jdstrand: looks ok? ^
(...)
out 04 15:27:28 <jdstrand> ahasenack: lgtm
out 04 15:27:33 <ahasenack> jdstrand: thx

Mentioned pastebin is:
--- etc/apparmor.d/usr.sbin.squid
+++ etc/apparmor.d/usr.sbin.squid
@@ -3,7 +3,7 @@
 # vim:syntax=apparmor
 #include <tunables/global>

-/usr/sbin/squid {
+/usr/sbin/squid flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/kerberosclient>
   #include <abstractions/nameservice>
@@ -18,6 +18,7 @@
   # alternatively include the <abstractions/ssl_keys> abstraction, which
   # gives read access to the entire contents of /etc/ssl

+ capability net_admin,
   capability net_raw,
   capability setuid,
   capability setgid,

Launchpad Janitor (janitor) wrote :
Download full text (3.9 KiB)

This bug was fixed in the package squid - 4.4-1ubuntu1

---------------
squid (4.4-1ubuntu1) disco; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Use snakeoil certificates.
    - Add an example refresh pattern for debs.
    - Add disabled by default AppArmor profile.
    - d/p/fix-uninitialized-var.patch: Workaround gcc's maybe-unitialized
      error in parse_time_t, triggered on ppc64el due to the build using -O3
      in that architecture.
    - d/rules: Add -Wno-format-truncation to CXXFLAGS as a workaround if
      building for ppc64el. On that arch, dpkg-buildflags sets -O3 instead of
      -O2 and that triggers a format-truncation error on pcon.cc. See
      See https://bugs.squid-cache.org/show_bug.cgi?id=4875
    - d/p/fix-rotate-assertion.patch: Fix assertion error when rotating logs.
      Thanks to Vitaly Lavrov <email address hidden>. (LP #1794553)
  * Drop:
    - d/rules: enable cdbs parallel build
      [Fixed in 4.2-1]
    - d/t/test-squid.py: fix apparmor profile filename
      [Fixed in 4.2-1]
    - d/t/test-squid.py: fix the process name. The PID points at the parent.
      [Fixed in 4.2-1]
    - d/t/upstream-test-suite: also make libmem.la, needed by the tests.
      [Fixed in 4.2-1]
    - d/t/0003-installed-binary-for-debian-ci.patch: use the squid
      binary from the system, instead of the one from the source tree.
      [Fixed in 4.2-1]
    - d/t/upstream-test-suite: drop the sed line, since patch
      0003-installed-binary-for-debian-ci.patch is doing this work now.
      (https://salsa.debian.org/squid-team/squid/commit/ad4372b444ba8b1587839)
      [Fixed in 4.2-1]
  * Added changes:
    - d/rules: Only use -latomic with the intended architectures, instead of
      all of them. This matches what was suggested in
      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907106#5
    - d/NEWS.debian: rename d/NEWS.debian to d/NEWS so that
      dh_installchangelogs can pick it up. dh_installchangelogs handles
      d/NEWS or d/<package>.NEWS, but not NEWS.debian.
    - d/usr.sbin.squid: fix the apparmor profile (LP: #1796189):
      + allow net_admin capability
      + add attach_disconnected flag

squid (4.4-1) unstable; urgency=high

  * Urgency high due to security fixes

  [ Amos Jeffries <email address hidden> ]
  * New Upstream Release
    - Fix security issue SQUID-2018:4 (CVE: TBD) (Closes: #912293)
    - Fix security issue SQUID-2018:5 (CVE: TBD) (Closes: #912294)

  [ Luigi Gangitano ]
  * debian/squid.preinst
    - Don't parse /etc/passwd, use getent to make lintian happy

squid (4.3-1) unstable; urgency=low

  [ Amos Jeffries <email address hidden> ]
  * New Upstream Release

  * debian/patches/
    - Remove upstream pr264 patch for systemd

  * debian/control
    - Bumped Standards-Version to 4.2.1, no change needed

squid (4.2-2) unstable; urgency=high

  [ Adrian Bunk <email address hidden> ]
  * Add -latomic for rmel m68k mips mipsel powerpc powerpcspe sh4
    (Closes: #907106)

squid (4.2-1) unstable; urgency=high

  [ Amos Jeffries <email address hidden> ]
  * New Upstream Release

  * debian/patches/
    - Patch to use installed binary for upstream config...

Read more...

Changed in squid (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.