[apparmor] allow reading squid binary

Bug #1792728 reported by Simon Déziel on 2018-09-15
Affects            Status  Importance  Assigned to  Milestone
squid (Ubuntu)             Undecided   Unassigned
  Cosmic                   Undecided   Unassigned
squid3 (Ubuntu)            Undecided   Unassigned
  Bionic                   Undecided   Unassigned

Bug Description

[Impact]

 * Squid ships with an apparmor profile (disabled by default)

 * In the current configuration this profile blocks squid from working
   correctly (the profile was created for an older version)

 * But the access that breaks it is not security critical and can be
   allowed, so the fix is adapting the profile to do so.

[Test Case]

  * See the nice "steps to reproduce" just below added by the reporter
    when filing the bug initially

[Regression Potential]

 * This only opens up an apparmor rule ever so slightly; I can't see a
   reasonable regression potential in doing so.

[Other Info]

 * n/a

---

Problem description:

Running squid in a container with a host using Bionic's kernel fails if squid's apparmor profile is enabled. The denial message is:

Sep 15 13:28:34 simon-laptop kernel: audit: type=1400 audit(1537032514.528:312): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=12177 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

Steps to reproduce:

Create a container named foo:
$ lxc launch ubuntu-daily:cosmic foo

Install squid:
$ lxc exec foo -- apt-get install -y squid

Confirm it's running fine:
$ lxc exec foo -- ps aux| grep squid
root 1012 0.0 0.0 68120 2320 ? Ss 17:46 0:00 /usr/sbin/squid -YC -f /etc/squid/squid.conf
proxy 1015 0.0 0.0 108236 22068 ? S 17:46 0:00 (squid-1) -YC -f /etc/squid/squid.conf
proxy 1022 0.0 0.0 5736 1352 ? S 17:46 0:00 (logfile-daemon) /var/log/squid/access.log

Enable Apparmor profile (disabled by default):
$ lxc exec foo -- rm /etc/apparmor.d/disable/usr.sbin.squid
$ lxc exec foo -- apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.squid
$ lxc exec foo -- service squid restart

Check if squid is still running:
$ lxc exec foo -- ps aux| grep squid

It is not running anymore and looking at the host's journalctl, we see an Apparmor denial message:
$ journalctl -o cat -k | tail -n1
audit: type=1400 audit(1537033754.195:348): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=26039 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

A workaround is to allow read access to the binary.

Workaround:
$ lxc exec foo -- sed -i 's/squid ix,$/squid rix,/' /etc/apparmor.d/usr.sbin.squid
$ lxc exec foo -- apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.squid
$ lxc exec foo -- service squid restart

Check if squid started fine this time:

$ lxc exec foo -- ps aux| grep squid
root 1283 0.0 0.0 68120 2320 ? Ss 17:53 0:00 /usr/sbin/squid -YC -f /etc/squid/squid.conf
proxy 1285 0.0 0.0 108240 22140 ? S 17:53 0:00 (squid-1) -YC -f /etc/squid/squid.conf
proxy 1286 0.0 0.0 5736 1304 ? S 17:53 0:00 (logfile-daemon) /var/log/squid/access.log
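
An added example (not from the bug report or the squid package): a small Python parser for `type=1400` AppArmor audit lines like the ones quoted above. It keeps only DENIED events, derives the profile rule that would satisfy each one (turning `ix` into `rix` when the denied path is the profile's own binary, exactly what the sed workaround does), and pulls the LXD container name out of the `namespace` field so host-side denials can be attributed to a container. The sample log lines are constructed, and the list of file operations handled is my assumption.

```python
import re

# Constructed sample audit lines, modelled on the denial quoted in the bug report.
# Line 2 is an ALLOWED (complain-mode) event and must be ignored; line 3 is a
# hypothetical read denial on a config file, showing the non-self-binary case.
SAMPLE_LOG = """\
audit: type=1400 audit(1537033754.195:348): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=26039 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1537033760.001:349): apparmor="ALLOWED" operation="open" profile="/usr/sbin/squid" name="/var/log/squid/cache.log" pid=26039 comm="squid" requested_mask="w" denied_mask="w" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1537033761.002:350): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/etc/squid/conf.d/local.conf" pid=26039 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
"""

# Matches key="quoted value" or key=bare_value.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one type=1400 audit line into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def denials(log_text):
    """Parse every non-empty line and keep only DENIED events."""
    records = (parse_audit_line(ln) for ln in log_text.splitlines() if ln.strip())
    return [r for r in records if r.get("apparmor") == "DENIED"]


def suggest_rule(rec):
    """Derive the profile rule that would satisfy a file denial, or None for
    non-file operations (the set of file operations here is an assumption).

    The denied_mask letters become the rule permissions. When the denied path is
    the profiled binary itself (this bug's case: file_mmap of /usr/sbin/squid by
    the /usr/sbin/squid profile), 'ix' is kept and the read bit prepended, so the
    suggestion is '/usr/sbin/squid rix,' just like the sed workaround produces.
    """
    if rec.get("operation") not in ("file_mmap", "open", "file_perm", "file_inherit"):
        return None
    path, perms = rec["name"], rec["denied_mask"]
    if path == rec["profile"]:
        return f"{path} {perms}ix,"
    return f"{path} {perms},"


def container_of(rec):
    """Return the LXD container name a denial came from, or None for the host.
    LXD policy namespaces look like root//lxd-<container>_<lxd-dir-path>."""
    m = re.match(r"root//lxd-([^_]+)_", rec.get("namespace", ""))
    return m.group(1) if m else None
```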

Additional information:

$ lxc exec foo -- lsb_release -rd
Description: Ubuntu Cosmic Cuttlefish (development branch)
Release: 18.10
$ lxc exec foo -- apt-cache policy squid
squid:
  Installed: 3.5.27-1ubuntu1
  Candidate: 3.5.27-1ubuntu1
  Version table:
 *** 3.5.27-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status

Note: the problem also exists on Bionic, so once Cosmic is fixed, an SRU to Bionic would be nice.

Since the profile does not exist in Debian there isn't much upstreaming to do for the time being.
We can track migration into cosmic now and then consider an SRU.

Simon Déziel (sdeziel) wrote :

Thanks Christian, your help is much appreciated, as always!

Simon Déziel (sdeziel) wrote :

All the builds failed presumably due to stricter gcc checks [-Werror=class-memaccess]. Let me know if there is anything I should be doing to get this fixed properly.

Simon Déziel (sdeziel) wrote :

I just confirmed that Cosmic's version works:

$ lxc exec foo -- apt-cache policy squid
squid:
  Installed: 4.1-1ubuntu2
  Candidate: 4.1-1ubuntu2
  Version table:
 *** 4.1-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status

@cpaelzer, would now be a good time to start the SRU process to Bionic?

Yeah, sorry for the delay Simon. Due to the hiccup of the squid3 fix clashing with the squid4 upload that was finally passing the NEW queue and all that, this got lost.

Yes, now would be a good time to start this.

But first let's mark the bug according to its current state.
Because the bug was fixed for src:squid and not the old src:squid3, the update got lost.

no longer affects: squid (Ubuntu Bionic)
no longer affects: squid3 (Ubuntu Cosmic)
Changed in squid3 (Ubuntu):
status: New → Invalid
Changed in squid3 (Ubuntu Bionic):
status: New → Triaged
Changed in squid (Ubuntu Cosmic):
status: New → Fix Released

I carried your change between the repos (it is a trivial change after all) and opened an MP for it.
=> https://code.launchpad.net/~paelzer/ubuntu/+source/squid3/+git/squid3/+merge/355816

description: updated

Also added an SRU template to fulfill the process along with all of this.

Simon Déziel (sdeziel) wrote :

Thanks for the template and the PPA build for Bionic. 3.5.27-1ubuntu1.1 from the PPA tested fine.

Andreas Hasenack (ahasenack) wrote :

Uploaded to bionic-proposed, waiting for SRU team approval.

Changed in squid3 (Ubuntu Bionic):
status: Triaged → In Progress

Hello Simon, or anyone else affected,

Accepted squid3 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/squid3/3.5.27-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in squid3 (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic

Simon Déziel (sdeziel) wrote :

Verification with bionic-proposed's version 3.5.27-1ubuntu1.1 went well. Thanks!

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic

The verification of the Stable Release Update for squid3 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid3 - 3.5.27-1ubuntu1.1

---------------
squid3 (3.5.27-1ubuntu1.1) bionic; urgency=medium

  [ Simon Deziel ]
  * d/usr.sbin.squid: Update apparmor profile to grant read access to squid
    binary (LP: #1792728)

 -- Christian Ehrhardt <email address hidden> Fri, 28 Sep 2018 09:09:50 +0200

Changed in squid3 (Ubuntu Bionic):
status: Fix Committed → Fix Released