2017-10-25 07:23:46 |
Martin Pitt |
bug |
|
|
added bug |
2017-10-25 07:24:08 |
Martin Pitt |
tags |
amd64 apparmor apport-bug artful |
amd64 apparmor apport-bug artful regression-release |
|
2017-10-25 14:44:53 |
Launchpad Janitor |
ntp (Ubuntu): status |
New |
Confirmed |
|
2017-10-25 14:45:40 |
Nikolay Shopik |
bug |
|
|
added subscriber Nikolay Shopik |
2017-10-31 19:26:23 |
Aaron Sells |
bug |
|
|
added subscriber Aaron Sells |
2017-12-08 12:42:17 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server Team |
2017-12-08 12:42:31 |
Christian Ehrhardt |
tags |
amd64 apparmor apport-bug artful regression-release |
amd64 apparmor apport-bug artful regression-release server-next |
|
2017-12-08 12:43:16 |
Christian Ehrhardt |
ntp (Ubuntu): status |
Confirmed |
Triaged |
|
2017-12-11 16:48:08 |
Sebastien Bacher |
bug |
|
|
added subscriber Ubuntu Security Team |
2017-12-13 15:27:54 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Artful |
|
2017-12-13 15:27:54 |
Christian Ehrhardt |
bug task added |
|
ntp (Ubuntu Artful) |
|
2017-12-13 15:27:54 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Bionic |
|
2017-12-13 15:27:54 |
Christian Ehrhardt |
bug task added |
|
ntp (Ubuntu Bionic) |
|
2017-12-13 15:38:02 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/ntp/+git/ntp/+merge/335147 |
|
2017-12-13 15:56:23 |
Christian Ehrhardt |
ntp (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2017-12-13 17:10:58 |
Simon Déziel |
bug |
|
|
added subscriber Simon Déziel |
2017-12-16 23:26:04 |
Launchpad Janitor |
ntp (Ubuntu Artful): status |
New |
Confirmed |
|
2017-12-18 11:53:58 |
Launchpad Janitor |
ntp (Ubuntu Bionic): status |
Triaged |
Fix Released |
|
2017-12-18 12:10:25 |
Christian Ehrhardt |
ntp (Ubuntu Artful): status |
Confirmed |
Triaged |
|
2017-12-18 12:17:19 |
Christian Ehrhardt |
description |
Merely installing and starting ntp.service in Ubuntu 17.10 now causes this AppArmor violation:
audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
(many times). This hasn't happened in earlier Ubuntu releases yet.
This was spotted by Cockpit's integration tests, as our "ubuntu-stable" image now moved to 17.10 after its release.
ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
Date: Wed Oct 25 03:19:34 2017
SourcePackage: ntp
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* This is hard to trigger, but then also not. Which means it is not
entirely sorted out when it triggers and when not, but the following
does trigger it in tests of Pitti and also mine (while at the same time
sometimes it does not - maybe I had other guests or kvm instead of lxd)
* First install ntp in Artful (or above unless fixed)
* Then you have to cause something that ntp "needs" to complain about
in my case I had spawned more virtual guests and NTP failed to bind
on their virtual interface, but you could set up anything else that it
fails on after the initial start (there it passed over to private
TMP)
* Once an issue triggers instead of the error in syslog you'll see the
apparmor Deny like:
apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/sbin/ntpd"
name="run/systemd/journal/dev-log" pid=5600 comm="ntpd"
requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[Regression Potential]
* We are slightly opening up the apparmor profile which is far lower risk
than adding more constraints. So safe from that POV.
* OTOH one could think this might be a security issue, but in fact this
isn't a new suggestion if you take a look at [1] with an ack by Seth of
the Security Team.
[Other Info]
* n/a
[1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html
----
Merely installing and starting ntp.service in Ubuntu 17.10 now causes this AppArmor violation:
audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
(many times). This hasn't happened in earlier Ubuntu releases yet.
This was spotted by Cockpit's integration tests, as our "ubuntu-stable" image now moved to 17.10 after its release.
ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
Date: Wed Oct 25 03:19:34 2017
SourcePackage: ntp
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2017-12-18 12:20:43 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/ntp/+git/ntp/+merge/335314 |
|
2017-12-19 07:37:09 |
Christian Ehrhardt |
description |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* This is hard to trigger, but then also not. Which means it is not
entirely sorted out when it triggers and when not, but the following
does trigger it in tests of Pitti and also mine (while at the same time
sometimes it does not - maybe I had other guests or kvm instead of lxd)
* First install ntp in Artful (or above unless fixed)
* Then you have to cause something that ntp "needs" to complain about
in my case I had spawned more virtual guests and NTP failed to bind
on their virtual interface, but you could set up anything else that it
fails on after the initial start (there it passed over to private
TMP)
* Once an issue triggers instead of the error in syslog you'll see the
apparmor Deny like:
apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/sbin/ntpd"
name="run/systemd/journal/dev-log" pid=5600 comm="ntpd"
requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[Regression Potential]
* We are slightly opening up the apparmor profile which is far lower risk
than adding more constraints. So safe from that POV.
* OTOH one could think this might be a security issue, but in fact this
isn't a new suggestion if you take a look at [1] with an ack by Seth of
the Security Team.
[Other Info]
* n/a
[1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html
----
Merely installing and starting ntp.service in Ubuntu 17.10 now causes this AppArmor violation:
audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
(many times). This hasn't happened in earlier Ubuntu releases yet.
This was spotted by Cockpit's integration tests, as our "ubuntu-stable" image now moved to 17.10 after its release.
ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
Date: Wed Oct 25 03:19:34 2017
SourcePackage: ntp
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
* NTP has new isolation features which make it trigger apparmor issues.
* Those apparmor issues not only clutter the log and make other things
less readable, they also prevent ntp from reporting its actual
messages.
* Fix is opening the apparmor profile to follow ntp through the
disconnect by the isolation feature.
[Test Case]
* This is hard to trigger, but then also not. Which means it is not
entirely sorted out when it triggers and when not, but the following
does trigger it in tests of Pitti and also mine (while at the same time
sometimes it does not - maybe I had other guests or kvm instead of lxd)
* First install ntp in Artful (or above unless fixed)
* Then you have to cause something that ntp "needs" to complain about
in my case I had spawned more virtual guests and NTP failed to bind
on their virtual interface, but you could set up anything else that it
fails on after the initial start (there it passed over to private
TMP)
* Once an issue triggers instead of the error in syslog you'll see the
apparmor Deny like:
apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/sbin/ntpd"
name="run/systemd/journal/dev-log" pid=5600 comm="ntpd"
requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[Regression Potential]
* We are slightly opening up the apparmor profile which is far lower risk
than adding more constraints. So safe from that POV.
* OTOH one could think this might be a security issue, but in fact this
isn't a new suggestion if you take a look at [1] with an ack by Seth of
the Security Team.
[Other Info]
* n/a
[1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html
----
Merely installing and starting ntp.service in Ubuntu 17.10 now causes this AppArmor violation:
audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
(many times). This hasn't happened in earlier Ubuntu releases yet.
This was spotted by Cockpit's integration tests, as our "ubuntu-stable" image now moved to 17.10 after its release.
ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
Date: Wed Oct 25 03:19:34 2017
SourcePackage: ntp
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2017-12-19 09:19:34 |
Christian Ehrhardt |
description |
[Impact]
* NTP has new isolation features which make it trigger apparmor issues.
* Those apparmor issues not only clutter the log and make other things
less readable, they also prevent ntp from reporting its actual
messages.
* Fix is opening the apparmor profile to follow ntp through the
disconnect by the isolation feature.
[Test Case]
* This is hard to trigger, but then also not. Which means it is not
entirely sorted out when it triggers and when not, but the following
does trigger it in tests of Pitti and also mine (while at the same time
sometimes it does not - maybe I had other guests or kvm instead of lxd)
* First install ntp in Artful (or above unless fixed)
* Then you have to cause something that ntp "needs" to complain about
in my case I had spawned more virtual guests and NTP failed to bind
on their virtual interface, but you could set up anything else that it
fails on after the initial start (there it passed over to private
TMP)
* Once an issue triggers instead of the error in syslog you'll see the
apparmor Deny like:
apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/sbin/ntpd"
name="run/systemd/journal/dev-log" pid=5600 comm="ntpd"
requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[Regression Potential]
* We are slightly opening up the apparmor profile which is far lower risk
than adding more constraints. So safe from that POV.
* OTOH one could think this might be a security issue, but in fact this
isn't a new suggestion if you take a look at [1] with an ack by Seth of
the Security Team.
[Other Info]
* n/a
[1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html
----
Merely installing and starting ntp.service in Ubuntu 17.10 now causes this AppArmor violation:
audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
(many times). This hasn't happened in earlier Ubuntu releases yet.
This was spotted by Cockpit's integration tests, as our "ubuntu-stable" image now moved to 17.10 after its release.
ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
Date: Wed Oct 25 03:19:34 2017
SourcePackage: ntp
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
* NTP has new isolation features which make it trigger apparmor issues.
* Those apparmor issues not only clutter the log and make other things
less readable, they also prevent ntp from reporting its actual
messages.
* Fix is opening the apparmor profile to follow ntp through the
disconnect by the isolation feature.
[Test Case]
* This is hard to trigger, but then also not. Which means it is not
entirely sorted out when it triggers and when not, but the following
does trigger it in tests of Pitti and also mine (while at the same time
sometimes it does not - maybe I had other guests or kvm instead of lxd)
* First install ntp in Artful (or above unless fixed)
* Install ntp and check dmesg for denies
* Once an issue triggers instead of the error in syslog you'll see the
apparmor Deny like:
apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
disconnected path" error=-13 profile="/usr/sbin/ntpd"
name="run/systemd/journal/dev-log" pid=5600 comm="ntpd"
requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[Regression Potential]
* We are slightly opening up the apparmor profile which is far lower risk
than adding more constraints. So safe from that POV.
* OTOH one could think this might be a security issue, but in fact this
isn't a new suggestion if you take a look at [1] with an ack by Seth of
the Security Team.
[Other Info]
* n/a
[1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html
----
Merely installing and starting ntp.service in Ubuntu 17.10 now causes this AppArmor violation:
audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
(many times). This hasn't happened in earlier Ubuntu releases yet.
This was spotted by Cockpit's integration tests, as our "ubuntu-stable" image now moved to 17.10 after its release.
ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
Date: Wed Oct 25 03:19:34 2017
SourcePackage: ntp
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2017-12-19 10:20:14 |
Christian Ehrhardt |
ntp (Ubuntu Artful): status |
Triaged |
In Progress |
|
2017-12-21 00:40:17 |
Brian Murray |
ntp (Ubuntu Artful): status |
In Progress |
Fix Committed |
|
2017-12-21 00:40:19 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-12-21 00:40:23 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2017-12-21 00:40:27 |
Brian Murray |
tags |
amd64 apparmor apport-bug artful regression-release server-next |
amd64 apparmor apport-bug artful regression-release server-next verification-needed verification-needed-artful |
|
2017-12-21 06:36:24 |
Christian Ehrhardt |
bug |
|
|
added subscriber ChristianEhrhardt |
2017-12-28 12:28:57 |
Paul M |
summary |
[17.10 regression] AppArmor denial: Failed name lookup - disconnected path |
[17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path |
|
2018-01-02 08:19:01 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Zesty |
|
2018-01-02 08:19:01 |
Christian Ehrhardt |
bug task added |
|
ntp (Ubuntu Zesty) |
|
2018-01-02 08:19:01 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Xenial |
|
2018-01-02 08:19:01 |
Christian Ehrhardt |
bug task added |
|
ntp (Ubuntu Xenial) |
|
2018-01-02 08:47:52 |
Christian Ehrhardt |
ntp (Ubuntu Xenial): status |
New |
Invalid |
|
2018-01-02 08:47:53 |
Christian Ehrhardt |
ntp (Ubuntu Zesty): status |
New |
Invalid |
|
2018-01-03 08:17:33 |
Martin Pitt |
tags |
amd64 apparmor apport-bug artful regression-release server-next verification-needed verification-needed-artful |
amd64 apparmor apport-bug artful regression-release server-next verification-done-artful verification-needed |
|
2018-01-03 13:55:46 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2018-01-03 14:05:49 |
Launchpad Janitor |
ntp (Ubuntu Artful): status |
Fix Committed |
Fix Released |
|
2018-11-27 01:07:50 |
Seth Arnold |
bug task added |
|
openntpd (Ubuntu) |
|
2019-05-03 01:57:31 |
Launchpad Janitor |
openntpd (Ubuntu): status |
New |
Confirmed |
|
2019-05-03 01:57:31 |
Launchpad Janitor |
openntpd (Ubuntu Xenial): status |
New |
Confirmed |
|
2019-05-03 01:57:31 |
Launchpad Janitor |
openntpd (Ubuntu Zesty): status |
New |
Confirmed |
|
2019-05-03 01:57:31 |
Launchpad Janitor |
openntpd (Ubuntu Artful): status |
New |
Confirmed |
|
2019-05-03 01:57:31 |
Launchpad Janitor |
openntpd (Ubuntu Bionic): status |
New |
Confirmed |
|
2019-05-18 02:46:23 |
Mathew Hodson |
bug task deleted |
ntp (Ubuntu Xenial) |
|
|
2019-05-18 02:46:32 |
Mathew Hodson |
bug task deleted |
ntp (Ubuntu Zesty) |
|
|
2019-05-18 02:46:41 |
Mathew Hodson |
bug task deleted |
openntpd (Ubuntu Xenial) |
|
|
2019-05-18 02:46:50 |
Mathew Hodson |
bug task deleted |
openntpd (Ubuntu Zesty) |
|
|
2019-05-18 02:47:37 |
Mathew Hodson |
openntpd (Ubuntu Artful): status |
Confirmed |
Won't Fix |
|
2019-07-03 13:22:56 |
Christian Ehrhardt |
openntpd (Ubuntu): status |
Confirmed |
Incomplete |
|
2019-07-03 13:22:58 |
Christian Ehrhardt |
openntpd (Ubuntu Bionic): status |
Confirmed |
Won't Fix |
|
2019-07-03 13:23:04 |
Christian Ehrhardt |
openntpd (Ubuntu): importance |
Undecided |
Low |
|
2019-07-03 13:23:17 |
Christian Ehrhardt |
tags |
amd64 apparmor apport-bug artful regression-release server-next verification-done-artful verification-needed |
amd64 apparmor apport-bug artful regression-release verification-done-artful verification-needed |
|