I have since upgraded to 18.10 and I don't even see an apparmor profile
for ntp anymore.
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
Knowledgeable human assistance, not telephone trees or script readers.
See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.
On Tue, 27 Nov 2018, Seth Arnold wrote:
> Date: Tue, 27 Nov 2018 01:07:37 -0000
> From: Seth Arnold <email address hidden>
> To: <email address hidden>
> Subject: [Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name
> lookup - disconnected path
>
> Andrew, you could try adding:
>
> flags=(attach_disconnected)
>
> to the profile attachment line:
>
> /usr/sbin/ntpd flags=(attach_disconnected) {
>
> And add:
>
> /run/systemd/journal/dev-log w,
>
> to the profile, then run:
>
> apparmor_parser --replace /etc/apparmor.d/usr.sbin.ntpd # or whatever
> the filename is
>
> See if that lets you get useful logs, any new messages in dmesg or
> auditd logs, etc.
>
> Thanks
>
> ** Also affects: openntpd (Ubuntu)
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to a
> duplicate bug report (1739943).
> https://bugs.launchpad.net/bugs/1727202
>
> Title:
> [17.10 regression] AppArmor ntp denial: Failed name lookup -
> disconnected path
>
> Status in ntp package in Ubuntu:
> Fix Released
> Status in openntpd package in Ubuntu:
> New
> Status in ntp source package in Xenial:
> Invalid
> Status in openntpd source package in Xenial:
> New
> Status in ntp source package in Zesty:
> Invalid
> Status in openntpd source package in Zesty:
> New
> Status in ntp source package in Artful:
> Fix Released
> Status in openntpd source package in Artful:
> New
> Status in ntp source package in Bionic:
> Fix Released
> Status in openntpd source package in Bionic:
> New
>
> Bug description:
> [Impact]
>
> * NTP has new isolation features which makes it trigger apparmor issues.
> * Those apparmor issues not only clutter the log and make other things
> less readable, they also prevent ntp from reporting its actual
> messages.
> * Fix is opening the apparmor profile to follow ntp through the
> disconnect by the isolation feature.
>
> [Test Case]
>
> * This is hard to trigger, but then also not. Which means it is not
> entirely sorted out when it triggers and when not, but the following
> does trigger it in tests of Pitti and also mine (while at the same time
> sometimes it does not - maybe I had other guests or kvm instead of lxd)
>
> * First install ntp in Artful (or above unless fixed)
> * Install ntp and check dmesg for denies
> * Once an issue triggers instead of the error in syslog you'll see the
> apparmor Deny like:
> apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
> disconnected path" error=-13 profile="/usr/sbin/ntpd"
> name="run/systemd/journal/dev-log" pid=5600 comm="ntpd"
> requested_mask="w" denied_mask="w" fsuid=0 ouid=0
>
> [Regression Potential]
>
> * We are slightly opening up the apparmor profile which is far lower risk
> than adding more constraints. So safe from that POV.
>
> * OTOH one could think this might be a security issue, but in fact this
> isn't a new suggestion if you take a look at [1] with an ack by Seth of
> the Security Team.
>
> [Other Info]
>
> * n/a
>
> [1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html
>
> ----
>
> Merely installing and starting ntp.service in Ubuntu 17.10 now causes
> this AppArmor violation:
>
> audit: type=1400 audit(1508915894.215:25): apparmor="DENIED"
> operation="sendmsg" info="Failed name lookup - disconnected path"
> error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log"
> pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
>
> (many times). This hasn't happened in earlier Ubuntu releases yet.
>
> This was spotted by Cockpit's integration tests, as our "ubuntu-
> stable" image now moved to 17.10 after its release.
>
> ProblemType: Bug
> DistroRelease: Ubuntu 17.10
> Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
> ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
> Uname: Linux 4.13.0-16-generic x86_64
> ApportVersion: 2.20.7-0ubuntu3
> Architecture: amd64
> Date: Wed Oct 25 03:19:34 2017
> SourcePackage: ntp
> UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions
>
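Added example, not part of this thread, the ntp package or the Ubuntu AppArmor profiles: a small shell helper that pulls "disconnected path" denials out of audit/dmesg output and checks whether a profile already carries the two changes suggested above (the attach_disconnected flag and a write rule for the journal socket). The log line and profile fragments are constructed from the shapes shown in the report.

```shell
#!/bin/sh
# Constructed sample log: the denial shape from the bug report, plus an
# unrelated denial that must not be matched.
SAMPLE_LOG='audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1508915894.300:26): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/var/lib/ntp/ntp.drift" pid=5600 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Read audit lines on stdin; print "profile name" for every DENIED line whose
# info field reports a disconnected path. The name has no leading slash: the
# kernel could not resolve it relative to the namespace root, which is exactly
# the case attach_disconnected makes the profile rules apply to.
disconnected_denials() {
    grep 'apparmor="DENIED"' |
        grep 'info="Failed name lookup - disconnected path"' |
        sed -n 's/.*profile="\([^"]*\)".*name="\([^"]*\)".*/\1 \2/p'
}

# Exit 0 if the profile file in $1 has attach_disconnected on the ntpd
# attachment line AND a write rule for the journal socket, 1 otherwise.
profile_has_fix() {
    grep -Eq '^[[:space:]]*/usr/sbin/ntpd[[:space:]]+flags=\([^)]*attach_disconnected[^)]*\)[[:space:]]*\{' "$1" &&
    grep -Eq '^[[:space:]]*/run/systemd/journal/dev-log[[:space:]]+w,' "$1"
}

# Constructed profile fragments (hypothetical): before and after the fix.
BEFORE=$(mktemp); AFTER=$(mktemp)
cat >"$BEFORE" <<'EOF'
/usr/sbin/ntpd {
  /var/lib/ntp/ntp.drift rw,
}
EOF
cat >"$AFTER" <<'EOF'
/usr/sbin/ntpd flags=(attach_disconnected) {
  /var/lib/ntp/ntp.drift rw,
  /run/systemd/journal/dev-log w,
}
EOF

# Usage: list the disconnected-path denials, then grade both profiles.
printf '%s\n' "$SAMPLE_LOG" | disconnected_denials
profile_has_fix "$BEFORE" && echo "before: has fix" || echo "before: missing fix"
profile_has_fix "$AFTER" && echo "after: has fix" || echo "after: missing fix"
```

On a real host, feed `dmesg` or `journalctl -k` into disconnected_denials and point profile_has_fix at the file under /etc/apparmor.d before reloading it with apparmor_parser --replace.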