Ubuntu
openntpd package

Comment 35 for bug 1727202

Revision history for this message

Robert Dinse (nanook) wrote on 2018-11-27: Re: [Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

#35

I have since upgraded to 18.10 and I don't even see an apparmor profile
for ntp anymore.

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
  Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
    Knowledgeable human assistance, not telephone trees or script readers.
  See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.

On Tue, 27 Nov 2018, Seth Arnold wrote:

> Date: Tue, 27 Nov 2018 01:07:37 -0000
> From: Seth Arnold <email address hidden>
> To: <email address hidden>
> Subject: [Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name
> lookup - disconnected path
>
> Andrew, you could try adding:
>
> flags=(attach_disconnected)
>
> to the profile attachment line:
>
> /usr/sbin/ntpd flags=(attach_disconnected) {
>
> And add:
>
> /run/systemd/journal/dev-log w,
>
> to the profile, then run:
>
> apparmor_parser --replace /etc/apparmor.d/usr.sbin.ntpd # or whatever
> the filename is
>
> See if that lets you get useful logs, any new messages in dmesg or
> auditd logs, etc.
>
> Thanks
>
> ** Also affects: openntpd (Ubuntu)
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to a
> duplicate bug report (1739943).
> https://bugs.launchpad.net/bugs/1727202
>
> Title:
> [17.10 regression] AppArmor ntp denial: Failed name lookup -
> disconnected path
>
> Status in ntp package in Ubuntu:
> Fix Released
> Status in openntpd package in Ubuntu:
> New
> Status in ntp source package in Xenial:
> Invalid
> Status in openntpd source package in Xenial:
> New
> Status in ntp source package in Zesty:
> Invalid
> Status in openntpd source package in Zesty:
> New
> Status in ntp source package in Artful:
> Fix Released
> Status in openntpd source package in Artful:
> New
> Status in ntp source package in Bionic:
> Fix Released
> Status in openntpd source package in Bionic:
> New
>
> Bug description:
> [Impact]
>
> * NTP has new isolation features which makes it trigger apparmor issues.
> * Those apparmor issues not only clutter the log and make other things
>    less readable, they also prevent ntp from reporting its actual
>    messages.
> * Fix is opening the apparmor profile to follow ntp through the
>    disconnect by the isolation feature.
>
> [Test Case]
>
> * This is hard to trigger, but then also not. Which means it is not
>    entirely sorted out when it triggers and when not, but the following
>    does trigger it in tests of Pitti and also mine (while at the same time
>    sometimes it does not - mabye I had other guests or kvm instead of lxd)
>
> * First install ntp in Artful (or above unless fixed)
>    * Install ntp and check demsg for denies
>    * Once an issue triggers instead of the error in syslog you'll see the
>      apparmor Deny like:
>        apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
>        disconnected path" error=-13 profile="/usr/sbin/ntpd"
>        name="run/systemd/journal/dev-log" pid=5600 comm="ntpd"
>        requested_mask="w" denied_mask="w" fsuid=0 ouid=0
>
> [Regression Potential]
>
> * We are slightly opening up the apparmor profile which is far lower risk
>    than adding more constraints. So safe from that POV.
>
> * OTOH one could think this might be a security issue, but in fact this
>    isn't a new suggestion if you take a look at [1] with an ack by Seth of
>    the Security Team.
>
> [Other Info]
>
> * n/a
>
> [1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html
>
> ----
>
> Merely installing and starting ntp.service in Ubuntu 17.10 now causes
> this AppArmor violation:
>
> audit: type=1400 audit(1508915894.215:25): apparmor="DENIED"
> operation="sendmsg" info="Failed name lookup - disconnected path"
> error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log"
> pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
>
> (many times). This hasn't happened in earlier Ubuntu releases yet.
>
> This was spotted by Cockpit's integration tests, as our "ubuntu-
> stable" image now moved to 17.10 after its release.
>
> ProblemType: Bug
> DistroRelease: Ubuntu 17.10
> Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
> ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
> Uname: Linux 4.13.0-16-generic x86_64
> ApportVersion: 2.20.7-0ubuntu3
> Architecture: amd64
> Date: Wed Oct 25 03:19:34 2017
> SourcePackage: ntp
> UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions
>

I have since upgraded to 18.10 and I don't even see an apparmor profile 
for ntp anymore.

On Tue, 27 Nov 2018, Seth Arnold wrote:

> Date: Tue, 27 Nov 2018 01:07:37 -0000
> From: Seth Arnold <1727202@bugs.launchpad.net>
> To: nanook@eskimo.com
> Subject: [Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name
>      lookup - disconnected path
> 
> Andrew, you could try adding:
>
> flags=(attach_disconnected)
>
> to the profile attachment line:
>
> /usr/sbin/ntpd flags=(attach_disconnected) {
>
> And add:
>
> /run/systemd/journal/dev-log w,
>
> to the profile, then run:
>
> apparmor_parser --replace /etc/apparmor.d/usr.sbin.ntpd  # or whatever
> the filename is
>
> See if that lets you get useful logs, any new messages in dmesg or
> auditd logs, etc.
>
> Thanks
>
> ** Also affects: openntpd (Ubuntu)
>   Importance: Undecided
>       Status: New
>
> -- 
> You received this bug notification because you are subscribed to a
> duplicate bug report (1739943).
> https://bugs.launchpad.net/bugs/1727202
>
> Title:
>  [17.10 regression] AppArmor ntp denial: Failed name lookup -
>  disconnected path
>
> Status in ntp package in Ubuntu:
>  Fix Released
> Status in openntpd package in Ubuntu:
>  New
> Status in ntp source package in Xenial:
>  Invalid
> Status in openntpd source package in Xenial:
>  New
> Status in ntp source package in Zesty:
>  Invalid
> Status in openntpd source package in Zesty:
>  New
> Status in ntp source package in Artful:
>  Fix Released
> Status in openntpd source package in Artful:
>  New
> Status in ntp source package in Bionic:
>  Fix Released
> Status in openntpd source package in Bionic:
>  New
>
> Bug description:
>  [Impact]
>
>   * NTP has new isolation features which makes it trigger apparmor issues.
>   * Those apparmor issues not only clutter the log and make other things
>     less readable, they also prevent ntp from reporting its actual
>     messages.
>   * Fix is opening the apparmor profile to follow ntp through the
>     disconnect by the isolation feature.
>
>  [Test Case]
>
>   * This is hard to trigger, but then also not. Which means it is not
>     entirely sorted out when it triggers and when not, but the following
>     does trigger it in tests of Pitti and also mine (while at the same time
>     sometimes it does not - mabye I had other guests or kvm instead of lxd)
>
>   * First install ntp in Artful (or above unless fixed)
>     * Install ntp and check demsg for denies
>     * Once an issue triggers instead of the error in syslog you'll see the
>       apparmor Deny like:
>         apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
>         disconnected path" error=-13 profile="/usr/sbin/ntpd"
>         name="run/systemd/journal/dev-log" pid=5600 comm="ntpd"
>         requested_mask="w" denied_mask="w" fsuid=0 ouid=0
>
>  [Regression Potential]
>
>   * We are slightly opening up the apparmor profile which is far lower risk
>     than adding more constraints. So safe from that POV.
>
>   * OTOH one could think this might be a security issue, but in fact this
>     isn't a new suggestion if you take a look at [1] with an ack by Seth of
>     the Security Team.
>
>  [Other Info]
>
>   * n/a
>
>  [1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html
>
>  ----
>
>  Merely installing and starting ntp.service in Ubuntu 17.10 now causes
>  this AppArmor violation:
>
>  audit: type=1400 audit(1508915894.215:25): apparmor="DENIED"
>  operation="sendmsg" info="Failed name lookup - disconnected path"
>  error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log"
>  pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
>
>  (many times). This hasn't happened in earlier Ubuntu releases yet.
>
>  This was spotted by Cockpit's integration tests, as our "ubuntu-
>  stable" image now moved to 17.10 after its release.
>
>  ProblemType: Bug
>  DistroRelease: Ubuntu 17.10
>  Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
>  ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
>  Uname: Linux 4.13.0-16-generic x86_64
>  ApportVersion: 2.20.7-0ubuntu3
>  Architecture: amd64
>  Date: Wed Oct 25 03:19:34 2017
>  SourcePackage: ntp
>  UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions
>

Ubuntuopenntpd package

Comment 35 for bug 1727202

Ubuntu
openntpd package