Apparmor Disallows Disabling Dhclient Scripts

Bug #2011628 reported by Brett Holman
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| isc-dhcp (Debian) | New | Unknown | | |
| isc-dhcp (Ubuntu) | Fix Released | Medium | Unassigned | |
| Focal | New | Undecided | Unassigned | |
| Jammy | New | Undecided | Unassigned | |
| Lunar | Won't Fix | Undecided | Unassigned | |

Bug Description

In some cases, it may be desirable to disable dhclient scripts. By default /sbin/dhclient-script is used, and some others are allowed by the apparmor profile.

Without Apparmor, disabling hook scripts can be accomplished with flags -sf /bin/true, but with apparmor enabled this gets blocked:

execve (/bin/true, ...): Permission denied

Unfortunately dhclient doesn't appear to provide any other mechanism for disabling hook scripts.

Tags: patch

Brett Holman (holmanb) wrote :

The attached debdiff enables dhclient to execute dhclient with -sf /bin/true

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "isc-dhcp-apparmor-scripts-disable-fix.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch

Robie Basak (racb) wrote :

I wondered if this needed an FFe, but then I considered that we're fixing an Apparmor profile to do what the command would allow anyway, and I think that fixing Apparmor profiles is not something that generally would violate feature freeze. So I'm not bothering the release team with this one and am instead documenting why :-)

Changed in isc-dhcp (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in isc-dhcp (Debian):
status: Unknown → New

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.4.3-P1-1ubuntu2

---------------
isc-dhcp (4.4.3-P1-1ubuntu2) mantic; urgency=medium

  * debian/apparmor/sbin.dhclient: Allow disabling dhclient hooks. LP: #2011628

 -- Brett Holman <email address hidden> Fri, 17 Mar 2023 15:38:35 -0600

Changed in isc-dhcp (Ubuntu):
status: Triaged → Fix Released

Christian Ehrhardt (paelzer) wrote :

As reported in 2031398 this problem causes log-noise by apparmor denying it in older releases.
Gladly the impact is just the log (dhclient still works), but the change to the apparmor profile should be SRUed to avoid that.

Brett Holman (holmanb) wrote :

This was fixed in Ubuntu mantic, but not yet SRU'd to focal, jammy, or lunar since this "fix" just eliminates harmless warnings, which is not worth backporting to old releases.

Cloud-init users that see warnings due to apparmor such as

execve (/bin/true, ...): Permission denied

due to apparmor blocking execution of /bin/true may be concerned about problems associated with this error, but rest assured that apparmor blocking /bin/true accomplishes the same thing as apparmor allowing /bin/true (no side-effects are allowed by hook scripts), so this warning is just noise and can be safely ignored.

Cloud-init users on these releases that wish to see no apparmor warnings might locally include this rule themselves via:

echo " /bin/true Uxr," > /etc/apparmor.d/local/sbin.dhclient

Steve Langasek (vorlon) wrote :

This bubbled back up in the sponsorship queue due to the recent comment activity. However, you say:

> this "fix" just eliminates harmless warnings, which is not worth backporting to old releases.

It appears there is nothing here to be sponsored currently, so I am unsubscribing the ubuntu-sponsors team. Please resubscribe us if that changes.

Steve Langasek (vorlon) wrote :

Actually, it popped back up in our queue because Christian had targeted the bug to the stable releases - not because of the comment activity. In any case, nothing currently here for sponsorship.

Tired Sysadmin (wearyofallthiscrap) wrote :

> Cloud-init users on these releases that wish to see no apparmor warnings might locally include this rule themselves via:
>
> echo " /bin/true Uxr," > /etc/apparmor.d/local/sbin.dhclient

Note for other users finding their way here via googling for error messages: On jammy (22.04) at least, you will need to account for /bin being a symlink to /usr/bin, and thus the line becomes (following the standard brace syntax and also the ordering conventions in the default apparmor profiles):

echo ' /{,usr/}bin/true Uxr,' > /etc/apparmor.d/local/sbin.dhclient

This will silence the execve warnings in 22.04.
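
The commands quoted in this thread write the rule with >, which replaces anything already present in the local override file. The following is an added example, not code from any commenter or from the isc-dhcp package, that appends the rule only when it is missing and reloads the profile only when the file changed. The function name, the --apply switch and the packaged profile path /etc/apparmor.d/sbin.dhclient are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread): add the dhclient override rule
# without clobbering other local rules, and reload only when something changed.

# Rule text as given in the comment above; covers /bin -> /usr/bin symlinks.
RULE='  /{,usr/}bin/true Uxr,'

# ensure_rule FILE
# Appends RULE to FILE unless a line that is identical apart from whitespace
# is already present. Returns 0 if FILE was modified, 1 if it was left alone.
ensure_rule() {
    file=$1
    [ -e "$file" ] || : > "$file"
    want=$(printf '%s' "$RULE" | tr -d '[:space:]')
    while IFS= read -r line || [ -n "$line" ]; do
        have=$(printf '%s' "$line" | tr -d '[:space:]')
        if [ "$have" = "$want" ]; then
            return 1
        fi
    done < "$file"
    # Keep the new rule on its own line if the file lacks a final newline.
    if [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$RULE" >> "$file"
    return 0
}

# Only touch the system when explicitly asked to (run as root with --apply).
# Assumed paths: the local override named in the thread and the packaged
# profile at /etc/apparmor.d/sbin.dhclient.
if [ "${1:-}" = "--apply" ]; then
    if ensure_rule /etc/apparmor.d/local/sbin.dhclient; then
        apparmor_parser -r /etc/apparmor.d/sbin.dhclient
    fi
fi
```

Run without arguments, the script only defines the function; a commented-out copy of the rule in the file does not count as present.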

Brian Murray (brian-murray) wrote :

Ubuntu 23.04 (Lunar Lobster) has reached end of life, so this bug will not be fixed for that specific release.

Changed in isc-dhcp (Ubuntu Lunar):
status: New → Won't Fix