enabled

Debian bugreport Mon, 19 Sep 2022 13:33:16 -0700

Package: bind9
Version: 1:9.18.6-2
Severity: normal
Tags: patch
X-Debbugs-Cc: pkg-apparmor-t...@lists.alioth.debian.org

With apparmor enabled for named, the /var/log/syslog file ends up withallot of unnecessary DENIED messages,as the as read access to/sys/kernel/mm/transparent_hugepage/enabledseems to have accidentally excluded by the hardening.

Restoring the read access seems to resolve the issue, see attached patch.


Examples:

/var/log/syslog:Sep 18 00:45:12 pippi kernel: [568935.135647] audit:type=1400 audit(1663454712.445:191): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=234038 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 01:54:18 pippi kernel: [573081.399636] audit:type=1400 audit(1663458858.813:192): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=235380 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 03:26:40 pippi kernel: [578622.720520] audit:type=1400 audit(1663464400.273:193): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=236920 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 04:42:21 pippi kernel: [583163.451230] audit:type=1400 audit(1663468941.119:194): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=237915 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 05:50:00 pippi kernel: [587222.657447] audit:type=1400 audit(1663473000.425:195): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=239109 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 07:15:15 pippi kernel: [592337.151577] audit:type=1400 audit(1663478115.049:196): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=243061 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 08:42:55 pippi kernel: [597597.185578] audit:type=1400 audit(1663483375.213:197): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=247004 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 09:52:30 pippi kernel: [601772.451830] audit:type=1400 audit(1663487550.586:198): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=248343 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 11:12:27 pippi kernel: [606569.547243] audit:type=1400 audit(1663492347.802:199): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=252396 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 12:25:25 pippi kernel: [610946.891663] audit:type=1400 audit(1663496725.256:200): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=254642 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 13:50:03 pippi kernel: [616024.685028] audit:type=1400 audit(1663501803.180:201): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=257604 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 15:05:34 pippi kernel: [620555.410211] audit:type=1400 audit(1663506334.014:202): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=260179 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 16:37:47 pippi kernel: [626088.694992] audit:type=1400 audit(1663511867.436:203): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=262246 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 18:00:21 pippi kernel: [631042.827598] audit:type=1400 audit(1663516821.692:204): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=264295 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 19:15:41 pippi kernel: [635562.798692] audit:type=1400 audit(1663521341.781:205): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=267350 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 20:43:37 pippi kernel: [640838.555665] audit:type=1400 audit(1663526617.670:206): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=268844 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 21:53:28 pippi kernel: [645029.178793] audit:type=1400 audit(1663530808.399:207): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=270477 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0/var/log/syslog:Sep 18 23:03:19 pippi kernel: [649220.506898] audit:type=1400 audit(1663534999.831:208): apparmor="DENIED" operation="open"profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=272038 comm="named"requested_mask="r" denied_mask="r" fsuid=0 ouid=0




-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (800, 'testing'), (300, 'unstable')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)

Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND,TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULELocale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),LANGUAGE=en_US:en

Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii adduser 3.128
ii bind9-libs 1:9.18.6-2
ii bind9-utils 1:9.18.6-2
ii cdebconf [debconf-2.0] 0.264
ii debconf [debconf-2.0] 1.5.79
ii dns-root-data 2021011101
ii init-system-helpers 1.64
ii iproute2 5.19.0-1
ii libc6 2.34-7
ii libcap2 1:2.44-1
ii libfstrm0 0.6.1-1
ii libjson-c5 0.16-1
ii liblmdb0 0.9.24-1
ii libmaxminddb0 1.5.2-1
ii libnghttp2-14 1.49.0-1
ii libprotobuf-c1 1.4.1-1
ii libssl3 3.0.5-2
ii libuv1 1.44.2-1
ii libxml2 2.9.14+dfsg-1+b1
ii lsb-base 11.2
ii netbase 6.3
ii zlib1g 1:1.2.11.dfsg-4.1

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn bind-doc <none>
ii bind9-dnsutils [dnsutils] 1:9.18.6-2
ii dnsutils 1:9.18.6-2
pn resolvconf <none>
ii ufw 0.36.1-4

-- Configuration Files:
/etc/apparmor.d/usr.sbin.named changed [not included]
/etc/bind/named.conf changed [not included]
/etc/bind/named.conf.local changed [not included]
/etc/bind/named.conf.options changed [not included]

-- debconf information:
bind9/run-resolvconf: false
bind9/different-configuration-file:
bind9/start-as-user: bind

--
/Stefan B. (bugreporter)

--- /etc/apparmor.d/usr.sbin.named~	2021-11-12 14:24:13.000000000 +0100
+++ /etc/apparmor.d/usr.sbin.named	2022-09-19 21:43:35.092730212 +0200
@@ -13,4 +13,7 @@
   capability sys_resource,
 
+  # named need to check if hugepages is avaiable.
+  /sys/kernel/mm/transparent_hugepage/enabled r,
+
   # /etc/bind should be read-only for bind
   # /var/lib/bind is for dynamically updated zone (and journal) files.

Bug#1020315: bind9: Spams /var/log/syslog with appramor DENIED /sys/kernel/mm/transparent_hugepage/enabled

Reply via email to