This bug was fixed in the package apparmor - 2.10.95-4ubuntu5.1
---------------
apparmor (2.10.95-4ubuntu5.1) yakkety; urgency=medium
* debian/patches/profiles-grant-access-to-systemd-resolved.patch: AppArmor
profiles that make use of the nameservice abstraction should be allowed to
communicate with systemd-resolved over D-Bus. Ubuntu 16.10 systems are
configured to use nss-resolve which then communicates with
systemd-resolved's D-Bus API. (LP: #1598759)
-- Tyler Hicks <[email protected]> Wed, 12 Oct 2016 01:47:06 +0000
** Changed in: apparmor (Ubuntu Yakkety)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1598759
Title:
AppArmor nameservice abstraction doesn't allow communication with
systemd-resolved
Status in AppArmor:
Triaged
Status in apparmor package in Ubuntu:
Fix Released
Status in ntp package in Ubuntu:
Invalid
Status in apparmor source package in Yakkety:
Fix Released
Status in ntp source package in Yakkety:
Invalid
Bug description:
[ Impact ]
Processes confined by AppArmor profiles making use of the nameservice
AppArmor abstraction are unable to access the systemd-resolved network
name resolution service. The nsswitch.conf file shipped in Yakkety
puts the nss-resolve plugin to use which talks to systemd-resolved
over D-Bus. The D-Bus communication is blocked for the confined
processes described above and those processes will fall back to the
traditional means of name resolution.
[ Test Case ]
* Use ntpd to test:
$ sudo apt-get install -y ntp
...
$ sudo systemctl stop ntp
# in another terminal, watch for AppArmor denials
$ dmesg -w
# in the original terminal, start ntp
$ sudo systemctl start ntp
# You'll see a number of denials on the system_bus_socket file:
audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=3867 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0
* Use tcpdump to test:
# Capture traffic on whichever network interface you're currently using
$ sudo tcpdump -i eth0
# Look in /var/log/syslog for denials on the system_bus_socket file:
audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
In both situations, ntpd and tcpdump will seemingly work as expected
due to the name resolution fallback configured in nsswitch.conf.
However, neither confined process will be using systemd-resolved for
name resolution.
[ Regression Potential ]
This fix will allow ntp, tcpdump, cupsd, dhclient, and other
confined-by-default programs to start using systemd-resolved. There is
some potential for regression since those applications have not
previously been using systemd-resolved.
[ Original bug description ]
On this plain install of Xenial apparmor complains about ntpd:
[ 19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 22.426246] audit: type=1400 audit(1467623333.434:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 22.771326] audit: type=1400 audit(1467623333.782:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[ 23.568548] audit: type=1400 audit(1467623334.574:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
Adding the following line to /etc/apparmor.d/usr.sbin.ntpd fixes the
problem:
#include <abstractions/dbus-strict>
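The denial records quoted in the test case and in the original report are the signal to look for when checking whether a given system is affected, whether the updated nameservice abstraction is in effect, or whether a workaround such as the dbus-strict include above is doing its job. What follows is an added example, not part of the bug report or of the apparmor package: a small Python parser for AppArmor type=1400 audit records that counts DENIED connect attempts on /run/dbus/system_bus_socket per profile. The sample log is constructed inline from two of the records quoted on this page plus two made-up records (an unrelated denial for a hypothetical /usr/sbin/example profile, and a non-denial STATUS record) to show that the detector filters them out. Field names follow the records shown above; everything else (function names, the sample records, the stdin handling) is this example's own choice.

```python
import re
from collections import defaultdict

# Constructed sample log. The first two records are copied from the bug report
# (an ntpd denial from dmesg and a tcpdump denial from syslog); the last two are
# made up for this example: an unrelated denial on a different path for a
# hypothetical profile, and a non-denial STATUS record. The detector must
# ignore both of the made-up records.
SAMPLE_LOG = """\
[   19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1476240900.000:41): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=5000 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1476240901.000:42): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/ntpd" pid=5001 comm="apparmor_parser"
"""

DBUS_SYSTEM_SOCKET = "/run/dbus/system_bus_socket"

# audit(<epoch seconds>.<millis>:<serial>) stamp that precedes the key=value fields
AUDIT_STAMP_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Parse one AppArmor (type=1400) audit record into a dict.

    Returns None for lines that are not AppArmor audit records. Bare numeric
    values (pid, fsuid, ouid, ...) are converted to int; quoted values are
    kept as strings. Only the fields after the audit(...) stamp are parsed so
    that the kernel timestamp prefix from dmesg cannot pollute the result.
    """
    if "type=1400" not in line or 'apparmor="' not in line:
        return None
    stamp = AUDIT_STAMP_RE.search(line)
    if stamp is None:
        return None
    rec = {"timestamp": float(stamp.group("ts")),
           "serial": int(stamp.group("serial"))}
    for key, quoted, bare in KV_RE.findall(line[stamp.end():]):
        if bare:
            rec[key] = int(bare) if bare.isdigit() else bare
        else:
            rec[key] = quoted
    return rec


def is_dbus_socket_denial(rec):
    """True if the record is the signature of this bug: a confined process
    being refused a connect() on the system bus socket."""
    return (rec.get("apparmor") == "DENIED"
            and rec.get("operation") == "connect"
            and rec.get("name") == DBUS_SYSTEM_SOCKET)


def dbus_denials_by_profile(log_text):
    """Count system-bus-socket connect denials per AppArmor profile."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is not None and is_dbus_socket_denial(rec):
            counts[rec["profile"]] += 1
    return dict(counts)


def fix_in_effect(log_text, profile):
    """True if no system-bus-socket denial is logged for `profile`, i.e. the
    updated nameservice abstraction (or an equivalent workaround) is letting
    that profile reach systemd-resolved over D-Bus. Only meaningful if the
    profile's program was actually exercised while the log was collected."""
    return profile not in dbus_denials_by_profile(log_text)


if __name__ == "__main__":
    import sys
    # Pipe `dmesg` or /var/log/syslog into this script; with no stdin it
    # falls back to the constructed sample above.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for profile, n in sorted(dbus_denials_by_profile(text).items()):
        print(f"{profile}: {n} denied connect(s) on {DBUS_SYSTEM_SOCKET}")
```

Run it as `dmesg | python3 dbus_denials.py` after restarting the confined service, as the test case above does for ntp. Two points worth noting in the parsed fields: the non-zero fsuid on the ntpd records shows the refused connect() happens after ntpd has dropped root, while tcpdump attempts it as fsuid=0; and because nsswitch.conf falls back to traditional resolution, an absence of application errors says nothing, only the absence of these denial records after the program has been exercised does.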