[Touch-packages] [Bug 1741227] Re: apparmor denial to several paths to binaries

Wed, 14 Feb 2018 06:52:26 -0800 

Bionic - ok
SRU Template - ok
Debdiff for X/T checked - ok
Tested A upload from ppa - ok.
(This issue in particular doesn't apply to Xenial, so dropping this task)

** No longer affects: ntp (Ubuntu Xenial)

** Changed in: ntp (Ubuntu Artful)
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1741227

Title:
  apparmor denial to several paths to binaries

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Artful:
  Fix Committed

Bug description:
  [Impact]

   * Apparmor denies access to bin directories which the option parsing code 
     of ntp touches.

  [Test Case]

   1. get a container of target release
   2. install ntp
      apt install ntp
   3. watch dmesg on container-host
      dmesg -w
   4. restart ntp in container
      systemctl restart ntp
   => see (or no more after fix) apparmor denie:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
     changes poses a security risk so regression potential on it's own
     should be close to zero.

   * we discussed if this would be a security risk but came to the 
     conclusion that r-only should be ok (the same content anyone can grab 
     from the archive by installing the packages)

  [Other Info]

   * n/a

  Issue shows up (non fatal) as:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0

  Since non crit this is mostyl about many of us being curious why it
  actually does do it :-)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1741227/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to