Your message dated Wed, 30 Aug 2023 12:35:29 +0300
with message-id <[email protected]>
and subject line Re: Bug#1029197: ip-transparent: yes is blocked by apparmor
has caused the Debian Bug report #1029197,
regarding ip-transparent: yes is blocked by apparmor
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
1029197: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029197
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unbound
Version: 1.17.0-1
Severity: normal
Tags: patch

Dear Maintainer,

* What led up to the situation?

I wanted to configure a static IPv6 address in unbound, but that is not (always) available when booting the system. Therefore I enabled ip-transparent in the server section.

* What exactly did you do (or not do) that was effective (or ineffective)?

When I enabled 'ip-transparent: yes' in the server section, apparmor blocked some capabilities when restarting unbound.

Jan 19 13:37:20 kernel: audit: type=1400 audit(1674131840.250:65): apparmor="DENIED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=13 capname="net_raw"
Jan 19 13:37:20 kernel: audit: type=1400 audit(1674131840.250:66): apparmor="DENIED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=12 capname="net_admin"

* What outcome did you expect instead?

I would have expected that unbound would not be blocked by apparmor and would be able to use the ip-transparent option without issue.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-4-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unbound depends on:
ii  adduser                       3.130
ii  init-system-helpers           1.65.2
ii  libc6                         2.36-8
ii  libevent-2.1-7                2.1.12-stable-5+b1
ii  libnghttp2-14                 1.51.0-1
ii  libprotobuf-c1                1.4.1-1+b1
ii  libpython3.10                 3.10.9-1
ii  libssl3                       3.0.7-1
ii  libsystemd0                   252.4-1
ii  lsb-base                      11.5
ii  sysvinit-utils [lsb-base]     3.06-2

Versions of packages unbound recommends:
ii  dns-root-data  2023010101

Versions of packages unbound suggests:
ii  apparmor  3.0.8-1
ii  openssl   3.0.7-1

-- no debconf information
From: TigerP <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: ip-transparent: yes is blocked by apparmor
Bcc: TigerP <[email protected]>
Message-ID: <167413411988.1072823.1845641849211757387.report...@melaine.andor.aybara.org>
X-Mailer: reportbug 11.6.0
Date: Thu, 19 Jan 2023 14:15:19 +0100

Content-Disposition: attachment; filename="unbound_apparmor_ip-transparancy.patch"

--- usr.sbin.unbound.orig	2023-01-19 14:12:38.624603236 +0100
+++ usr.sbin.unbound	2023-01-19 14:13:55.721989871 +0100
@@ -21,6 +21,9 @@
   capability setuid,
   capability sys_chroot,
   capability sys_resource,
+  # Added for ip-transparancy option
+  capability net_raw,
+  capability net_admin,
 
   # root hints from dns-data-root
   /usr/share/dns/root.* r,
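Review bot: the two new `capability` lines belong in /etc/apparmor.d/local/usr.sbin.unbound (pulled in by the packaged profile's `#include <local/usr.sbin.unbound>`) rather than in the shipped usr.sbin.unbound: ip-transparent is off by default, so this hunk would hand net_raw and net_admin to every unbound installation for an option almost none of them use, and net_admin in particular is far broader than a resolver needs. The two audit records in the report are logged back to back for the same operation="capable" event (serials 65 and 66), which is consistent with the kernel's IP_TRANSPARENT check accepting either CAP_NET_RAW or CAP_NET_ADMIN; add `capability net_raw,` on its own first, restart unbound, and only add `capability net_admin,` if a denial for it is still logged. Also fix the spelling in the added comment, "# Added for ip-transparancy option" should read "ip-transparency" (the attachment name carries the same typo).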
--- End Message ---
--- Begin Message ---
On Thu, 19 Jan 2023 14:35:52 +0100 Tiger!P <[email protected]> wrote:
> Package: unbound
> Version: 1.17.0-1
> Severity: normal
> Tags: patch
>
> Dear Maintainer,
>
> * What led up to the situation?
>
> I wanted to configure a static IPv6 address in unbound, but that is not (always) available when booting the system. Therefore I enabled ip-transparent in the server section.
>
> * What exactly did you do (or not do) that was effective (or ineffective)?
>
> When I enabled 'ip-transparent: yes' in the server section, apparmor blocked some capabilities when restarting unbound.
>
> Jan 19 13:37:20 kernel: audit: type=1400 audit(1674131840.250:65): apparmor="DENIED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=13 capname="net_raw"
> Jan 19 13:37:20 kernel: audit: type=1400 audit(1674131840.250:66): apparmor="DENIED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=12 capname="net_admin"
>
> * What outcome did you expect instead?
>
> I would have expected that unbound would not be blocked by apparmor and would be able to use the ip-transparent option without issue.

You're suggesting to add the net_admin capability to the default unbound apparmor profile. In my view this way is too much; it should not need any network admin privileges during normal operations. Especially since ip-transparent is very rare.

The unbound apparmor profile has

  #include <local/usr.sbin.unbound>

-- this is a perfect place to add additional privileges necessary for local configuration. I think anyway.

/mjt
--- End Message ---
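The maintainer's suggestion carried out, as an added example that is not code from the bug report, the unbound package or the Debian maintainer: a POSIX shell script that turns the kernel's AppArmor denial records into `capability` rules and writes them to the local override the packaged profile already includes, so the shipped usr.sbin.unbound stays untouched. The sample audit input is constructed: the two records from the report plus one invented denial for a different profile, to show the filtering. The paths /etc/apparmor.d/local/usr.sbin.unbound and /etc/apparmor.d/usr.sbin.unbound, `journalctl -k` as the log source, and the `show`/`apply` modes are assumptions about a standard Debian bookworm system.

```shell
#!/bin/sh
# Added example, not from the bug report or the unbound package: derive
# AppArmor capability rules for the unbound profile from kernel audit
# denials and put them in the local override that the packaged profile
# pulls in via "#include <local/usr.sbin.unbound>".
# Assumptions: Debian layout (paths below), kernel log readable with
# "journalctl -k", root for the apply step.

PROFILE_LOCAL=/etc/apparmor.d/local/usr.sbin.unbound
PROFILE_MAIN=/etc/apparmor.d/usr.sbin.unbound

# Constructed sample input: the two records quoted in the bug report plus
# one invented denial for another profile, so the profile filter is visible.
SAMPLE_AUDIT='Jan 19 13:37:20 kernel: audit: type=1400 audit(1674131840.250:65): apparmor="DENIED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=13 capname="net_raw"
Jan 19 13:37:20 kernel: audit: type=1400 audit(1674131840.250:66): apparmor="DENIED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=12 capname="net_admin"
Jan 19 13:37:21 kernel: audit: type=1400 audit(1674131841.000:67): apparmor="DENIED" operation="capable" profile="other" pid=4242 comm="other" capability=21 capname="sys_admin"'

# denied_caps PROFILE   (audit records on stdin)
# Emit one "capability NAME," rule per distinct capability the named
# profile was denied. Records for other profiles or for operations other
# than "capable" (file access, mount, ...) are dropped.
denied_caps() {
    grep 'apparmor="DENIED"' \
        | grep 'operation="capable"' \
        | grep "profile=\"$1\"" \
        | sed -n 's/.*capname="\([a-z_0-9]*\)".*/capability \1,/p' \
        | sort -u
}

# local_override PROFILE   (audit records on stdin)
# Render the body of the local include file.
local_override() {
    printf '# Local additions for "ip-transparent: yes" (Debian bug #1029197).\n'
    printf '# The packaged profile stays untouched; it includes this file.\n'
    denied_caps "$1"
}

# apply_override: root only. Rebuild the override from the live kernel log,
# reload the profile, restart unbound and report anything still denied.
apply_override() {
    if [ "$(id -u)" -ne 0 ]; then
        printf 'apply needs root\n' >&2
        return 1
    fi
    [ -f "$PROFILE_LOCAL" ] && cp -p "$PROFILE_LOCAL" "$PROFILE_LOCAL.bak"
    journalctl -k --no-pager -o cat | local_override unbound > "$PROFILE_LOCAL"
    apparmor_parser -r "$PROFILE_MAIN"
    since=$(date '+%Y-%m-%d %H:%M:%S')
    systemctl restart unbound
    sleep 1
    remaining=$(journalctl -k --no-pager -o cat --since "$since" | denied_caps unbound)
    if [ -n "$remaining" ]; then
        printf 'still denied after reload:\n%s\n' "$remaining" >&2
        return 1
    fi
    printf 'no capability denials for unbound since %s\n' "$since"
}

case "${1:-show}" in
    apply) apply_override ;;
    show)  printf '%s\n' "$SAMPLE_AUDIT" | local_override unbound ;;
    *)     printf 'usage: %s [show|apply]\n' "$0" >&2; exit 2 ;;
esac
```

Run it without arguments to see the override rendered from the sample records; `apply` rebuilds it from the real kernel log and reloads. Review the generated list before installing it: the report's net_raw and net_admin denials are logged back to back for the same event, which is consistent with the kernel accepting either capability for IP_TRANSPARENT, so try keeping only `capability net_raw,` and re-check the log after the restart before adding the broader net_admin.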

