Package: isc-dhcp-client
Version: 4.4.3-P1-1.1
Severity: normal
Tags: patch
X-Debbugs-Cc: brett.hol...@canonical.com

Dear Maintainer,

The Change:
-----------

Dhclient doesn't provide a mechanism for disabling hook scripts, which may provide undesirable system side effects. It does, however, allow the caller to define custom scripts. Therefore, one way to effectively disable hook scripts is to provide a no-op script, such as /bin/true. This change allows dhclient to execute /bin/true such that default hook scripts may effectively be disabled.

Before this change, note the "Permission denied" in the output:

```
root@debian:~# dhclient -1 -v -lf /run/dhclient.lease -pf /run/dhclient.pid enp5s0 -sf /bin/true
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

execve (/bin/true, ...): Permission denied
Listening on LPF/enp5s0/00:16:3e:33:e1:76
Sending on LPF/enp5s0/00:16:3e:33:e1:76
Sending on Socket/fallback
DHCPREQUEST for 10.161.80.58 on enp5s0 to 255.255.255.255 port 67
DHCPACK of 10.161.80.58 from 10.161.80.1
execve (/bin/true, ...): Permission denied
bound to 10.161.80.58 -- renewal in 1673 seconds.
```

After this change, note the "Permission denied" is gone:

```
root@debian:~# dhclient -1 -v -lf /run/dhclient.lease -pf /run/dhclient.pid enp5s0 -sf /bin/true
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/enp5s0/00:16:3e:33:e1:76
Sending on LPF/enp5s0/00:16:3e:33:e1:76
Sending on Socket/fallback
DHCPREQUEST for 10.161.80.58 on enp5s0 to 255.255.255.255 port 67
DHCPACK of 10.161.80.58 from 10.161.80.1
bound to 10.161.80.58 -- renewal in 1797 seconds.
```

Inline Debdiff:
---------------

```
--- isc-dhcp-4.4.3-P1/debian/apparmor/sbin.dhclient 2023-01-09 08:25:59.000000000 +0000 +++ isc-dhcp-4.4.3-P1/debian/apparmor/sbin.dhclient 2023-03-28 04:08:36.000000000 +0000 
@@ -62,6 +62,10 @@ # only being able to run the hooks scripts. /{,usr/}sbin/dhclient-script Uxr, + # Since dhclient doesn't provide the option to disable hooks, which is + # desireable in some cases, executing /bin/true as the script file suffices + /{,usr/}bin/true ixr, + # Run the ELF executables under their own unrestricted profiles /usr/lib/NetworkManager/nm-dhcp-client.action Pxrm, /usr/lib/connman/scripts/dhclient-script Pxrm, diff -Nru isc-dhcp-4.4.3-P1/debian/changelog isc-dhcp-4.4.3-P1/debian/changelog --- isc-dhcp-4.4.3-P1/debian/changelog 2023-01-09 09:15:41.000000000 +0000 +++ isc-dhcp-4.4.3-P1/debian/changelog 2023-03-28 04:11:57.000000000 +0000 
@@ -1,3 +1,10 @@ +isc-dhcp (4.4.3-P1-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * debian/apparmor/sbin.dhclient: Allow disabling default dhclient script. + + -- Brett Holman <brett.hol...@canonical.com> Mon, 27 Mar 2023 22:11:57 -0600 + isc-dhcp (4.4.3-P1-1.1) unstable; urgency=medium * Non-maintainer upload.
```

Motivation:
-----------

When executing dhclient, cloud-init does not want variation in behavior caused by side effects from /sbin/dhclient-script, and therefore overrides this script with a noop, /bin/true. Formerly cloud-init used "dhclient sandboxing" to work around apparmor rules in dhclient. With recent changes[1], cloud-init has removed sandboxing and changed file locations to work with dedicated PID and lease file apparmor locations. Unfortunately under this scheme, when the script call fails (due to apparmor blocking execution of /bin/true), dhclient falls back to using the default script, /sbin/dhclient-script, which is undesirable.

Steps Taken:
------------

- Reported in Ubuntu (LP: 2011628)
- Fixing in Debian was suggested (fix proposed[2])
- It was requested to make change in Debian

[1] https://github.com/canonical/cloud-init/commit/de7851b93c5a2d4658d8a0a336e9d014adb15189
[2] https://code.launchpad.net/~holmanb/ubuntu/+source/isc-dhcp/+git/isc-dhcp/+merge/439186

-- System Information:
Debian Release: 12.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-7-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages isc-dhcp-client depends on:
ii  debianutils  5.7-0.4
ii  iproute2     6.1.0-2
ii  libc6        2.36-8

Versions of packages isc-dhcp-client recommends:
ii  isc-dhcp-common  4.4.3-P1-1.1

Versions of packages isc-dhcp-client suggests:
pn  avahi-autoipd         <none>
pn  isc-dhcp-client-ddns  <none>
ii  systemd-resolved [resolvconf]  252.6-1

-- no debconf information
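
Review bot: In debian/apparmor/sbin.dhclient, the comment above the added `/{,usr/}bin/true ixr,` rule says why the rule exists but not why inherit mode was chosen, and it misspells "desirable" as "desireable". Suggest stating that `ix` keeps /bin/true confined by the dhclient profile, in contrast to the `Uxr` given to `/{,usr/}sbin/dhclient-script` just above it, so the no-op runs with no more access than dhclient itself. The rule also covers /bin/true only: any other `-sf` target is still denied, and per the motivation a denied exec ends with the default script being used, so the comment should name /bin/true as the one supported no-op.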
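
Review bot: In debian/changelog, the entry `* debian/apparmor/sbin.dhclient: Allow disabling default dhclient script.` does not say how the script is disabled. Suggest naming the mechanism (permitting exec of /bin/true as a no-op `-sf` script) so the changelog matches the profile change, and adding a `Closes:` reference once this report has a bug number.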
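
The "before" and "after" runs in the report differ only in the `execve (...): Permission denied` lines, so that line is what to look for when confirming that a `-sf /bin/true` override actually took effect. The Python below is an added example, not part of the report or of isc-dhcp; `check_script_override` is a hypothetical helper name, and the sample text is constructed from the output quoted above.

```python
import re

# Exec-failure and lease lines as they appear in the report's dhclient -v output.
EXEC_FAIL = re.compile(r"^execve \((?P<path>[^,]+), \.\.\.\): (?P<err>.+)$")
BOUND = re.compile(r"^bound to (?P<ip>\S+) -- renewal in \d+ seconds\.$")

# Constructed samples: excerpts of the two runs quoted in the report,
# one dhclient message per line.
BEFORE = """\
execve (/bin/true, ...): Permission denied
Listening on LPF/enp5s0/00:16:3e:33:e1:76
DHCPREQUEST for 10.161.80.58 on enp5s0 to 255.255.255.255 port 67
DHCPACK of 10.161.80.58 from 10.161.80.1
execve (/bin/true, ...): Permission denied
bound to 10.161.80.58 -- renewal in 1673 seconds.
"""
AFTER = """\
Listening on LPF/enp5s0/00:16:3e:33:e1:76
DHCPREQUEST for 10.161.80.58 on enp5s0 to 255.255.255.255 port 67
DHCPACK of 10.161.80.58 from 10.161.80.1
bound to 10.161.80.58 -- renewal in 1797 seconds.
"""


def check_script_override(output, script="/bin/true"):
    """Report whether the -sf override was blocked while a lease was still bound."""
    failures = []    # (path, error) for every script exec that failed
    bound_ip = None
    for raw in output.splitlines():
        line = raw.strip()
        m = EXEC_FAIL.match(line)
        if m:
            failures.append((m.group("path"), m.group("err")))
            continue
        m = BOUND.match(line)
        if m:
            bound_ip = m.group("ip")
    blocked = [f for f in failures if f[0] == script]
    return {
        "exec_failures": failures,
        "bound_ip": bound_ip,
        # Lease obtained although the no-op never ran: the case in which, per
        # the report, the default /sbin/dhclient-script ends up being used.
        "override_blocked": bool(blocked) and bound_ip is not None,
    }


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check_script_override(text))
```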