[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-22 Thread Launchpad Bug Tracker
This bug was fixed in the package ntp - 1:4.2.8p10+dfsg-5ubuntu3.2

---
ntp (1:4.2.8p10+dfsg-5ubuntu3.2) artful; urgency=medium

  * d/apparmor-profile: avoid denies on argument checks (LP: #1741227)
  * d/apparmor-profile: fix denial checking for running ntpdate (LP: #1749389)

 -- Christian Ehrhardt   Wed, 14 Feb 2018 13:14:24 +0100

** Changed in: ntp (Ubuntu Artful)
   Status: Fix Committed => Fix Released

** Changed in: ntp (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Fix Released
Status in ntp source package in Artful:
  Fix Released

Bug description:
  [Impact]

   * Apparmor denies access to lock it shares with ntpdate to ensure no
     issues due to concurrent access

  [Test Case]

   1. get a container of target release
   2. install ntp
  apt install ntp
   3. watch dmesg on container-host
  dmesg -w
   4. restart ntp in container
  systemctl restart ntp
   => see (or no more after fix) apparmor denial:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
  Note: to not be misled, on xenial there is a remaining stdout apparmor
  issue which is bug 1670408

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
     changes poses a security risk so regression potential on its own
     should be close to zero.

   * There is a potential issue if the locking (that now can succeed) would
     e.g. no more be freed up or the action behind the locking would cause
     issues.

  [Other Info]

   * n/a

  On start/restart ntp has an error in apparmor due to the locking it
  tries to avoid issues running concurrently with ntpdate.

  That looks like:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"

  The rule we need is:
  /run/lock/ntpdate wk,

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1749389/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
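
Added example, not part of the original thread or the ntp package: a small Python checker that rejoins hard-wrapped dmesg audit records like the ones quoted in this bug, collects the AppArmor denials for the /usr/sbin/ntpd profile per container namespace, and reports which ones a candidate rule such as `/run/lock/ntpdate wk,` would leave uncovered. The sample input is constructed (the third record's path is hypothetical), the function names are illustrative, and rule matching is simplified to literal paths.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the dmesg lines quoted in this thread and
# hard-wrapped the way the mail archive shows them. Record 2 is a non-denial
# that must be ignored; record 3 uses a hypothetical path.
SAMPLE_DMESG = """\
[2020349.483870] audit: type=1400 audit(1518622585.386:4875): apparmor="DENIED"
operation="file_inherit"
namespace="root//lxd-xenial-test_"
profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16784 comm="ntpd"
requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[2020350.000001] audit: type=1400 audit(1518622586.000:4876): apparmor="STATUS"
operation="profile_replace" profile="unconfined" name="/usr/sbin/ntpd"
pid=16790 comm="apparmor_parser"
[2020351.000001] audit: type=1400 audit(1518622587.000:4877): apparmor="DENIED"
operation="open" namespace="root//lxd-artful-test_"
profile="/usr/sbin/ntpd" name="/run/hypothetical/example" pid=16800 comm="ntpd"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

RECORD_START = re.compile(r"\[\s*\d+\.\d+\]\s+audit:")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_records(text):
    """Split dmesg text into audit records, rejoining hard-wrapped lines."""
    flat = " ".join(text.split())
    starts = [m.start() for m in RECORD_START.finditer(flat)]
    records = []
    for begin, end in zip(starts, starts[1:] + [len(flat)]):
        # Each field is key="quoted value" or key=bare_value.
        fields = {k: q or b for k, q, b in FIELD.findall(flat[begin:end])}
        records.append(fields)
    return records


def denied_by_target(records, profile):
    """Map (namespace, path) -> set of denied permission letters."""
    needed = defaultdict(set)
    for rec in records:
        if rec.get("apparmor") == "DENIED" and rec.get("profile") == profile:
            key = (rec.get("namespace", ""), rec.get("name", ""))
            needed[key].update(rec.get("denied_mask", ""))
    return dict(needed)


def parse_rule(rule):
    """Parse a literal-path file rule such as '/run/lock/ntpdate wk,'."""
    path, perms = rule.strip().rstrip(",").split()
    return path, set(perms)


def still_denied(needed, rules):
    """Return the denials the given rules would not cover.

    Simplification: literal paths only (no globs, includes or abstractions),
    and mask letters are compared as-is against the rule's letters.
    """
    allowed = defaultdict(set)
    for rule in rules:
        path, perms = parse_rule(rule)
        allowed[path] |= perms
    left = {}
    for (namespace, path), letters in needed.items():
        missing = letters - allowed.get(path, set())
        if missing:
            left[(namespace, path)] = "".join(sorted(missing))
    return left


if __name__ == "__main__":
    needed = denied_by_target(parse_records(SAMPLE_DMESG), "/usr/sbin/ntpd")
    for label, rules in (("before", []), ("after", ["/run/lock/ntpdate wk,"])):
        print(label, still_denied(needed, rules))
```
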


[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-22 Thread Launchpad Bug Tracker
This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu5.8

---
ntp (1:4.2.8p4+dfsg-3ubuntu5.8) xenial; urgency=medium

  * d/apparmor-profile: fix denial checking for running ntpdate (LP: #1749389)

 -- Christian Ehrhardt   Wed, 14 Feb 2018 13:10:39 +0100



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
Verification of proposed:
xenial/artful as is on restart:
[2020349.483870] audit: type=1400 audit(1518622585.386:4875): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xenial-test_" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16784 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[2020342.768379] audit: type=1400 audit(1518622578.674:4870): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-artful-test_" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16638 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

After upgrade from proposed:
- 1:4.2.8p4+dfsg-3ubuntu5.8
- 1:4.2.8p10+dfsg-5ubuntu3.2

The messages above are gone - so verified

** Tags removed: verification-needed verification-needed-artful verification-needed-xenial
** Tags added: verification-done verification-done-artful verification-done-xenial



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread Chris J Arges
Hello ChristianEhrhardt, or anyone else affected,

Accepted ntp into xenial-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p4+dfsg-3ubuntu5.8
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: ntp (Ubuntu Xenial)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-xenial

** Changed in: ntp (Ubuntu Artful)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-artful



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
fix in SRU queue (Artful/Xenial) for review by the SRU Team



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
Bionic - ok
SRU Template - ok
Debdiff for X/T checked - ok
Tested X/A upload from ppa - ok.

I identified another issue in the log as bug 1670408 which needs a fix in
apparmor - not ntp.
That means this is ok to be uploaded (not gated by that finding).

** Description changed:

  [Impact]
  
-  * Apparmor denies access to lock it shares with ntpdate to ensure no 
-issues due to concurrent access
+  * Apparmor denies access to lock it shares with ntpdate to ensure no
+    issues due to concurrent access
  
  [Test Case]
  
-  1. get a container of target release
-  2. install ntp
- apt install ntp
-  3. watch dmesg on container-host
- dmesg -w 
-  4. restart ntp in container
- systemctl restart ntp
-  => see (or no more after fix) apparmor denie:
- apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
+  1. get a container of target release
+  2. install ntp
+ apt install ntp
+  3. watch dmesg on container-host
+ dmesg -w
+  4. restart ntp in container
+ systemctl restart ntp
+  => see (or no more after fix) apparmor denie:
+ apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
+ Note: to not be mislead, on xenial there is a remaining stdout appamor 
+ issue which is bug 1670408
  
  [Regression Potential]
  
-  * we are only slightly opening up the apparmor profile, but none of the 
-changes poses a security risk so regression potential on it's own 
-should be close to zero.
+  * we are only slightly opening up the apparmor profile, but none of the
+    changes poses a security risk so regression potential on it's own
+    should be close to zero.
  
-  * There is a potential issue if the locking (that now can succeed) would 
-e.g. no more be freed up or the action behind the locking would cause 
-issues.
+  * There is a potential issue if the locking (that now can succeed) would
+    e.g. no more be freed up or the action behind the locking would cause
+    issues.
  
  [Other Info]
-  
-  * n/a
  
+  * n/a
  
- On start/restart nto has an error in apparmor due to the locking it tries to 
avoid issues running concurrently with ntpdate.
+ On start/restart nto has an error in apparmor due to the locking it
+ tries to avoid issues running concurrently with ntpdate.
  
  That looks like:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
  
  The rule we need is:
  /run/lock/ntpdate wk,
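
Review bot: The Note added under [Test Case] points to bug 1670408 for a remaining stdout denial on xenial but does not show what that denial looks like, so a tester watching `dmesg -w` has no way to tell it apart from the one under test. Consider stating the pass criterion explicitly, for example that no DENIED record with name="/run/lock/ntpdate" appears after the restart, and quoting the distinguishing field of the unrelated denial. The rest of this diff is whitespace reflow of the existing template text.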

** Changed in: ntp (Ubuntu Xenial)
   Status: Triaged => In Progress

** Changed in: ntp (Ubuntu Artful)
   Status: Triaged => In Progress



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
Missed the right format in changelog :-/, but this is fixed in Bionic by
https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p10+dfsg-5ubuntu7

** Changed in: ntp (Ubuntu)
   Status: Triaged => Fix Released



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
auto profile replace on upgrade - ok
restart without apparmor issues - ok



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
Fix is trivial, but you never know - testing the bionic change in
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3144



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
Note: When we open up a SRU for ntp apparmor we should include the minor
(but on its own not SRU worthy) fix of bug 1741227

** Description changed:

- On start/restart nto has an error in apparmor due to the locking it
- tries to avoid issues running concurrently with ntpdate.
+ [Impact]
+ 
+  * Apparmor denies access to lock it shares with ntpdate to ensure no 
+issues due to concurrent access
+ 
+ [Test Case]
+ 
+  1. get a container of target release
+  2. install ntp
+ apt install ntp
+  3. watch dmesg on container-host
+ dmesg -w 
+  4. restart ntp in container
+ systemctl restart ntp
+  => see (or no more after fix) apparmor denie:
+ apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
+ 
+ [Regression Potential]
+ 
+  * we are only slightly opening up the apparmor profile, but none of the 
+changes poses a security risk so regression potential on it's own 
+should be close to zero.
+ 
+  * There is a potential issue if the locking (that now can succeed) would 
+e.g. no more be freed up or the action behind the locking would cause 
+issues.
+ 
+ [Other Info]
+  
+  * n/a
+ 
+ 
+ On start/restart nto has an error in apparmor due to the locking it tries to 
avoid issues running concurrently with ntpdate.
  
  That looks like:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
  
  The rule we need is:
  /run/lock/ntpdate wk,
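
Review bot: The added [Regression Potential] text says the profile is only "slightly" opened up without naming what is granted, and the rule at the end of the description allows `wk` while the quoted denial shows only requested_mask="w" denied_mask="w". Consider naming the exact rule in that section and adding a sentence on why the lock permission `k` is included alongside `w`, so SRU reviewers can judge the scope from the template alone. The "=> see (or no more after fix)" line in [Test Case] would also read more clearly as separate expected results before and after the fix.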
