[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-05-24 Thread Bug Watch Updater
** Changed in: unbound (Debian)
   Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1749931

Title:
  unbound-control local socket broken by apparmor

To manage

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-03-02 Thread Bug Watch Updater
** Changed in: unbound (Debian)
   Status: Unknown => New

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-03-02 Thread Launchpad Bug Tracker
This bug was fixed in the package unbound - 1.6.7-1ubuntu2

---
unbound (1.6.7-1ubuntu2) bionic; urgency=medium

  * debian/apparmor-profile: add capabilities to chown/chmod Unix control
    socket and allow reading /var/lib/sss/mc/initgroups (Closes: #891705,
    LP: #1749931)

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-28 Thread ChristianEhrhardt
FYI - Tests are all good (in proposed migration), it just has to wait for the newer glibc it was built against to pass (this will bring a lot more in as there is a wake behind glibc building up atm).

Re: [Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-28 Thread Simon Déziel
Thanks Christian!

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-28 Thread ChristianEhrhardt
** Changed in: unbound (Ubuntu)
   Status: Incomplete => In Progress

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-28 Thread ChristianEhrhardt
Debdiff is good, thanks Simon! I think it is fair to add fsetid for now to make it work. If details are found on how that can be limited later, we can still do so. With the fixes applied, as expected the control socket is usable now when running from [1] in a container. (my old) lintian complains about a

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-28 Thread Ubuntu Foundations Team Bug Bot
The attachment "18.04-lp1749931.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag,

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-27 Thread Simon Déziel
Here's a debdiff for Bionic.

** Patch added: "18.04-lp1749931.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1749931/+attachment/5064967/+files/18.04-lp1749931.debdiff

** Bug watch added: Debian Bug tracker #891705
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891705

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-27 Thread Simon Déziel
I did further tests with a Bionic container on a Xenial host. There, I also needed to add "capability fsetid".

Re: [Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-26 Thread Simon Déziel
On 2018-02-26 01:58 PM, Jamie Strandboge wrote:
> +1 to add 'capability chown' to the profile, and also for
> '/var/lib/sss/mc/initgroups r,' (since it may or may not make it into
> apparmor SRU in a timely manner.

OK, I'll do that but just to be clear, 'capability fowner' is also needed and I'll

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-26 Thread Jamie Strandboge
+1 to add 'capability chown' to the profile, and also for '/var/lib/sss/mc/initgroups r,' (since it may or may not make it into apparmor SRU in a timely manner).

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-26 Thread ChristianEhrhardt
Hi Simon, my personal stance on apparmor is to lock down as much as possible without breaking the common use cases. And uncommon use cases should be able to e.g. use local overrides to work. In this case I think (my opinion isn't worth a lot on this though) you are right and we should re-introduce

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-23 Thread Simon Déziel
"deny capability chown" was initially added for the PID file, see [1]. Failing to chown the PID or the control socket is only logged at higher log level specifically to not generate noise when the chown capability isn't available, see [2,3]. The "capability fowner" was removed based on [4].

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-23 Thread Jamie Strandboge
"Ok so overall: deny capability chown -> capability chown (can we limit that to a certain scope)"

Unfortunately, no, not unless we get help from unbound to change_profile/change_onexec after a fork/exec or it is happening in a helper binary that we could separately profile.

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-23 Thread ChristianEhrhardt
Oh it is a silent deny ("deny capability chown"), yes I see now.

Ok so overall:
deny capability chown -> capability chown (can we limit that to a certain scope)

> > /run/systemd/notify w,
> The notify problem was taken care of in LP: #1723900 :)

I have hit that in Bionic just now

> >

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-23 Thread Jean-Daniel Dupas
@Christian Adding the rc.conf file should be enough but unless you add /run/systemd/notify w, unbound won't get far enough to trigger the chown issue. For the second issue, change the 'deny capability chown,' to 'capability chown,' in the unbound apparmor profile, restart apparmor and

Re: [Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-23 Thread Simon Déziel
On 2018-02-23 09:40 AM, ChristianEhrhardt wrote:
> That would need:
> /run/systemd/notify w,

The notify problem was taken care of in LP: #1723900 :)

> /var/lib/sss/mc/initgroups r,

IMHO, this should be in abstractions/nameservice which is already included in the Unbound profile.

Christian,

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-23 Thread ChristianEhrhardt
I was trying to follow your case, but hit even more:

[2794286.784575] apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/unbound" name="/run/systemd/notify" pid=4938 comm="unbound" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
[2794367.925181] apparmor="DENIED" operation="open"
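Denial lines like the ones quoted in this message are the raw material for every profile change discussed in this thread, but they miss the case that actually broke the control socket: a rule written as "deny capability chown," is enforced by AppArmor silently, with no DENIED line at all, and unbound only logs the failed chown() at a higher verbosity. The Python below is an added example, not code from the bug report, from Ubuntu or from the unbound project. It turns DENIED kernel-log lines into candidate profile rules (using the /{,var/}run/ alternation the existing unbound profile already uses) and, separately, scans a profile for explicit deny rules so that the silent case is not overlooked. The log lines and the profile fragment are constructed for the example, modelled on the ones quoted in this thread; the pids, timestamps, the ntpd line and the fowner/fsetid capability denials are assumptions.

```python
"""Turn AppArmor DENIED kernel-log lines into candidate profile rules, and
flag the one case a log audit can never surface: an explicit `deny` rule,
which AppArmor enforces silently (no DENIED line is written).

All sample data below is constructed for this example, modelled on the
denials and profile snippets quoted in LP: #1749931. Pids, timestamps,
the ntpd line and the extra capability denials are assumptions.
"""
import re
from typing import Dict, List

SAMPLE_LOG = """\
[2794286.784575] apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/unbound" name="/run/systemd/notify" pid=4938 comm="unbound" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
[2794367.925181] apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/lib/sss/mc/initgroups" pid=4938 comm="unbound" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
[2794367.925300] apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=4938 comm="unbound" capability=3  capname="fowner"
[2794367.925310] apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=4938 comm="unbound" capability=4  capname="fsetid"
[2794367.925400] apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/run/ntpd.pid" pid=1200 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Constructed profile fragment in the shape the thread describes for the
# pre-fix profile: chown is denied explicitly, so unbound's chown() of the
# control socket fails without any kernel log line.
PROFILE_BEFORE = """\
/usr/sbin/unbound {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  deny capability chown,

  # Unix control socket
  /{,var/}run/unbound.ctl rw,
}
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one audit line into its key=value fields (quoted or bare)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def path_rule(path: str, mask: str) -> str:
    """Build a file rule from a path and a denied_mask.

    /run and /var/run are folded into the /{,var/}run/ alternation the
    existing unbound profile uses; the c (create) and d (delete) mask bits
    are granted by w in profile syntax. Exec denials need a manual choice
    of ix/Px/Cx, so they are only flagged."""
    for prefix in ("/var/run/", "/run/"):
        if path.startswith(prefix):
            path = "/{,var/}run/" + path[len(prefix):]
            break
    wanted = mask.replace("c", "w").replace("d", "w")
    modes = "".join(ch for ch in "rwalkm" if ch in wanted)
    note = "  # exec denied: pick ix/Px/Cx by hand" if "x" in mask else ""
    return f"{path} {modes},{note}"


def suggest_rules(log_text: str, profile: str = "/usr/sbin/unbound") -> List[str]:
    """One candidate rule per distinct DENIED event for `profile`, in the
    order first seen. Review each before adding it: a rule is only as
    narrow as the path or capability the kernel reported."""
    rules: List[str] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("apparmor") != "DENIED" or ev.get("profile") != profile:
            continue
        if "capname" in ev:
            rule = f"capability {ev['capname']},"
        elif "name" in ev and ev.get("denied_mask"):
            rule = path_rule(ev["name"], ev["denied_mask"])
        else:
            continue
        if rule not in rules:
            rules.append(rule)
    return rules


DENY_RE = re.compile(r"^\s*deny\s+([^#,]+?)\s*,", re.MULTILINE)


def silent_denies(profile_text: str) -> List[str]:
    """Explicit deny rules in a profile. AppArmor enforces these without
    logging, so they never appear in suggest_rules(); the profile text is
    the only place to look when an operation fails quietly."""
    return [m.group(1) for m in DENY_RE.finditer(profile_text)]


if __name__ == "__main__":
    print("# rules suggested by DENIED log lines:")
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
    print("# denied silently by the profile itself (never logged):")
    for rule in silent_denies(PROFILE_BEFORE):
        print(f"deny {rule},  -> consider: {rule},")
```

Run against real data with "dmesg | python3 thisfile.py"-style plumbing replaced by reading the log into SAMPLE_LOG; the point of keeping suggest_rules() and silent_denies() separate is that the first answers "what did the kernel refuse", while the second answers "what did we tell the kernel not to bother reporting", which is the question this bug turned on.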

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-21 Thread Jean-Daniel Dupas
My config is:

remote-control:
  control-enable: yes
  control-interface: /var/run/unbound.ctl

The socket is created, but then unbound can't properly change the owner to unbound:unbound.

Feb 21 13:08:21 linux-agent systemd[1]: Starting Unbound DNS server...
Feb 21 13:08:22

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-20 Thread Simon Déziel
@Jean-Daniel, sorry, I hastily duped it (now undone). Could you share your config as well as the apparmor denials?

FYI, the Apparmor profile authorizes the creation of a control socket in /run/unbound.ctl:

  # Unix control socket
  /{,var/}run/unbound.ctl rw,

** Changed in: unbound (Ubuntu)

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-20 Thread Simon Déziel
** This bug is no longer a duplicate of bug 1723900
   unbound systemctl (re)start fails due to Apparmor profile issue

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-20 Thread Jean-Daniel Dupas
*** This bug is a duplicate of bug 1723900 ***
https://bugs.launchpad.net/bugs/1723900

I disagree with this. While both bugs are related to AppArmor, they are not related in any way. #1723900 is about permission to write to the systemd/notify socket, while this one is about using a local socket

[Bug 1749931] Re: unbound-control local socket broken by apparmor

2018-02-16 Thread Simon Déziel
*** This bug is a duplicate of bug 1723900 ***
https://bugs.launchpad.net/bugs/1723900

** This bug has been marked a duplicate of bug 1723900
   unbound systemctl (re)start fails due to Apparmor profile issue