[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2017-08-25 Thread Roel Van de Paar
[175882.466186] audit: type=1400 audit(1503640503.535:62):
apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince"
name="/run/systemd/journal/socket" pid=7704 comm="evince"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

Same here (17.04)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759

Title:
  AppArmor nameservice abstraction doesn't allow communication with
  systemd-resolved

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1598759/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2017-08-07 Thread Jamie Strandboge
@intrigeri - you're right. I'll fix this in the citrain branch and in
2.11.0-2ubuntu14.


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2017-08-05 Thread intrigeri
FWIW current Ubuntu citrain branch seems to apply exactly the same patch
twice for some reason:

debian/patches/adjust-nameservice-for-systemd-resolved.patch
debian/patches/profiles-grant-access-to-systemd-resolved.patch

Not sure what's going on, but anyway we don't apply this patch in Debian
so this only affects the Ubuntu-specific bits of the packaging.


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2017-07-23 Thread Václav Haisman
Still true for Zesty.

** Tags added: zesty


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2017-02-10 Thread DimkaS
Still present for me

[176007.813051] audit: type=1400 audit(1486720189.738:122):
apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince"
name="/run/systemd/journal/socket" pid=14715 comm="EvJobScheduler"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

[179389.232131] audit: type=1400 audit(1486723571.310:133):
apparmor="DENIED" operation="sendmsg" profile="/usr/bin/evince"
name="/run/systemd/journal/socket" pid=17305 comm="evince"
requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"

Not sure if it affects something.


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2017-01-31 Thread Tyler Hicks
This isn't fixed in AppArmor upstream. As an upstream, we decided
against taking in this policy update until the patches to perform D-Bus
mediation have landed in the upstream kernel. Without those patches,
we'd be granting full access to the D-Bus system bus socket from the
very commonly used namespace abstraction.

** Changed in: apparmor
   Status: Fix Released => Triaged


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2017-01-31 Thread John Johansen
** Changed in: apparmor
   Status: Triaged => Fix Released


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2016-10-20 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor - 2.10.95-4ubuntu5.1

---
apparmor (2.10.95-4ubuntu5.1) yakkety; urgency=medium

  * debian/patches/profiles-grant-access-to-systemd-resolved.patch: AppArmor
profiles that make use of the nameservice abstraction should be allowed to
communicate with systemd-resolved over D-Bus. Ubuntu 16.10 systems are
configured to use nss-resolve which then communicates with
systemd-resolved's D-Bus API. (LP: #1598759)

 -- Tyler Hicks   Wed, 12 Oct 2016 01:47:06 +

** Changed in: apparmor (Ubuntu Yakkety)
   Status: Fix Committed => Fix Released


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2016-10-20 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor - 2.10.95-4ubuntu5.1

---
apparmor (2.10.95-4ubuntu5.1) yakkety; urgency=medium

  * debian/patches/profiles-grant-access-to-systemd-resolved.patch: AppArmor
profiles that make use of the nameservice abstraction should be allowed to
communicate with systemd-resolved over D-Bus. Ubuntu 16.10 systems are
configured to use nss-resolve which then communicates with
systemd-resolved's D-Bus API. (LP: #1598759)

 -- Tyler Hicks   Wed, 12 Oct 2016 01:47:06 +

** Changed in: apparmor (Ubuntu)
   Status: Fix Committed => Fix Released


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2016-10-13 Thread Christian Boltz
** Tags added: aa-policy


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2016-10-13 Thread Tyler Hicks
We've decided not to merge this patch in the upstream AppArmor project
at this time because most distros don't have the ability to perform
fine-grained mediation of D-Bus communications and this change would
grant full system bus access to network-facing daemons in those distros.

** Changed in: apparmor
   Status: In Progress => Triaged

** Changed in: apparmor
 Assignee: Tyler Hicks (tyhicks) => (unassigned)


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2016-10-13 Thread Tyler Hicks
This change looks to be working as expected. I've done the manual
verification in the bug description and I've also gone through the
desktop/server related portions of
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor.

** Tags removed: verification-needed
** Tags added: verification-done


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2016-10-13 Thread Martin Pitt
Hello knz, or anyone else affected,

Accepted apparmor into yakkety-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/apparmor/2.10.95-4ubuntu5.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Also affects: ntp (Ubuntu Yakkety)
   Importance: High
 Assignee: Joshua Powers (powersj)
   Status: Invalid

** Also affects: apparmor (Ubuntu Yakkety)
   Importance: High
 Assignee: Tyler Hicks (tyhicks)
   Status: Triaged

** Changed in: apparmor (Ubuntu Yakkety)
   Status: Triaged => Fix Committed

** Tags added: verification-needed


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2016-10-11 Thread dino99
@Tyler

comment about the #14 above

I've reported against the 'kernel' the same issue output (but linux
could be the false package; I'm not sure at all)

Bug #1628835


[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2016-10-11 Thread Tyler Hicks
** Description changed:

+ [ Impact ]
+ 
+ Processes confined by AppArmor profiles making use of the nameservice
+ AppArmor abstraction are unable to access the systemd-resolved network
+ name resolution service. The nsswitch.conf file shipped in Yakkety puts
+ the nss-resolve plugin to use which talks to systemd-resolved over
+ D-Bus. The D-Bus communication is blocked for the confined processes
+ described above and those processes will fallback to the traditional
+ means of name resolution.
+ 
+ [ Test Case ]
+ 
+ * Use ntpd to test:
+   $ sudo apt-get install -y ntp
+   ...
+   $ sudo systemctl stop ntp
+ 
+   # in another terminal, watch for AppArmor denials
+   $ dmesg -w
+ 
+   # in the original terminal, start ntp
+   $ sudo systemctl start ntp
+ 
+   # You'll see a number of denials on the system_bus_socket file:
+   audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" 
pid=3867 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0
+ 
+  * Use tcpdump to test:
+ 
+# Capture traffic on whichever network interface you're currently using
+$ sudo tcpdump -i eth0
+ 
+# Look in /var/log/syslog for denials on the system_bus_socket file:
+audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/tcpdump" 
name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" 
denied_mask="wr" fsuid=0 ouid=0
+ 
+ In both situations, ntpd and tcpdump will seemingly work as expected due
+ to the name resolution fallback configured in nsswitch.conf. However,
+ neither confined process will be using systemd-resolved for name
+ resolution.
+ 
+ [ Regression Potential ]
+ 
+ This fix will allow ntp, tcpdump, cupsd, dhclient, and other confined-
+ by-default programs to start using systemd-resolved. There is some
+ potential for regression since those applications have not been
+ previously using systemd-resolved.
+ 
+ [ Original bug description ]
+ 
  On this plain install of Xenial apparmor complains about ntpd:
  
  [   19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" 
pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" 
pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   22.426246] audit: type=1400 audit(146762.434:29): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" 
pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   22.771326] audit: type=1400 audit(146762.782:30): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" 
pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   23.568548] audit: type=1400 audit(1467623334.574:31): apparmor="DENIED" 
operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" 
pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  
  Adding the following line to /etc/apparmor.d/usr.sbin.ntpd fixes the
  problem:
  
- #include 
+ #include 

[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2016-10-11 Thread Tyler Hicks
I forgot to mention what brought me to this bug. I am seeing this denial
when running tcpdump in Ubuntu Yakkety:

apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump"
name="/run/dbus/system_bus_socket" pid=25098 comm="tcpdump"
requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

After pulling the dbus-strict abstraction into the tcpdump profile, I
then see this denial:

pid=2204 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="DENIED"
operation="dbus_method_call"  bus="system"
path="/org/freedesktop/resolve1"
interface="org.freedesktop.resolve1.Manager" member="ResolveAddress"
mask="send" name="org.freedesktop.resolve1" pid=25438
label="/usr/sbin/tcpdump" peer_pid=2471 peer_label="unconfined"

My proposed fix grants access to the ResolveAddress, ResolveHostname,
ResolveRecord, and ResolveService methods of the D-Bus API.


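The thread quotes two shapes of AppArmor denial that a responder has to tell apart: the file-level `connect`/`sendmsg` denial on a socket path (what ntpd, tcpdump and evince hit before any D-Bus abstraction is included), and the `dbus_method_call` denial that only surfaces once `dbus-strict` is pulled into the profile and the kernel can mediate the bus. The parser below is an added example, not code from the bug thread or from the AppArmor project. The sample records are constructed from the lines quoted in this thread (the `STATUS` line is made up as a negative case), and the bucket names used by `classify()` are this example's own.

```python
import re
from collections import Counter

# key=value scanner: the value is either a double-quoted string (which may
# contain spaces) or a bare token. Covers both the dmesg record shape and
# the auditd USER_AVC shape seen in the thread.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample input, modelled on the records quoted in this thread.
# The final STATUS line is made up as a negative case (not a denial).
SAMPLE_LINES = [
    '[   19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" '
    'operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" '
    'pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0',
    'audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" '
    'operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" '
    'pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
    # auditd shape: the AppArmor fields are wrapped in msg='...'; the outer
    # pid/uid belong to dbus-daemon, the inner pid to the confined process.
    "pid=2204 uid=105 auid=4294967295 ses=4294967295 msg='apparmor=\"DENIED\" "
    'operation="dbus_method_call"  bus="system" path="/org/freedesktop/resolve1" '
    'interface="org.freedesktop.resolve1.Manager" member="ResolveAddress" '
    'mask="send" name="org.freedesktop.resolve1" pid=25438 '
    'label="/usr/sbin/tcpdump" peer_pid=2471 peer_label="unconfined"\'',
    '[175882.466186] audit: type=1400 audit(1503640503.535:62): apparmor="DENIED" '
    'operation="sendmsg" profile="/usr/bin/evince" name="/run/systemd/journal/socket" '
    'pid=7704 comm="evince" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0',
    '[   10.000000] audit: type=1400 audit(1467623320.000:20): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="/usr/sbin/ntpd" pid=900 '
    'comm="apparmor_parser"',
]


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, or None for
    any other line (STATUS, ALLOWED, unrelated kernel output)."""
    if 'apparmor="DENIED"' not in line:
        return None
    # Unwrap auditd's msg='...' so the scanner sees the inner fields.
    line = line.replace("msg='", "").rstrip("'")
    fields = {}
    for m in _KV_RE.finditer(line):
        key, raw, quoted = m.groups()
        # Later duplicates win: for the auditd shape that leaves pid= pointing
        # at the confined process rather than at dbus-daemon.
        fields[key] = quoted if quoted is not None else raw
    return fields


def subject(rec):
    """Confined profile name: file records carry profile=, D-Bus records label=."""
    return rec.get("profile") or rec.get("label")


def classify(rec):
    """Bucket a denial by the resource class it concerns (names are this example's own)."""
    if rec.get("operation") == "dbus_method_call":
        return "dbus-method"
    name = rec.get("name", "")
    if name == "/run/dbus/system_bus_socket":
        return "system-bus-socket"
    if name.startswith("/run/systemd/journal/"):
        return "journal-socket"
    return "other"


def summarize(lines):
    """Count denials per (profile, class) across a batch of log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec:
            counts[(subject(rec), classify(rec))] += 1
    return counts


def resolved_related(lines):
    """Denials that point at systemd-resolved name resolution: the system bus
    socket connect seen before a D-Bus abstraction is included, or the
    resolve1 method call seen after it. Both are symptoms of this bug."""
    hits = []
    for line in lines:
        rec = parse_denial(line)
        if not rec:
            continue
        cls = classify(rec)
        if cls == "system-bus-socket":
            hits.append(rec)
        elif cls == "dbus-method" and rec.get("name") == "org.freedesktop.resolve1":
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for (prof, cls), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{prof:24} {cls:20} {n}")
    for rec in resolved_related(SAMPLE_LINES):
        print("resolved-related:", subject(rec), rec.get("operation"),
              rec.get("member") or rec.get("name"))
```

Feeding `dmesg -w` or `/var/log/audit/audit.log` lines through `summarize()` separates the journal-socket noise from the system-bus-socket denials, and `resolved_related()` shows whether a profile is still stuck at the socket stage (no D-Bus abstraction) or is already reaching the `org.freedesktop.resolve1` interface and only needs the method-level rule.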

[Bug 1598759] Re: AppArmor nameservice abstraction doesn't allow communication with systemd-resolved

2016-10-11 Thread Tyler Hicks
Fix sent upstream for review:
https://lists.ubuntu.com/archives/apparmor/2016-October/010130.html
