Re: [Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
On 2020-06-02 8:50 p.m., Chris Halse Rogers wrote:
> You don't *have* to include the full output of the test cases when
> verifying a bug (although, depending on how much output there is, it can
> be nice).

OK, good, thanks for clarifying!

> I don't think it was clear that you *had* gone through the full test-case
> in your verification comment - I'm not entirely sure what gave that
> impression, but I think it might have been the combination of *some*
> output (the apt/dpkg bit) and saying “the bug is fixed, thanks” without
> making reference to the test case.

True, I should have been more explicit, duly noted!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1872564

Title:
  /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
This bug was fixed in the package apparmor - 2.13.3-7ubuntu5.1

---
apparmor (2.13.3-7ubuntu5.1) focal-proposed; urgency=medium

  * upstream-lp1872564.patch: adjust nameservice abstraction for nss-systemd
    - LP: #1872564

 -- Jamie Strandboge  Tue, 19 May 2020 16:59:49 +

** Changed in: apparmor (Ubuntu Focal)
       Status: Fix Committed => Fix Released
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
You don't *have* to include the full output of the test cases when
verifying a bug (although, depending on how much output there is, it can
be nice).

I don't think it was clear that you *had* gone through the full test-case
in your verification comment - I'm not entirely sure what gave that
impression, but I think it might have been the combination of *some*
output (the apt/dpkg bit) and saying “the bug is fixed, thanks” without
making reference to the test case.

Thanks for testing!
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
@Brian, I did go through the full test case when marking it as verified
in comment #20. Do I really need to repeat the full test case when
verifying a bug?

$ lxc launch images:ubuntu/focal fb1
$ lxc exec fb1 -- apt update && lxc exec fb1 -- apt install apparmor -y
$ lxc exec fb1 -- apt install bind9 -y

# Confirms the problem:
$ journalctl -o cat -b0 -k | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'
audit: type=1400 audit(1591130868.387:930): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
audit: type=1400 audit(1591130868.387:931): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
audit: type=1400 audit(1591130868.387:932): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
audit: type=1400 audit(1591130868.387:933): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100

Bringing in the fix from -proposed:
$ echo 'deb http://archive.ubuntu.com/ubuntu focal-proposed main' | lxc exec fb1 -- tee /etc/apt/sources.list
$ lxc exec fb1 -- apt update
$ lxc exec fb1 -- apt install apparmor
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  apparmor-profiles-extra apparmor-utils
The following packages will be upgraded:
  apparmor
1 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
Need to get 494 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 apparmor amd64 2.13.3-7ubuntu5.1 [494 kB]
Fetched 494 kB in 1s (929 kB/s)
Preconfiguring packages ...
(Reading database ... 14968 files and directories currently installed.)
Preparing to unpack .../apparmor_2.13.3-7ubuntu5.1_amd64.deb ...
Unpacking apparmor (2.13.3-7ubuntu5.1) over (2.13.3-7ubuntu5) ...
Setting up apparmor (2.13.3-7ubuntu5.1) ...
Installing new version of config file /etc/apparmor.d/abstractions/nameservice ...
Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Processing triggers for systemd (245.4-4ubuntu3.1) ...

$ lxc exec fb1 -- systemctl restart named

No *new* DENIED messages in 'journalctl -k', so marking as
verification-done.
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
I don't see the following step from the Test Case performed in comment
#20. Was it?

4) check kernel logs for DENIED
$ journalctl -o cat -b0 -k | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'

or, depending on how logging is configured:

$ dmesg | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'

Step 4, should not return anything. Because systemd is involved in the
user/group lookups, it currently returns the following:

** Tags removed: verification-done verification-done-focal
** Tags added: verification-needed verification-needed-focal
Re: [Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
On Monday, June 01 2020, Jamie Strandboge wrote:
> FYI, those re-runs passed and the package is green in
> https://people.canonical.com/~ubuntu-archive/pending-sru.html. When
> ubuntu-sru goes through the queue, this will be published.

Thanks for taking care of this one, Jamie!

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
FYI, those re-runs passed and the package is green in
https://people.canonical.com/~ubuntu-archive/pending-sru.html. When
ubuntu-sru goes through the queue, this will be published.
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
The autopkgtest failures seem unrelated. I triggered reruns just now.
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
@Marco, this issue is not yet fixed in Focal. Marking back to Fix
Committed.

** Changed in: apparmor (Ubuntu Focal)
       Status: Fix Released => Fix Committed
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
** Changed in: apparmor (Ubuntu Focal)
       Status: Fix Committed => Fix Released
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
** Merge proposal unlinked:
   https://code.launchpad.net/~sergiodj/ubuntu/+source/apparmor/+git/apparmor/+merge/383796
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
After pulling apparmor 2.13.3-7ubuntu5.1 from focal-proposed:

Get:18 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 apparmor amd64 2.13.3-7ubuntu5.1 [494 kB]
...
Unpacking apparmor (2.13.3-7ubuntu5.1) over (2.13.3-7ubuntu5) ...
Setting up libapparmor1:amd64 (2.13.3-7ubuntu5.1) ...
Setting up apt-utils (2.0.3) ...
Setting up apparmor (2.13.3-7ubuntu5.1) ...
Installing new version of config file /etc/apparmor.d/abstractions/nameservice ...
Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
...

I'm happy to report the bug is fixed, thanks so much!

** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
Hello Simon, or anyone else affected,

Accepted apparmor into focal-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/apparmor/2.13.3-7ubuntu5.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-focal to verification-done-focal. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-focal. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: apparmor (Ubuntu Focal)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-focal
Re: [Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
On Wednesday, May 20 2020, Simon Déziel wrote:
> To save you some work, I'll be happy to do the verification as soon as
> something lands in focal-proposed. Thanks

Thanks, Simon! Much appreciated.

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
To save you some work, I'll be happy to do the verification as soon as
something lands in focal-proposed. Thanks
Re: [Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
On Tuesday, May 19 2020, Jamie Strandboge wrote:
> @Sergio - assuming you are ok with my patch, do you still plan to follow
> through on the SRU verification once it is accepted into focal-proposed?

Hi Jamie,

Yes, I can take care of the verification if no one else does it.

Thanks,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
@Sergio - assuming you are ok with my patch, do you still plan to follow
through on the SRU verification once it is accepted into focal-proposed?
Re: [Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
On Tuesday, May 19 2020, Jamie Strandboge wrote:
> @Sergio, I didn't see that you uploaded anything to the queue so to
> expedite the SRU since there are a number of duplicates, I created a
> smaller backport of the fix and uploaded it to focal-proposed just now:
> http://launchpadlibrarian.net/480473812/apparmor_2.13.3-7ubuntu5_2.13.3-7ubuntu5.1.diff.gz
>
> (I hope that is alright).

Thanks, Jamie! That's quite alright. There's an MP opened about this,
but we got sidetracked and forgot to follow up.

Thanks again.

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
@Sergio, I didn't see that you uploaded anything to the queue so to
expedite the SRU since there are a number of duplicates, I created a
smaller backport of the fix and uploaded it to focal-proposed just now:
http://launchpadlibrarian.net/480473812/apparmor_2.13.3-7ubuntu5_2.13.3-7ubuntu5.1.diff.gz

(I hope that is alright).

** Changed in: apparmor (Ubuntu Focal)
       Status: Confirmed => In Progress
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
This bug was fixed in the package apparmor - 2.13.3-7ubuntu6

---
apparmor (2.13.3-7ubuntu6) groovy; urgency=medium

  * Add missing "boot_id" rule to abstractions/nameservice. (LP: #1872564)
    - d/p/upstream-commit-454fca7-Add-run-variable.patch:
      Add the definition for the "@{run}" variable.
    - d/p/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch:
      Add trailing slash to the "@{run}" variable.
    - d/p/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch:
      Add a missing rule to allow systemd to access
      @{PROC}/sys/kernel/random/boot_id and @{run}/systemd/userdb.
    - d/apparmor.install: Install new file 'tunables/run' under
      '/etc/apparmor.d'.

 -- Sergio Durigan Junior  Mon, 11 May 2020 09:55:16 -0400

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => Fix Released
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
** Description changed:

  [Impact]
  
  On a default Focal install, systemd is used when looking up passwd and
  group information:
  
  # grep systemd /etc/nsswitch.conf
  passwd:         files systemd
  group:          files systemd
  
  Daemons confined by Apparmor that also query those "databases" will
  cause this Apparmor denial:
  
  audit: type=1400 audit(1586825456.411:247): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=7370 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  
  Many daemons confined by Apparmor also happen to downgrade their
  privileges so they always end up looking up user/group information.
  
- To fix
+ To fix this problem, we had to backport an upstream patch which adds new
+ directives to the 'nameservice' apparmor profile.
  
  [Test Case]
  
  In order to reproduce the bug, one can:
  
  1) launch a Focal container (named fb1 here)
  $ lxc launch images:ubuntu/focal fb1
  
  2) setup apparmor inside the container (already done on official Ubuntu images)
  $ lxc exec fb1 -- apt update && lxc exec fb1 -- apt install apparmor -y
  
  3) install bind9
  $ lxc exec fb1 -- apt install bind9 -y
  
  4) check kernel logs for DENIED
  $ journalctl -o cat -b0 -k | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'
  
  or, depending on how logging is configured:
  
  $ dmesg | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'
  
  Step 4, should not return anything. Because systemd is involved in the
  user/group lookups, it currently returns the following:
  
  audit: type=1400 audit(1586826072.115:266): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  audit: type=1400 audit(1586826072.115:267): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  audit: type=1400 audit(1586826072.115:268): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  audit: type=1400 audit(1586826072.115:269): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  audit: type=1400 audit(1586826072.115:270): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  
  [Regression Potential]
  
  In order to fix this issue, 3 separate patches had to be backported.
  They are simple and self-contained, especially two of them, whose
  purposes are to add the definition of the @{run} variable and then to
  add a trailing slash at the end of the "/run" pathname.
  
  The other patch, albeit very simple, adds three statements to the
  'nameservice' profile in order to let processes access (read-only) files
  under "/run/systemd/userdb" and "/proc/sys/kernel/random/boot_id".
  
  After thinking about the possible cases, the only possible problem I
  could envision was for a program that, not being able to access some of
  these files before, will now be able to do that and therefore exercise a
  part of its codebase which was not being used, possibly uncovering
  latent bugs in this software. But this is not a regression of apparmor
  per se.
  
  [Original Description]
  
  (Description and Test Case were moved above)
  
  # Workaround
  
  1) remove systemd from nsswitch.conf
  $ lxc exec fb1 -- sed -i 's/ systemd$/ # systemd/' /etc/nsswitch.conf
  
  2) restart named
  $ lxc exec fb1 -- service named restart
  
  3) notice no more denials in kernel logs
  
  # Additional information
  
  root@fb1:~# apt-cache policy apparmor
  apparmor:
-   Installed: 2.13.3-7ubuntu4
-   Candidate: 2.13.3-7ubuntu4
-   Version table:
-  *** 2.13.3-7ubuntu4 500
-         500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
-         100 /var/lib/dpkg/status
+   Installed: 2.13.3-7ubuntu4
+   Candidate: 2.13.3-7ubuntu4
+   Version table:
+  *** 2.13.3-7ubuntu4 500
+         500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
+         100 /var/lib/dpkg/status
  
  root@fb1:~# uname -a
  Linux fb1 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  
  root@fb1:~# lsb_release -rd
  Description:    Ubuntu Focal Fossa (development branch)
  Release:        20.04
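Step 4 of the test case above (and the same check in the verification comment), done in code: an added example for this thread, not code from the apparmor package or from anyone in the bug. It parses AppArmor audit records as they appear in the kernel log, keeps the DENIED ones for a given profile, and aggregates them by path and denied mask; the sample records are constructed after the ones in the report, and the `/usr/sbin/example-daemon` profile is invented to show the filtering.

```python
"""Step 4 of the test case in code: parse AppArmor audit records from the
kernel log, keep the DENIED ones for a given profile and aggregate them.

Added example for this bug thread; not code from the apparmor package.
The sample records below are constructed after the ones in the report.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# AppArmor audit records are space-separated key=value pairs; string
# values are double-quoted, numeric ones are bare (e.g. pid=21656).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the fields of one AppArmor audit record, or {} for any
    other kernel log line (the journal also carries non-AppArmor text)."""
    if 'apparmor=' not in line:
        return {}
    rec: Dict[str, str] = {}
    for key, quoted, bare in _KV.findall(line):
        rec[key] = quoted if quoted else bare
    return rec


def denials(lines: Iterable[str], profile: Optional[str] = None):
    """Yield parsed DENIED records, optionally restricted to one profile
    (the test case uses profile="/usr/sbin/named")."""
    for line in lines:
        rec = parse_audit_line(line)
        if rec.get('apparmor') != 'DENIED':
            continue
        if profile is not None and rec.get('profile') != profile:
            continue
        yield rec


def summarize(lines: Iterable[str], profile: Optional[str] = None) -> Counter:
    """Count denials by (profile, path, denied_mask): what a triager wants
    instead of the same record repeated once per open() attempt."""
    counts: Counter = Counter()
    for rec in denials(lines, profile):
        counts[(rec.get('profile'), rec.get('name'), rec.get('denied_mask'))] += 1
    return counts


def step4_passes(lines: Iterable[str], profile: str = '/usr/sbin/named') -> bool:
    """True when the grep in step 4 would print nothing for the profile."""
    return not summarize(lines, profile)


def candidate_rules(lines: Iterable[str], profile: str) -> List[str]:
    """Render each distinct denial as an AppArmor file rule ('path mode,').
    Paths are literal here; an abstraction would use tunables such as
    @{PROC} instead, as the backported fix does."""
    return [f'{path} {mask},' for (_, path, mask) in sorted(summarize(lines, profile))]


# Constructed after the records in the bug report: named is denied reading
# boot_id (twice), an invented unrelated profile has its own denial, an
# ALLOWED record must not be counted, and a non-AppArmor line is ignored.
SAMPLE_BEFORE = [
    'audit: type=1400 audit(1591130868.387:930): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100',
    'audit: type=1400 audit(1591130868.387:931): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100',
    'audit: type=1400 audit(1591130870.001:940): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/example-daemon" name="/run/systemd/userdb/" pid=21700 comm="example" requested_mask="r" denied_mask="r" fsuid=101 ouid=0',
    'audit: type=1400 audit(1591130871.500:941): apparmor="ALLOWED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/etc/bind/named.conf" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=0',
    'Linux version 5.4.0 (constructed non-AppArmor kernel line)',
]
# After the fixed abstraction is loaded only the unrelated denial remains.
SAMPLE_AFTER = SAMPLE_BEFORE[2:]


if __name__ == '__main__':
    for key, n in summarize(SAMPLE_BEFORE, '/usr/sbin/named').items():
        print(n, *key)
    print('step 4 passes before fix:', step4_passes(SAMPLE_BEFORE))
    print('step 4 passes after fix: ', step4_passes(SAMPLE_AFTER))
    print('\n'.join(candidate_rules(SAMPLE_BEFORE, '/usr/sbin/named')))
```

On a real host feed it `journalctl -o cat -b0 -k` or `dmesg` output line by line; the ALLOWED record shows why grepping for `apparmor=` alone is not enough when a profile runs in complain mode.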
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
Thanks for being on top of this, Sergio. I'm surprised that a LP search
for "boot_id" in this project did not turn up this existing bug report.
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
** Description changed:

- # Description
+ [Impact]
  
  On a default Focal install, systemd is used when looking up passwd and
  group information:
  
- # grep systemd /etc/nsswitch.conf
+ # grep systemd /etc/nsswitch.conf
  passwd:         files systemd
  group:          files systemd
  
  Daemons confined by Apparmor that also query those "databases" will
  cause this Apparmor denial:
  
  audit: type=1400 audit(1586825456.411:247): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=7370 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  
  Many daemons confined by Apparmor also happen to downgrade their
  privileges so they always end up looking up user/group information.
  
- # Steps to reproduce
+ To fix
+ 
+ [Test Case]
+ 
+ In order to reproduce the bug, one can:
  
  1) launch a Focal container (named fb1 here)
  $ lxc launch images:ubuntu/focal fb1
  
  2) setup apparmor inside the container (already done on official Ubuntu images)
  $ lxc exec fb1 -- apt update && lxc exec fb1 -- apt install apparmor -y
  
  3) install bind9
  $ lxc exec fb1 -- apt install bind9 -y
  
  4) check kernel logs for DENIED
  $ journalctl -o cat -b0 -k | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'
+ or, depending on how logging is configured:
  
- Step 4, should not return anything. Because systemd is involved in the user/group lookups, it currently returns the following:
+ $ dmesg | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'
+ 
+ Step 4, should not return anything. Because systemd is involved in the
+ user/group lookups, it currently returns the following:
  
  audit: type=1400 audit(1586826072.115:266): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  audit: type=1400 audit(1586826072.115:267): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  audit: type=1400 audit(1586826072.115:268): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  audit: type=1400 audit(1586826072.115:269): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  audit: type=1400 audit(1586826072.115:270): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
  
+ [Regression Potential]
+ 
+ In order to fix this issue, 3 separate patches had to be backported.
+ They are simple and self-contained, especially two of them, whose
+ purposes are to add the definition of the @{run} variable and then to
+ add a trailing slash at the end of the "/run" pathname.
+ 
+ The other patch, albeit very simple, adds three statements to the
+ 'nameservice' profile in order to let processes access (read-only) files
+ under "/run/systemd/userdb" and "/proc/sys/kernel/random/boot_id".
+ 
+ After thinking about the possible cases, the only possible problem I
+ could envision was for a program that, not being able to access some of
+ these files before, will now be able to do that and therefore exercise a
+ part of its codebase which was not being used, possibly uncovering
+ latent bugs in this software. But this is not a regression of apparmor
+ per se.
+ 
+ [Original Description]
+ 
+ (Description and Test Case were moved above)
  
  # Workaround
  
  1) remove systemd from nsswitch.conf
  $ lxc exec fb1 -- sed -i 's/ systemd$/ # systemd/' /etc/nsswitch.conf
  
  2) restart named
  $ lxc exec fb1 -- service named restart
  
  3) notice no more denials in kernel logs
  
  # Additional information
  
  root@fb1:~# apt-cache policy apparmor
  apparmor:
    Installed: 2.13.3-7ubuntu4
    Candidate: 2.13.3-7ubuntu4
    Version table:
   *** 2.13.3-7ubuntu4 500
          500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
          100 /var/lib/dpkg/status
  
  root@fb1:~# uname -a
  Linux fb1 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  
  root@fb1:~# lsb_release -rd
  Description:    Ubuntu Focal Fossa (development branch)
  Release:        20.04
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
** Changed in: apparmor (Ubuntu Focal)
     Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
** Merge proposal linked: https://code.launchpad.net/~sergiodj/ubuntu/+source/apparmor/+git/apparmor/+merge/383796
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apparmor (Ubuntu Focal)
       Status: New => Confirmed
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
** Also affects: apparmor (Ubuntu Focal)
   Importance: Undecided
       Status: New
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
** Merge proposal linked: https://code.launchpad.net/~sergiodj/ubuntu/+source/apparmor/+git/apparmor/+merge/383686
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
I'm building a PPA with the backported fix here: https://launchpad.net/~sergiodj/+archive/ubuntu/apparmor-bug1872564

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
The missing rule for boot_id was added to Apparmor 2.13 (https://gitlab.com/apparmor/apparmor/-/blob/apparmor-2.13/profiles/apparmor.d/abstractions/nameservice#L35) and was later refined in the master branch. As such, marking as fix committed.

** Changed in: apparmor (Ubuntu)
       Status: New => Fix Committed
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
squid in focal is indeed another package that triggers that denial, but it is non-fatal there, as mentioned by Andreas.

@ahasenack, with 4.11, squid's systemd unit moved from Type=forking to Type=notify and, with the error you showed, I would expect you to see a denial trying to write to /run/systemd/notify. I don't think a rule for /run/systemd/notify was added in any abstraction (yet) and I don't see any such rule in squid's profile itself.
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
That was squid 4.11, for groovy, btw. squid as shipped in focal is working fine.
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
Squid is failing to start due to this apparmor deny:

[ 7271.822230] audit: type=1400 audit(1588602033.905:516): apparmor="DENIED" operation="open" namespace="root//lxd-autopkgtest-lxd-sljvrl_" profile="/usr/sbin/squid" name="/proc/sys/kernel/random/boot_id" pid=289530 comm="squid" requested_mask="r" denied_mask="r" fsuid=100 ouid=100

which results in:

2020/05/04 14:20:34 kid1| WARNING: failed to send start-up notification to systemd
sd_notify() error: (13) Permission denied

and

# time systemctl start squid
Job for squid.service failed because a timeout was exceeded.
See "systemctl status squid.service" and "journalctl -xe" for details.

real	2m6.317s
user	0m0.014s
sys	0m0.011s
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
`snap info lxd` says:

installed: 4.0.1 (14890) 72MB -

And indeed, there is a tmpfs mounted there:

root@bind:~# mount | grep boot
none on /proc/sys/kernel/random/boot_id type tmpfs (ro,nosuid,nodev,noexec,relatime,size=492k,mode=755,uid=1524288,gid=1524288)

That said, I don't think there is anything lxd-specific to this issue, as similar behavior is observable on physical/virtual machines where lxd is not used at all.
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
Which lxd are you using? Because more recent ones should be creating a per-container boot_id.
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
Scratch that. Using 'owner' on a root-owned but world readable file is probably ill-advised in an abstraction. It seems plausible for an application to do NSS lookup for user/group while running as non-root.
[Bug 1872564] Re: /proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice
On all my machines and using various daemons, the denial messages always have fsuid==ouid. As such, I believe it would be OK to use the 'owner' specifier like this:

owner @{PROC}/sys/kernel/random/boot_id r,
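The fsuid/ouid check debated in the two comments above (proposing `owner`, then retracting it), as an added Python example that is not part of this bug thread or of AppArmor itself: it parses AppArmor DENIED audit records in the format quoted in this bug, groups them by profile and path, and proposes an `owner`-qualified rule only when every observed denial had fsuid == ouid. The sample log is constructed: two lines copy the named denials quoted here, and the third is a constructed squid denial on a root-owned file read by a non-root uid, the case the retraction describes.

```python
import re
from collections import defaultdict

# key=value fields of an AppArmor type=1400 audit record (quoted or bare values).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the first two lines copy the named denials quoted in this
# bug (fsuid == ouid); the third is a constructed squid denial where a non-root
# process (fsuid=13) reads a root-owned file (ouid=0), which 'owner' would not cover.
SAMPLE_LOG = """\
audit: type=1400 audit(1586826072.115:266): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
audit: type=1400 audit(1586826072.115:267): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=100 ouid=100
[ 7271.822230] audit: type=1400 audit(1588602033.905:516): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/proc/sys/kernel/random/boot_id" pid=289530 comm="squid" requested_mask="r" denied_mask="r" fsuid=13 ouid=0
"""


def parse_denial(line):
    """Return the fields of an apparmor="DENIED" record as a dict, else None."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields


def summarise(log_text):
    """Group denials by (profile, path); record masks and whether fsuid == ouid held every time."""
    groups = defaultdict(lambda: {"count": 0, "all_owner": True, "masks": set()})
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        g = groups[(f["profile"], f["name"])]
        g["count"] += 1
        g["masks"].add(f["denied_mask"])
        if f["fsuid"] != f["ouid"]:
            g["all_owner"] = False
    return dict(groups)


def suggest_rule(path, masks, all_owner):
    """Candidate rule for the path, using the @{PROC} variable as in the bug.

    'owner' is proposed only if every observed denial had fsuid == ouid; a
    root-owned, world-readable file read by a non-root daemon needs the
    unqualified rule, which is why a shared abstraction should not rely on 'owner'.
    """
    if path.startswith("/proc/"):
        path = "@{PROC}/" + path[len("/proc/"):]
    return f"{'owner ' if all_owner else ''}{path} {''.join(sorted(masks))},"
```

Running `summarise(SAMPLE_LOG)` and feeding each group to `suggest_rule` yields the owner-qualified rule for named (all denials had fsuid == ouid) and the unqualified one for the constructed squid case.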