The verification of the Stable Release Update for apparmor has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2107596 Title: Apparmor is missing rule for openvpn to set DNS domain Status in apparmor package in Ubuntu: Fix Released Status in apparmor source package in Plucky: Fix Released Status in apparmor source package in Questing: Fix Released Bug description: SRU Justification: [ Impact ] The openvpn profile lacked permissions to manage DHCP settings, causing OpenVPN to fail to work with DHCP options set (either in client configs or with servers that were pushing such settings). [ Test Plan ] * This test description assumes no access to existing machines that use OpenVPN. Additional testing of OpenVPN in related configurations (other virtualization solutions, specifying the server location via IPs or actual domains, etc.) is encouraged. The VM setup instructions are identical to those in the test plan of LP: #2109029. - Spin up two Ubuntu Plucky VMs, one of which will be referred to as openvpn-client and the other of which will be referred to as openvpn-server - Run `sudo aa-status` on each machine to verify that "openvpn", "openvpn//ip", and "openvpn//update-resolv" profiles are loaded - Ensure that the two machines are able to ping each other - Generate a key using `openvpn --genkey secret secret.key` and transfer this key to both machines, somewhere inside the home directory - Place the following configuration onto openvpn-server, next to secret.key: dev tun proto udp cipher aes-256-cbc ifconfig 10.4.13.1 10.4.13.2 secret static.key - Place the following configuration onto openvpn-client, next to secret.key, substituting the remote location: remote openvpn-server.local dev tun proto udp cipher aes-256-cbc ifconfig 10.4.3.2 10.4.13.1 secret static.key script-security 2 dhcp-option DNS 9.9.9.9 dhcp-option DOMAIN ubuntu.com up /etc/openvpn/update-resolv-conf up-restart down /etc/openvpn/update-resolv-conf down-pre - Launch openvpn on both machines by running `openvpn path_to_config` on each - If (openvpn-client "remote" config line is a domain name (.local or otherwise)) and (openvpn is unable to resolve the domain) and (apparmor is generating denials related to (m)DNS lookups), then report verification test failure for LP: #2109029 - Ensure that the two machines are able to ping each other through the OpenVPN tunnel - Run `resolvectl status` and ensure that that newly created tun link has a DNS server of 9.9.9.9 and a DNS domain of ubuntu.com, matching the settings above [ Where problems could occur ] The OpenVPN profile change in this SRU loosens confinement on a profile. However, if a user manually modified the installed profiles, then the package upgrade would cause conflicts, and rejection of the incoming changes (either by hand during an interactive upgrade or automatically during an batch unattended upgrade) would result in end users not getting the packaged fix. The openvpn//update-resolv child profile has an additional attach_disconnected flag specified. This can result in path aliasing and potentially weakening the path-based confinement rules. However, the attach_disconnected flag is unfortunately necessary for running openvpn as a systemd service, and can be re-evaluated once additional AppArmor features are available that can render it unnecessary. [ Other Info ] The OpenVPN setups in the test plans for LP: #2109029 and LP: #2107596 are similar. -------original bug description: If the remote openvpn server is pushing DNS settings that include a domain, the "/etc/openvpn/update-resolv-conf" script will fail. The apparmor settings are missing a rule to allow setting a dns domain. Error from openvpn: sd_bus_open_system: Permission denied Error from apparmor: audit: type=1107 audit(1744925540.893:328): pid=1907 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" member="SetLinkDomains" mask="send" name="org.freedesktop.resolve1" pid=10292 label="openvpn//update-resolv" peer_pid=888 peer_label="unconfined" Thanks for looking into this. # lsb_release -rd Description: Ubuntu 25.04 Release: 25.04 # apt-cache policy apparmor apparmor: Installed: 4.1.0~beta5-0ubuntu14 Candidate: 4.1.0~beta5-0ubuntu14 Version table: *** 4.1.0~beta5-0ubuntu14 500 500 http://de.archive.ubuntu.com/ubuntu plucky/main amd64 Packages 100 /var/lib/dpkg/status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107596/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
