** Description changed: + [IMPACT] + * dhclient is a root run process and successfully exploiting a flaw in dhclient could + have severe consequences for the user's system + [TESTCASE] + * On an Ubuntu server system using dhcp for an interface: + 1. sudo aa-status # bug not fixed + ... + 1 processes are unconfined but have a profile defined. + /sbin/dhclient (<pid>) + 2. install the updates + 3. reboot + 4. sudo aa-status # bug fixed + ... + 5 processes are in enforce mode. + /sbin/dhclient (<pid>) + ... + 0 processes are unconfined but have a profile defined. + + [Regression Potential] + * Regression potential is low. The AppArmor profile for dhclient has been in use for + years and is still in effect on the default Ubuntu desktop because of when network + manager runs (the profile is loaded before the interface is brought up). Therefore + there should be no surprise denials. + + + = Initial report = I was doing install audits of 12.10 and noticed this with 'sudo aa-status': 1 processes are unconfined but have a profile defined. /sbin/dhclient (<pid removed>) This is a regression over 12.04 and needs to be fixed in an SRU. I don't know what introduced the regression, but it is very likely a race condition. I saw it on 12.10 server but not on 12.10 desktop. It seems to be at least somewhat reproducible (rebooting once showed it is still affected) with an amd64 VM with 1024M of ram with installation defaults (except home directory is encrypted) and the following tasks installed: Basic Ubuntu server OpenSSH server DNS server LAMP server Mail server PostgreSQL database Print server Samba file server Tomcat Java server Virtual Machine host Upon investigation this is because /etc/init/network-interface-security.conf is looking for files in /etc/apparmor/init/network-interface-security/*. Unfortunately, the quantal merge dropped this: diff -Naur ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links --- ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links 2012-10-16 13:48:13.000000000 -0500 +++ ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links 1969-12-31 18:00:00.000000000 -0600 @@ -1,3 +0,0 @@ -sbin/dhclient sbin/dhclient3 -usr/share/man/man8/dhclient.8.gz usr/share/man/man8/dhclient3.8.gz -etc/apparmor.d/sbin.dhclient etc/apparmor/init/network-interface-security/sbin.dhclient
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1067473 Title: [quantal] isc-dhcp-client dropped network-interface-security symlink and therefore may run unconfined To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1067473/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
