Thanks Andreas, yes I see it nearly everywhere as well. Also thanks for spotting that I missed updating the impact - done. Discussion on the MP is going on ...
** Description changed:

  [Impact]

-  * An explanation of the effects of the bug on users and
- 
-  * justification for backporting the fix to the stable release.
- 
-  * In addition, it is helpful, but not required, to include an
-    explanation of how the upload fixes this bug.
+  * NTP has new isolation features which makes it trigger apparmor issues.
+  * Those apparmor issues not only clutter the log and make other things
+    less readable, they also prevent ntp from reporting its actual
+    messages.
+  * Fix is opening the apparmor profile to follow ntp through the
+    disconnect by the isolation feature.

  [Test Case]

-  * This is hard to trigger, but then also not. Which means it is not
-    entirely sorted out when it triggers and when not, but the following
-    does trigger it in tests of Pitti and also mine (while at the same time
-    sometimes it does not - mabye I had other guests or kvm instead of lxd)
+  * This is hard to trigger, but then also not. Which means it is not
+    entirely sorted out when it triggers and when not, but the following
+    does trigger it in tests of Pitti and also mine (while at the same time
+    sometimes it does not - mabye I had other guests or kvm instead of lxd)

-  * First install ntp in Artful (or above unless fixed)
-  * Then you have to cause soemthing that ntp "needs" to complain about
-    in my case I had spawned more virtual guests and NTP failed to bind
-    on their virtual interface, but you could setup anything else that it
-    fails on after the initial start (there it passed over to private
-    TMP)
-  * Once an issue triggers instead of the error in syslog you'll see the
-    apparmor Deny like:
-    apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
-    disconnected path" error=-13 profile="/usr/sbin/ntpd"
-    name="run/systemd/journal/dev-log" pid=5600 comm="ntpd"
-    requested_mask="w" denied_mask="w" fsuid=0 ouid=0
+  * First install ntp in Artful (or above unless fixed)
+  * Then you have to cause soemthing that ntp "needs" to complain about
+    in my case I had spawned more virtual guests and NTP failed to bind
+    on their virtual interface, but you could setup anything else that it
+    fails on after the initial start (there it passed over to private
+    TMP)
+  * Once an issue triggers instead of the error in syslog you'll see the
+    apparmor Deny like:
+    apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
+    disconnected path" error=-13 profile="/usr/sbin/ntpd"
+    name="run/systemd/journal/dev-log" pid=5600 comm="ntpd"
+    requested_mask="w" denied_mask="w" fsuid=0 ouid=0

  [Regression Potential]

-  * We are slightly opening up the apparmor profile which is far lower risk
-    than adding more constraints. So safe from that POV.
+  * We are slightly opening up the apparmor profile which is far lower risk
+    than adding more constraints. So safe from that POV.

-  * OTOH one could think this might be a security issue, but in fact this
-    isn't a new suggestion if you take a look at [1] with an ack by Seth of
-    the Security Team.
+  * OTOH one could think this might be a security issue, but in fact this
+    isn't a new suggestion if you take a look at [1] with an ack by Seth of
+    the Security Team.

  [Other Info]
- 
-  * n/a
+ 
+  * n/a

  [1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html

  ----

  Merely installing and starting ntp.service in Ubuntu 17.10 now causes this AppArmor violation:

  audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

  (many times). This hasn't happened in earlier Ubuntu releases yet. This was spotted by Cockpit's integration tests, as our "ubuntu-stable" image now moved to 17.10 after its release.
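Review bot: the [Test Case] section (the `+  * First install ntp in Artful` ... `+    requested_mask="w" denied_mask="w" fsuid=0 ouid=0` lines) describes how to provoke the denial but gives the verifier no pass criterion for the fixed package; add the expected outcome after the fix, i.e. no further `apparmor="DENIED" ... info="Failed name lookup - disconnected path"` record for `profile="/usr/sbin/ntpd"`, and ntpd's own error message (the bind failure in the example) now reaching syslog/journal, since the [Impact] lines say that message is exactly what the denial currently suppresses. The [Regression Potential] lines would also be stronger if they named what the loosened profile lets ntpd reach (the disconnected `/run/systemd/journal/dev-log` path) rather than only stating that opening a profile is lower risk than tightening it.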
ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
Date: Wed Oct 25 03:19:34 2017
SourcePackage: ntp
UpgradeStatus: No upgrade log present (probably fresh install)

https://bugs.launchpad.net/bugs/1727202
Title: [17.10 regression] AppArmor denial: Failed name lookup - disconnected path

-- 
ubuntu-bugs mailing list: https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
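The denial quoted in this report is easy to misread as an ordinary policy denial and "fix" by adding an allow rule for /run/systemd/journal/dev-log, which can never match because the kernel could not build an absolute path for the socket at all. The following script is an added example for triaging such records; it is not code from the bug report, the ntp package, or AppArmor. It parses the key=value audit format, keeps only DENIED records, and separates "disconnected path" denials from genuine policy denials. The first sample line is the record from this report; the other two lines are constructed here for contrast, and the field names are the kernel's audit field names.

```python
"""Triage AppArmor audit records: separate "disconnected path" denials,
which come from mount-namespace isolation, from ordinary policy denials."""
import re

# Constructed sample input. Line 1 is the denial quoted in the bug report
# (/run/systemd/journal/dev-log, reached by ntpd through a private mount
# namespace). Lines 2 and 3 are made up here for contrast: a plain policy
# denial and an ALLOWED record such as complain mode produces.
SAMPLE_LOG = """\
audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1508915900.001:26): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/opt/example/extra.conf" pid=5600 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1508915901.002:27): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=5600 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; a value is either double-quoted (may contain spaces, as in
# info="Failed name lookup - disconnected path") or a bare token such as -13.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Return the key=value fields of one audit line as a dict, values unquoted."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_disconnected_path(rec):
    """True for a denial caused by the kernel failing to build a path for the
    object relative to the confined task's root, rather than by a profile rule.
    The info string is the tell; the 'name' is then also relative (no leading
    '/'), which is why no path rule in the profile could ever have matched."""
    return "disconnected path" in rec.get("info", "")


def triage(log_text):
    """Group DENIED records per profile into 'disconnected' and 'policy'
    buckets of (operation, name, denied_mask) tuples. Records that are not
    DENIED (e.g. ALLOWED from complain mode) are skipped."""
    result = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED":
            continue
        buckets = result.setdefault(rec["profile"], {"disconnected": [], "policy": []})
        kind = "disconnected" if is_disconnected_path(rec) else "policy"
        buckets[kind].append((rec.get("operation"), rec.get("name"), rec.get("denied_mask")))
    return result


if __name__ == "__main__":
    for profile, buckets in triage(SAMPLE_LOG).items():
        print(profile)
        for op, name, mask in buckets["disconnected"]:
            print(f"  disconnected path: {op} {name!r} ({mask})"
                  " -> profile must be allowed to follow disconnected paths; an allow rule alone cannot match")
        for op, name, mask in buckets["policy"]:
            print(f"  policy denial:     {op} {name!r} ({mask})"
                  " -> add or adjust a rule, or confirm the access is unwanted")
```

Feed it `journalctl -k` or `/var/log/kern.log` output instead of SAMPLE_LOG to triage a real host. The relative `name` on the first record is the practical giveaway that the object sits outside the process's visible mount tree; AppArmor's mechanism for re-attaching such paths so the profile's rules apply to them is the `attach_disconnected` profile flag, which is what "follow ntp through the disconnect" in the description refers to (the flag name is not on this page and is stated here from AppArmor's documentation).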
