** Description changed: + [Impact] + + * Apparmor denies access to bin directories which the option parsing code + of ntp touches. + + [Test Case] + + 1. get a container of target release + 2. install ntp + apt install ntp + 3. watch dmesg on container-host + dmesg -w + 4. restart ntp in container + systemctl restart ntp + => see (or no more after fix) apparmor denie: + apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" + apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" + + [Regression Potential] + + * we are only slightly opening up the apparmor profile, but none of the + changes poses a security risk so regression potential on it's own + should be close to zero. + + * we discussed if this would be a security risk but came to the + conclusion that r-only should be ok (the same content anyone can grab + from the archive by installing the packages) + + [Other Info] + + * n/a + Issue shows up (non fatal) as: - apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 - apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 + apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Since non crit this is mostyl about many of us being curious why it actually does do it :-)
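Review bot: the added [Regression Potential] section states that "none of the changes poses a security risk" but never says which rules the profile gains. List the exact paths and access mode being added (the denials shown are read requests on the directories /usr/local/sbin/ and /usr/local/bin/) so the "r-only should be ok" conclusion can be checked against the actual profile change. In [Test Case] step 4, the expected denials are pasted without the fsuid=0 ouid=0 fields that the log lines at the end of the description carry. Keeping a single copy of those log lines would stop the two from drifting apart.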
https://bugs.launchpad.net/bugs/1741227

Title: apparmor denial to several paths to binaries
