** Description changed:

+ [Impact]
+ 
+  * Apparmor denies access to bin directories which the option parsing code 
+    of ntp touches.
+ 
+ [Test Case]
+ 
+  1. get a container of target release
+  2. install ntp
+     apt install ntp
+  3. watch dmesg on container-host
+     dmesg -w
+  4. restart ntp in container
+     systemctl restart ntp
+  => see (or no more after fix) apparmor denie:
+  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
+  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
+ 
+ [Regression Potential]
+ 
+  * we are only slightly opening up the apparmor profile, but none of the
+    changes poses a security risk so regression potential on it's own
+    should be close to zero.
+ 
+  * we discussed if this would be a security risk but came to the 
+    conclusion that r-only should be ok (the same content anyone can grab 
+    from the archive by installing the packages)
+ 
+ [Other Info]
+ 
+  * n/a
+ 
  Issue shows up (non fatal) as:
-  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
-  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
+  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
+  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
  
  Since non crit this is mostyl about many of us being curious why it
  actually does do it :-)
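Review bot: the [Regression Potential] rationale does not match the paths in the denials. /usr/local/sbin/ and /usr/local/bin/ hold locally installed, admin-provided software under the FHS, not content "anyone can grab from the archive by installing the packages", so that sentence should be reworded; the low-risk conclusion still stands on its own since the denied request is a read ("requested_mask="r"") on the directory itself, which exposes only the listing of names, not file contents. To let the "r-only" claim be verified, the description should also state the exact rule(s) added to the /usr/sbin/ntpd profile (the paths and the permission granted), since "slightly opening up the apparmor profile" does not say what changed. Minor: in [Test Case] "apparmor denie" should read "apparmor denial", and the two log lines quoted there drop the "fsuid=0 ouid=0" fields present in the lines below; quoting them identically avoids a reviewer wondering whether they came from a different run.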

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1741227

Title:
  apparmor denial to several paths to binaries

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1741227/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
