- Tested 2.10.95-0ubuntu2.9 from PPA (working as expected - Added SRU Template - Uploaded for consideration by the SRU team
** Description changed: + [Impact] + + * The base abstraction in xenial misses some ways programs can push + logs to journald + + * Backport the fix form Artful to: + 1. get rid of the Denies making logs less readable + 2. get users to see the actual log entries will help to unbreak many + other cases + + [Test Case] + + * Install one of the affected packages (in a xenial container is enough) + * For the case of ntp just install and then run + systemctl restart ntp + * in Dmesg you'll see apparmor Denies like + apparmor="DENIED" + operation="file_inherit" + profile="/usr/sbin/ntpd" + name="/run/systemd/journal/stdout" + * Each case is different, in this (ntp) case also some log entries are + missed due to the block + * After installing the fixed package there is no Deny anymore and + programs are able to correctly log. + + [Regression Potential] + + * The change is in ubuntu as-is since artful and we are only opening up, + but not limiting the access - so there should be nothing that is denied + after the update that was not before. + Vice versa there could be changes due to things now working correcrly, + but I'd not see that as a regression. + + [Other Info] + + * affects many packages ntp, tor - I even heard examples of mysql. + But the fix is in apparmor through base abstraction + + --- + Using tor 0.2.9.9-1ubuntu1 with Linux 4.10.0-9-generic on Zesty, tor fails to start after installing the tor package. "systemctl status tor@default" reports: Mar 06 16:04:00 zesty systemd[1]: [email protected]: Main process exited, code=killed, status=11/SEGV Mar 06 16:04:00 zesty systemd[1]: Failed to start Anonymizing overlay network for TCP. Mar 06 16:04:00 zesty systemd[1]: [email protected]: Unit entered failed state. Mar 06 16:04:00 zesty systemd[1]: [email protected]: Failed with result 'signal'. There are two AppArmor denials in the kernel log: Mar 6 15:53:12 zesty-test kernel: [ 102.699647] audit: type=1400 audit(1488815592.268:35): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-zesty_<var-lib-lxd>" profile="system_tor" name="/run/systemd/journal/stdout" pid=3520 comm="tor" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000 Mar 6 15:53:12 zesty-test kernel: [ 102.702418] audit: type=1400 audit(1488815592.272:37): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-zesty_<var-lib-lxd>" profile="system_tor" name="/usr/bin/tor" pid=3520 comm="tor" requested_mask="m" denied_mask="m" fsuid=100000 ouid=100000 Workaround: add the following two lines to /etc/apparmor.d/system_tor: /usr/bin/tor m, /run/systemd/journal/stdout rw, I couldn't remember how to that that profile reloaded, so I rebooted, and after the reboot tor does start up successfully. "systemctl tor@default" reports it as running. I haven't checked to see if only one or other rule is actually required. Importance -> High since this bug makes the package unusable in its default configuration on Zesty. Since the AppArmor profile comes from Debian's 0.2.9.9-1, this should probably be fixed in Debian. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1670408 Title: apparmor base abstraction needs backport of rev 3658 to fix several denies (tor, ntp, ...) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1670408/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
