Public bug reported:

## Description

In Ubuntu 26.04 (Resolute Raccoon), the default AppArmor profile for OpenVPN prevents the openvpn-systemd-resolved integration from functioning correctly. When using the `openvpn-client@<config_name>` service, users rely on openvpn-systemd-resolved for per-domain DNS resolution. This requires the following configuration in the OpenVPN client profile:

```
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/update-systemd-resolved
up-restart
down /etc/openvpn/update-systemd-resolved
down-pre
```

However, the AppArmor profile for OpenVPN does not grant sufficient permissions to execute these scripts or to communicate with the systemd-resolved socket. This causes the initialization sequence to fail or complete with errors, leaving the system without proper DNS routing.

### System Information

* OS: Ubuntu 26.04 LTS (Resolute Raccoon)
* Packages: openvpn, openvpn-systemd-resolved, apparmor

### Steps to Reproduce

1. Install openvpn and openvpn-systemd-resolved.
2. Configure a client profile with the up/down scripts pointing to /etc/openvpn/update-systemd-resolved.
3. Start the service: `sudo systemctl start openvpn-client@<config_name>`

### Expected Behavior

The VPN tunnel should establish, and the DNS servers pushed by the VPN server should be applied to the relevant interface via systemd-resolved.

### Actual Behavior

The service fails with status 127 (command not found / execution denied) when trying to run the DNS helper scripts:

```
openvpn[91304]: /usr/libexec/openvpn/dns-updown
openvpn[91304]: dns up command exited with status 127
```

### AppArmor Audit Logs (the root cause)

AppArmor is explicitly denying access to the systemd-resolved socket and the execution of the necessary scripts:

* Denied socket connect: name="/run/systemd/resolve/io.systemd.Resolve" operation="connect" requested_mask="wr"
* Denied script exec: name="/usr/libexec/openvpn/dns-updown" operation="exec" requested_mask="x"
* Denied script exec: name="/etc/openvpn/update-systemd-resolved" operation="exec" requested_mask="x"

```
audit.log:type=AVC msg=audit(1774938428.685:894): apparmor="DENIED" operation="connect" class="file" profile="openvpn" name="/run/systemd/resolve/io.systemd.Resolve" pid=91304 comm="openvpn" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=991 FSUID="root" OUID="systemd-resolve"
audit.log:type=AVC msg=audit(1774938429.820:895): apparmor="DENIED" operation="exec" class="file" profile="openvpn" name="/usr/libexec/openvpn/dns-updown" pid=91414 comm="openvpn" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 FSUID="root" OUID="root"
audit.log:type=AVC msg=audit(1774938514.974:896): apparmor="DENIED" operation="exec" class="file" profile="openvpn" name="/usr/libexec/openvpn/dns-updown" pid=99946 comm="openvpn" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 FSUID="root" OUID="root"
audit.log:type=AVC msg=audit(1774938515.047:900): apparmor="DENIED" operation="connect" class="file" profile="openvpn" name="/run/systemd/resolve/io.systemd.Resolve" pid=99952 comm="openvpn" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=991 FSUID="root" OUID="systemd-resolve"
audit.log:type=AVC msg=audit(1774938516.325:902): apparmor="DENIED" operation="exec" class="file" profile="openvpn" name="/etc/openvpn/update-systemd-resolved" pid=100083 comm="openvpn" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 FSUID="root" OUID="root"
```

### Impact

This is a critical regression for remote server management. If a user performs a `do-release-upgrade` to Ubuntu 26.04 on a remote machine managed via OpenVPN, the restrictive AppArmor profile will break the VPN connectivity upon reboot. Since the up scripts fail to execute, the DNS will not be configured correctly, and in many cases the entire tunnel initialization may fail, leading to a permanent loss of remote access to the server.

### Workaround

Currently, the only way to restore functionality is to put the OpenVPN profile into complain mode, which bypasses the security benefits of AppArmor:

```bash
sudo aa-complain /usr/sbin/openvpn
```

### Suggested Fix

The AppArmor profile for /usr/sbin/openvpn needs to be updated to allow:

1. Execution of `/etc/openvpn/*` and `/usr/libexec/openvpn/*`.
2. Write access to the systemd-resolved Unix socket (`/run/systemd/resolve/io.systemd.Resolve`).

** Affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2146874

Title:
  OpenVPN fails to execute update-systemd-resolved scripts due to restrictive AppArmor profile

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
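The suggested fix above amounts to turning the quoted AVC denials into a handful of profile rules, which is a tighter response than `aa-complain`. The script below is an added example (not part of the bug report or of the apparmor package) that parses AppArmor DENIED records in the audit-log format shown and emits the corresponding file rules; the exec-to-`ix` and mask-to-`rw` mapping is an assumption mirroring aa-logprof's defaults, and the sample log text is constructed from the lines quoted in the report.

```python
import re

# Constructed sample: four of the AVC records quoted in the report, with the
# "audit.log:" prefix that grep adds left in place (the parser tolerates it).
SAMPLE_AUDIT = """\
audit.log:type=AVC msg=audit(1774938428.685:894): apparmor="DENIED" operation="connect" class="file" profile="openvpn" name="/run/systemd/resolve/io.systemd.Resolve" pid=91304 comm="openvpn" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=991 FSUID="root" OUID="systemd-resolve"
audit.log:type=AVC msg=audit(1774938429.820:895): apparmor="DENIED" operation="exec" class="file" profile="openvpn" name="/usr/libexec/openvpn/dns-updown" pid=91414 comm="openvpn" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 FSUID="root" OUID="root"
audit.log:type=AVC msg=audit(1774938515.047:900): apparmor="DENIED" operation="connect" class="file" profile="openvpn" name="/run/systemd/resolve/io.systemd.Resolve" pid=99952 comm="openvpn" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=991 FSUID="root" OUID="systemd-resolve"
audit.log:type=AVC msg=audit(1774938516.325:902): apparmor="DENIED" operation="exec" class="file" profile="openvpn" name="/etc/openvpn/update-systemd-resolved" pid=100083 comm="openvpn" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 FSUID="root" OUID="root"
"""

# Audit records are key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the fields of one AppArmor DENIED record as a dict, or None for anything else."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD_RE.finditer(line)}
    if fields.get("type") != "AVC" or fields.get("apparmor") != "DENIED":
        return None
    return fields


def rule_for(fields):
    """Translate one denial into an AppArmor file rule (assumed mapping).

    An exec denial becomes an `ix` rule, so the helper inherits the openvpn
    confinement and its own file/socket accesses must be allowed as well; a
    connect/open denial on a path becomes an r/w rule built from denied_mask.
    """
    name, op = fields["name"], fields["operation"]
    if op == "exec":
        return f"{name} ix,"
    perms = "".join(p for p in "rw" if p in fields["denied_mask"])
    return f"{name} {perms},"


def denials_to_rules(log_text, profile="openvpn"):
    """Deduplicated rules, in first-seen order, for denials attributed to `profile`."""
    rules = {}
    for line in log_text.splitlines():
        fields = parse_avc(line)
        if fields and fields.get("profile") == profile:
            rules.setdefault(rule_for(fields), None)
    return list(rules)
```

Review the generated rules, then place them in the profile's local override under `/etc/apparmor.d/local/` (file name assumed to match the profile file) and reload with `apparmor_parser -r`, rather than leaving the profile in complain mode.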
