Package: unbound
Version: 1.17.0-1
Severity: normal
Tags: patch

Dear Maintainer,

* What led up to the situation?

I wanted to configure a static IPv6 address in unbound, but that is not (always) available when booting the system. Therefore I enabled ip-transparent in the server section.

* What exactly did you do (or not do) that was effective (or ineffective)?

When I enabled 'ip-transparent: yes' in the server section, apparmor blocked some capabilities when restarting unbound.

Jan 19 13:37:20 kernel: audit: type=1400 audit(1674131840.250:65): apparmor="DENIED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=13 capname="net_raw"
Jan 19 13:37:20 kernel: audit: type=1400 audit(1674131840.250:66): apparmor="DENIED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=12 capname="net_admin"

* What outcome did you expect instead?

I would have expected that unbound would not be blocked by apparmor and would be able to use the ip-transparent option without issue.

-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-4-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unbound depends on:
ii adduser 3.130
ii init-system-helpers 1.65.2
ii libc6 2.36-8
ii libevent-2.1-7 2.1.12-stable-5+b1
ii libnghttp2-14 1.51.0-1
ii libprotobuf-c1 1.4.1-1+b1
ii libpython3.10 3.10.9-1
ii libssl3 3.0.7-1
ii libsystemd0 252.4-1
ii lsb-base 11.5
ii sysvinit-utils [lsb-base] 3.06-2

Versions of packages unbound recommends:
ii dns-root-data 2023010101

Versions of packages unbound suggests:
ii apparmor 3.0.8-1
ii openssl 3.0.7-1

-- no debconf information
From: TigerP <debian-tig...@tigerp.net>
To: Debian Bug Tracking System <sub...@bugs.debian.org>
Subject: ip-transparent: yes is blocked by apparmor
Bcc: TigerP <debian-tig...@tigerp.net>
Message-ID: <167413411988.1072823.1845641849211757387.report...@melaine.andor.aybara.org>
X-Mailer: reportbug 11.6.0
Date: Thu, 19 Jan 2023 14:15:19 +0100
Content-Disposition: attachment; filename="unbound_apparmor_ip-transparancy.patch"

--- usr.sbin.unbound.orig 2023-01-19 14:12:38.624603236 +0100 +++ usr.sbin.unbound 2023-01-19 14:13:55.721989871 +0100 @@ -21,6 +21,9 @@ capability setuid, capability sys_chroot, capability sys_resource, + # Added for ip-transparancy option + capability net_raw, + capability net_admin, # root hints from dns-data-root /usr/share/dns/root.* r,
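
Review bot: the two rules added after `capability sys_resource,` grant `net_raw` and `net_admin` to every installation that ships this profile, although the report only needs them when `ip-transparent: yes` is set, and `net_admin` in particular is a broad capability to hand to a resolver by default. Both denials in the report carry the same timestamp and pid, so they may come from a single operation that tries one capability and then the other; please test with only `capability net_raw,` and then only `capability net_admin,` and keep the narrower rule if one of them is enough. The added comment should also name the option as it is spelled in the configuration, `ip-transparent`, and say that the rule is only required when that option is enabled, so a later reader of the profile knows why the capability is there and when it can be dropped.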