Note to everyone watching this bug:
The file that John modified above is in the "extra profiles" section of
the upstream AppArmor source repository. It may be found on an Ubuntu
system at
/usr/share/apparmor/extra-profiles/sbin.dhclient
and in jammy, it has his fix.
However, the isc-dhcp-cl
#4 Does not work for me.
My /etc/apparmor.d/sbin.dhclient partly looks like this:
@{PROC}/[0-9]*/net/ r,
@{PROC}/[0-9]*/net/** r,
# @{PROC}/[0-9]*/task/[0-9]*/comm rw,
@{PROC}/@{pids}*/task/[0-9]*/comm rw,
Maybe I'm missing something?
** Tags added: hirsute
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1918410
Title:
isc-dhcp-client denied by apparmor
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubunt
** Tags added: focal
** Changed in: isc-dhcp (Ubuntu)
Status: Confirmed => Triaged
** Changed in: isc-dhcp (Ubuntu)
Importance: Undecided => Medium
Merge upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/730
it will be part of the next apparmor point releases
Hi John,
Thank you for your detailed response and education on command text. I
was able to use pstree to see the thread command text behavior change
before and after the AppArmor rule addition. I feel better now that I
understand what is going on!
To further elaborate on why dhclient is accessing the comm
$ pstree -at 3395
dhclient ens3
  ├─{isc-socket}
  ├─{isc-timer}
  └─{isc-worker}
where 3395 is the process. It has 3 additional threads and it is
providing functional names for them.
Okay adding the suggested rule
works for me. So it would seem dhclient is treating denied access to comm as a
fatal error.
Interestingly I also had it throw a rejection for capability sys_module
[ 1645.480546] audit: type=1400 audit(1616847221.859:73):
apparmor="DENIED" operation="capable" pro
Denying
/proc/1095210/task/1095213/comm
prevents the task from introspecting (reading), and changing (write) the
command text associated with the task. In this case it would appear one
thread is attempting to change the comm of another thread in the process
(this is generally allowed), see man 5
I have been doing Xenial -> Bionic -> Focal release upgrades and started
running into this apparmor issue with dhclient after reaching Focal.
I don't know the root issue, and it doesn't appear to impact
functionality (at least as far as I can tell on my hosts). However, I am
currently dealing with
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: isc-dhcp (Ubuntu)
Status: New => Confirmed
I forgot to add that this is an up-to-date Ubuntu 20.04.2