The fix was landed in the apparmor package and no change was needed to
the ntp or tor packages in the end. If I'm wrong, please reopen those
tasks.
** Changed in: ntp (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: ntp (Ubuntu)
Status: Fix Released => Invalid
** Changed in: tor (Ubuntu)
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1670408
Title:
apparmor base abstraction needs backport of rev 3658 to fix several
denies (tor, ntp, ...)
Status in apparmor package in Ubuntu:
Fix Released
Status in ntp package in Ubuntu:
Invalid
Status in tor package in Ubuntu:
Invalid
Status in apparmor source package in Xenial:
Fix Released
Bug description:
[Impact]
* The base abstraction in xenial misses some ways programs can push
logs to journald
* Backport the fix form Artful to:
1. get rid of the Denies making logs less readable
2. get users to see the actual log entries will help to unbreak many
other cases
[Test Case]
* Install one of the affected packages (in a xenial container is enough)
* For the case of ntp just install and then run
systemctl restart ntp
* in Dmesg you'll see apparmor Denies like
apparmor="DENIED"
operation="file_inherit"
profile="/usr/sbin/ntpd"
name="/run/systemd/journal/stdout"
* Each case is different, in this (ntp) case also some log entries are
missed due to the block
* After installing the fixed package there is no Deny anymore and
programs are able to correctly log.
[Regression Potential]
* The change is in ubuntu as-is since artful and we are only opening up,
but not limiting the access - so there should be nothing that is denied
after the update that was not before.
Vice versa there could be changes due to things now working correcrly,
but I'd not see that as a regression.
[Other Info]
* affects many packages ntp, tor - I even heard examples of mysql.
But the fix is in apparmor through base abstraction
---
Using tor 0.2.9.9-1ubuntu1 with Linux 4.10.0-9-generic on Zesty, tor
fails to start after installing the tor package. "systemctl status
tor@default" reports:
Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Main process exited,
code=killed, status=11/SEGV
Mar 06 16:04:00 zesty systemd[1]: Failed to start Anonymizing overlay network
for TCP.
Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Unit entered failed
state.
Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Failed with result
'signal'.
There are two AppArmor denials in the kernel log:
Mar 6 15:53:12 zesty-test kernel: [ 102.699647] audit: type=1400
audit(1488815592.268:35): apparmor="DENIED" operation="file_inherit"
namespace="root//lxd-zesty_<var-lib-lxd>" profile="system_tor"
name="/run/systemd/journal/stdout" pid=3520 comm="tor"
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
Mar 6 15:53:12 zesty-test kernel: [ 102.702418] audit: type=1400
audit(1488815592.272:37): apparmor="DENIED" operation="file_mmap"
namespace="root//lxd-zesty_<var-lib-lxd>" profile="system_tor"
name="/usr/bin/tor" pid=3520 comm="tor" requested_mask="m"
denied_mask="m" fsuid=100000 ouid=100000
Workaround: add the following two lines to /etc/apparmor.d/system_tor:
/usr/bin/tor m,
/run/systemd/journal/stdout rw,
I couldn't remember how to that that profile reloaded, so I rebooted,
and after the reboot tor does start up successfully. "systemctl
tor@default" reports it as running.
I haven't checked to see if only one or other rule is actually
required.
Importance -> High since this bug makes the package unusable in its
default configuration on Zesty. Since the AppArmor profile comes from
Debian's 0.2.9.9-1, this should probably be fixed in Debian.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1670408/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
