Public bug reported:

# Description

On a default Focal install, systemd is used when looking up passwd and
group information:

# grep systemd /etc/nsswitch.conf 
passwd:         files systemd
group:          files systemd

Daemons confined by Apparmor that also query those "databases" will
cause this Apparmor denial:

audit: type=1400 audit(1586825456.411:247): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=7370 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

Many daemons confined by Apparmor also happen to downgrade their
privileges so they always end up looking up user/group information.

# Steps to reproduce

1) launch a Focal container (named fb1 here)
$ lxc launch images:ubuntu/focal fb1

2) setup apparmor inside the container (already done on official Ubuntu images)
$ lxc exec fb1 -- apt update && lxc exec fb1 -- apt install apparmor -y

3) install bind9
$ lxc exec fb1 -- apt install bind9 -y

4) check kernel logs for DENIED
$ journalctl -o cat -b0 -k | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'


Step 4 should not return anything. Because systemd is involved in the
user/group lookups, it currently returns the following:

audit: type=1400 audit(1586826072.115:266): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1586826072.115:267): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1586826072.115:268): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1586826072.115:269): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1586826072.115:270): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000


# Workaround

1) remove systemd from nsswitch.conf
$ lxc exec fb1 -- sed -i 's/ systemd$/ # systemd/' /etc/nsswitch.conf
2) restart named
$ lxc exec fb1 -- service named restart
3) notice no more denials in kernel logs
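Commenting systemd out of nsswitch.conf silences the denial but also disables the systemd NSS module for every process on the host. The narrower fix is the one the bug title asks for: grant the single path the daemon actually needs. The script below is an added example (not part of this bug report or of the apparmor package): it parses AppArmor DENIED audit lines of the shape quoted above, extracts the denied path and access mask, and emits the corresponding candidate profile rule, de-duplicated per profile, so the reviewer can see exactly what a fix would have to grant. The sample line is constructed after the one in the report; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage AppArmor "DENIED" audit lines into candidate rules.
# Not code from the bug report or from the apparmor project.

# Constructed sample, modelled on the denial quoted in the report.
SAMPLE_DENIAL='audit: type=1400 audit(1586826072.115:266): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000'

# Constructed ALLOWED line (complain-mode style) that must NOT yield a rule.
SAMPLE_ALLOWED='audit: type=1400 audit(1586826072.115:300): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/etc/bind/named.conf" pid=13756 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000'

# audit_field KEY LINE: print the quoted value of KEY="..." from an audit line.
# The leading whitespace anchor keeps "name=" from matching inside "namespace=".
audit_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# denial_to_rule LINE: print an AppArmor file rule "<path> <mask>," for a
# DENIED line; return 1 (print nothing) for anything that is not a denial
# or that carries no path/mask.
denial_to_rule() {
    line=$1
    [ "$(audit_field apparmor "$line")" = "DENIED" ] || return 1
    path=$(audit_field name "$line")
    mask=$(audit_field denied_mask "$line")
    [ -n "$path" ] && [ -n "$mask" ] || return 1
    printf '%s %s,\n' "$path" "$mask"
}

# unique_rules: read audit lines on stdin, print unique "<profile>\t<rule>"
# pairs. The five denials in the report differ only by audit id and
# collapse to one pair here.
unique_rules() {
    while IFS= read -r line; do
        rule=$(denial_to_rule "$line") || continue
        printf '%s\t%s\n' "$(audit_field profile "$line")" "$rule"
    done | sort -u
}

# Stand-alone run over the constructed samples; on a real host feed it
# journalctl -k output filtered on apparmor="DENIED" instead.
printf '%s\n%s\n%s\n' "$SAMPLE_DENIAL" "$SAMPLE_DENIAL" "$SAMPLE_ALLOWED" | unique_rules
```

For the report's denials this prints a single line, `/usr/sbin/named` followed by `/proc/sys/kernel/random/boot_id r,`. That rule belongs in the shared nameservice abstraction (the title's point), but until the package ships it, it can be placed in a site-local override such as `/etc/apparmor.d/local/usr.sbin.named` (assuming the profile includes a `local/` override, as Ubuntu's shipped profiles conventionally do) and reloaded with `apparmor_parser -r`, leaving nsswitch.conf untouched.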

# Additional information

root@fb1:~# apt-cache policy apparmor
apparmor:
  Installed: 2.13.3-7ubuntu4
  Candidate: 2.13.3-7ubuntu4
  Version table:
 *** 2.13.3-7ubuntu4 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status

root@fb1:~# uname -a
Linux fb1 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

root@fb1:~# lsb_release -rd
Description:    Ubuntu Focal Fossa (development branch)
Release:        20.04

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1872564

Title:
  /proc/sys/kernel/random/boot_id rule missing from
  abstractions/nameservice
