isc-dhcp-client denied by apparmor
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
isc-dhcp (Ubuntu) | Fix Released | Medium | Lukas Märdian | |
Focal | Fix Released | Undecided | Unassigned | |
Impish | Fix Released | Undecided | Unassigned | |
Jammy | Fix Released | Undecided | Unassigned | |
Kinetic | Fix Released | Medium | Lukas Märdian | |
Bug Description
[Impact]
* dmesg is flooded with apparmor="DENIED" messages for dhclient
* can lead to situations where dhclient is blocked from assigning an IP address
* also impacts NetworkManager, when dhclient is being used as DHCP client
Examples:
[ 7.339430] audit: type=1400 audit(165580456
[ 7.402768] audit: type=1400 audit(165580456
[Test Plan]
$ apt install network-manager
$ netplan set "network.
$ netplan get
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    enp5s0:
      dhcp4: true
$ mkdir /etc/NetworkMan
$ cat /etc/NetworkMan
[main]
dhcp=dhclient
$ apparmor_parser -r /etc/apparmor.
$ netplan apply
$ dmesg | grep dhclient
$ reboot
$ netplan apply
$ dmesg | grep dhclient
=> make sure there are no (new) apparmor="DENIED" messages in there, especially not after a reboot
$ ip addr
[...]
2: enp5s0: <BROADCAST,
link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
valid_lft 3576sec preferred_lft 3576sec
[...]
=> make sure a dynamic IP address got assigned via DHCP
[Where problems could occur]
* We're touching the apparmor profile for dhclient
* If anything goes wrong, we could potentially reduce the security confinement of dhclient
* Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
[Other Info]
* Also affects salesforce case "[SFDC-LAN] Case 00332266"
* Fixed in the upstream apparmor profile for sbin.dhclient:
https:/
* The 2nd fix for "/run/NetworkMa
=== original description ===
Hi, I get weird errors in the audit log, seeing dhclient is being denied reading its comm or the comm of one of its tasks:
[1383307.827378] audit: type=1400 audit(161536709
This might or might not be linked with the fact that I can't get an IPv4 on this interface. Note that it happened to others, see this comment:
https:/
Or even an article recommending disabling apparmor for dhclient(!):
https:/
As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:
[pid 1095210] openat(AT_FDCWD, "/proc/
) = -1 EACCES (Permission non accordée)
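The check from the test plan above (no new apparmor="DENIED" messages for dhclient, including after a reboot), as an added example that is not part of the bug report or the isc-dhcp package: a shell function that filters kernel log lines by the audit(...) epoch, so denials logged before the profile was reloaded are not counted. The log lines are constructed, and matching on a profile name ending in dhclient is an assumption.

```shell
#!/bin/sh
# Usage: dmesg | dhclient_denials [SINCE_EPOCH]
# Prints "count operation denied_mask name" per distinct denial and returns 1
# if any denial for the dhclient profile is at or after SINCE_EPOCH.
dhclient_denials() {
    awk -v since="${1:-0}" '
    # Value of key="value" (or key=value) on the current line, unquoted.
    function field(key,    s, v) {
        if (!match($0, " " key "=(\"[^\"]*\"|[^ ]*)")) return ""
        s = substr($0, RSTART, RLENGTH)
        v = substr(s, index(s, "=") + 1)
        gsub(/^"|"$/, "", v)
        return v
    }
    /apparmor="DENIED"/ {
        # Assumption: the confining profile name ends in "dhclient".
        if (field("profile") !~ /dhclient$/) next
        # audit(EPOCH.ms:serial) is wall-clock time; the [uptime] prefix
        # restarts at every boot and cannot tell old from new.
        if (!match($0, /audit\([0-9]+/)) next
        if (substr($0, RSTART + 6, RLENGTH - 6) + 0 < since) next
        name = field("name")
        gsub(/[0-9]+/, "N", name)   # collapse PIDs/TIDs so repeats group
        seen[field("operation") " " field("denied_mask") " " name]++
    }
    END {
        for (k in seen) { print seen[k], k; n++ }
        exit (n > 0)
    }'
}

# Constructed sample log (not from the bug report): one denial before the
# profile reload, a STATUS line, two denials after it, one unrelated profile.
sample_log() {
    cat <<'EOF'
[    7.100000] audit: type=1400 audit(1700000000.100:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1201/task/1204/comm" pid=1201 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[   95.200000] audit: type=1400 audit(1700000088.200:41): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/{,usr/}sbin/dhclient" pid=1290 comm="apparmor_parser"
[    7.300000] audit: type=1400 audit(1700000200.300:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/901/task/904/comm" pid=901 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[    7.400000] audit: type=1400 audit(1700000200.400:31): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/901/task/905/comm" pid=901 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[    8.000000] audit: type=1400 audit(1700000201.000:32): apparmor="DENIED" operation="open" profile="/usr/sbin/exampled" name="/etc/example.conf" pid=950 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Only denials at or after epoch 1700000100 count as new.
sample_log | dhclient_denials 1700000100 || echo "new dhclient denials"
```

On a live system, record `date +%s` just before `apparmor_parser -r` and pass it as SINCE_EPOCH to `dmesg | dhclient_denials`.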
tags: | added: focal |
Changed in isc-dhcp (Ubuntu): | |
status: | Confirmed → Triaged |
importance: | Undecided → Medium |
tags: | added: hirsute |
description: | updated |
Changed in isc-dhcp (Ubuntu Kinetic): | |
status: | Triaged → Fix Committed |
assignee: | nobody → Lukas Märdian (slyon) |
Changed in isc-dhcp (Ubuntu Jammy): | |
status: | New → In Progress |
Changed in isc-dhcp (Ubuntu Impish): | |
status: | New → In Progress |
Changed in isc-dhcp (Ubuntu Focal): | |
status: | New → In Progress |
I forgot to add that this is an up-to-date Ubuntu 20.04.2