AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Triaged | High | Unassigned |
apparmor (Ubuntu) | Fix Released | High | Tyler Hicks |
Yakkety | Fix Released | High | Tyler Hicks |
ntp (Ubuntu) | Invalid | High | Joshua Powers |
Yakkety | Invalid | High | Joshua Powers |
Bug Description
[ Impact ]
Processes confined by AppArmor profiles that use the nameservice AppArmor abstraction are unable to reach the systemd-resolved network name resolution service. The nsswitch.conf file shipped in Yakkety enables the nss-resolve plugin, which talks to systemd-resolved over D-Bus. That D-Bus communication is blocked for the confined processes described above, so they fall back to the traditional means of name resolution.
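Added example, not the page's or the AppArmor project's own change: a local profile fragment that grants a nameservice-using profile the D-Bus access to systemd-resolved described above, scoped to the resolve1 Manager methods rather than the whole system bus. The fragment path /etc/apparmor.d/local/usr.sbin.ntpd, the dbus-strict abstraction name and the method names are assumptions.

```apparmor
# Added example, not the project's committed fix. Assumed location:
# /etc/apparmor.d/local/usr.sbin.ntpd, pulled in by the shipped profile's
# "#include <local/usr.sbin.ntpd>" line (assumption). Reload afterwards with:
#   sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd
#
# Why it is needed: abstractions/nameservice covers the classic resolver
# files (/etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts) and DNS over the
# network, but nss-resolve reaches systemd-resolved through the system bus.
# The connect() to /run/dbus/system_bus_socket is what the audit lines in
# this bug show being DENIED; glibc then falls through to the next module in
# nsswitch.conf and resolution silently works without systemd-resolved.

  # Socket access to dbus-daemon plus the org.freedesktop.DBus Hello
  # handshake (assumed abstraction name).
  #include <abstractions/dbus-strict>

  # Least privilege: allow only the resolve1 Manager methods nss-resolve
  # calls, and only to the well-known name owned by systemd-resolved, so
  # the confined process cannot talk to arbitrary system-bus services.
  dbus send
       bus=system
       path="/org/freedesktop/resolve1"
       interface="org.freedesktop.resolve1.Manager"
       member="{ResolveHostname,ResolveAddress,ResolveRecord,ResolveService}"
       peer=(name="org.freedesktop.resolve1"),

  # Deliberately absent: a broad "dbus (send) bus=system," rule would also
  # clear the denial but hands the process every system-bus service.
```

After reloading, repeat the test case below: the system_bus_socket denials should no longer appear in dmesg. Note that the dbus rules are enforced by an AppArmor-aware dbus-daemon, not by the kernel, so on a bus daemon without AppArmor mediation only the socket access is checked.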
[ Test Case ]
* Use ntpd to test:
$ sudo apt-get install -y ntp
...
$ sudo systemctl stop ntp
# in another terminal, watch for AppArmor denials
$ dmesg -w
# in the original terminal, start ntp
$ sudo systemctl start ntp
# You'll see a number of denials on the system_bus_socket file:
audit: type=1400 audit(147624076
* Use tcpdump to test:
# Capture traffic on whichever network interface you're currently using
$ sudo tcpdump -i eth0
# Look in /var/log/syslog for denials on the system_bus_socket file:
audit: type=1400 audit(147624089
In both situations, ntpd and tcpdump will seemingly work as expected due to the name resolution fallback configured in nsswitch.conf. However, neither confined process will be using systemd-resolved for name resolution.
[ Regression Potential ]
This fix will allow ntp, tcpdump, cupsd, dhclient, and other confined-by-default programs to start using systemd-resolved. There is some potential for regression since those applications have not been previously using systemd-resolved.
[ Original bug description ]
On this plain install of Xenial, apparmor complains about ntpd:
[ 19.379152] audit: type=1400 audit(146762333
[ 20.379299] audit: type=1400 audit(146762333
[ 22.426246] audit: type=1400 audit(146762333
[ 22.771326] audit: type=1400 audit(146762333
[ 23.568548] audit: type=1400 audit(146762333
Adding the following line to /etc/apparmor.
#include <abstractions/
summary: - missing apparmor definition for ntpd
         + incomplete apparmor definition for ntpd
Changed in ntp (Ubuntu):
  importance: Undecided → High
tags: added: bitesize
Changed in ntp (Ubuntu):
  assignee: nobody → Joshua Powers (powersj)
Changed in apparmor (Ubuntu):
  importance: Undecided → High
description: updated
tags: added: aa-policy
Changed in apparmor:
  status: Triaged → Fix Released
Seeing this problem now with apparmor 2.10.95-4ubuntu3 on yakkety
kernel: [ 38.160420] audit: type=1400 audit(1470204773.635:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 39.076124] audit: type=1400 audit(1470204774.551:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 40.076112] audit: type=1400 audit(1470204775.551:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 41.084971] audit: type=1400 audit(1470204776.560:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 42.097404] audit: type=1400 audit(1470204778.059:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0
kernel: [ 42.113042] audit: type=1400 audit(1470204778.075:32): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=2706 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=118 ouid=0