[apparmor] missing 'mr' on binary for usage on containers
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| rsyslog (Ubuntu) | Fix Released | Undecided | Christian Ehrhardt | |
| Bionic | Won't Fix | Low | Unassigned | |
| Disco | Won't Fix | Low | Unassigned | |
| Eoan | Won't Fix | Low | Unassigned | |
Bug Description
[Impact]
* rsyslog ships with a (disabled by default) apparmor profile.
* Security-sensitive users are in general encouraged to enable such
profiles, but unfortunately, due to slightly new behavior of the program,
the profile prevents its usage.
* Allow the program to map/read its binary to get this working again.
[Test Case]
1) Create an 'eoan' container called rs1:
   lxc launch ubuntu-daily:e rs1
2) Enter the container:
   lxc shell rs1
3) Enable the apparmor profile:
   rm /etc/apparmor.
   apparmor_parser -r -T -W /etc/apparmor.
   systemctl restart rsyslog
4) Notice that rsyslog failed to start:
   systemctl status rsyslog
[Regression Potential]
* This is just opening up the apparmor profile a bit. Therefore the only
regression it could cause IMHO is a security issue. But then what it
actually allows is reading (not writing!) its own binary, which should
be very safe.
* Thinking further, it came to my mind that package updates (independent
of the change) might restart services, and that means if there is any
issue, e.g. in a local config that worked but now fails (not because of this
change but in general), then the upgrade will not cause, but trigger,
this. This is a general regression risk for any upload, but in this
case worth mentioning as it is about log handling, which, if broken,
makes large-scale systems hard to debug.
[Other Info]
* n/a
---
Issue description:
Enabling the rsyslog (disabled by default) Apparmor profile causes rsyslog to fail to start when running *inside a container*.
Steps to reproduce:
1) Create an 'eoan' container called rs1:
   lxc launch ubuntu-daily:e rs1
2) Enter the container:
   lxc shell rs1
3) Enable the apparmor profile:
   rm /etc/apparmor.
   apparmor_parser -r -T -W /etc/apparmor.
   systemctl restart rsyslog
4) Notice that rsyslog failed to start:
   systemctl status rsyslog
Workaround:
   echo ' /usr/sbin/rsyslogd mr,' >> /etc/apparmor.
   apparmor_parser -r -T -W /etc/apparmor.
   systemctl restart rsyslog
Additional information:
root@rs1:~# uname -a
Linux rs1 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@rs1:~# lsb_release -rd
Description: Ubuntu Eoan EANIMAL (development branch)
Release: 19.10
root@rs1:~# dpkg -l| grep -wE 'apparmor|rsyslog'
ii apparmor 2.13.2-9ubuntu6 amd64 user-space parser utility for AppArmor
ii rsyslog 8.32.0-1ubuntu7 amd64 reliable system and kernel logging daemon
ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: rsyslog 8.32.0-1ubuntu7
ProcVersionSign
Uname: Linux 4.15.0-48-generic x86_64
ApportVersion: 2.20.10-0ubuntu27
Architecture: amd64
Date: Wed May 1 17:36:29 2019
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: rsyslog
UpgradeStatus: No upgrade log present (probably fresh install)
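The test case above only shows the failure through systemctl status. As an added example (not from the bug report or the rsyslog package), the script below shows how a defender gets from the AppArmor denial line in the kernel log to the file rule the workaround appends, and checks whether a profile already grants mmap ('m') on the binary. The audit line and the profile fragment are constructed samples for this demo, and the mktemp path is a placeholder, not the real profile path.

```shell
#!/bin/sh
# Added example, not from the bug report or the rsyslog package: turn an
# AppArmor DENIED audit line into the file rule it asks for, and check whether
# a profile already grants 'm' (mmap) on a binary. The log line and profile
# text below are constructed samples; the temp file stands in for the profile.

# denial_to_rule LOGLINE -> prints "<name> <denied_mask>," for a DENIED line.
denial_to_rule() {
    case "$1" in *'apparmor="DENIED"'*) ;; *) return 1 ;; esac
    name=$(printf '%s\n' "$1" | sed -n 's/.* name="\([^"]*\)".*/\1/p')
    mask=$(printf '%s\n' "$1" | sed -n 's/.* denied_mask="\([^"]*\)".*/\1/p')
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    printf '%s %s,\n' "$name" "$mask"
}

# has_mmap_rule PROFILE_FILE BINARY -> 0 if some rule grants 'm' on BINARY.
# Matches e.g. "/usr/sbin/rsyslogd mr," or "/usr/sbin/rsyslogd rm,".
has_mmap_rule() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+[A-Za-z]*m[A-Za-z]*[[:space:]]*,[[:space:]]*$" "$1"
}

# suggest_fix PROFILE_FILE BINARY -> "ok", or the line the bug's workaround adds.
suggest_fix() {
    if has_mmap_rule "$1" "$2"; then echo ok; else echo "$2 mr,"; fi
}

# Constructed denial as it would show up in dmesg/journal when the confined
# binary cannot be mapped (pid, timestamps and ids are made up).
SAMPLE_DENIAL='audit: type=1400 audit(1556730000.123:45): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/rsyslogd" name="/usr/sbin/rsyslogd" pid=1234 comm="rsyslogd" requested_mask="m" denied_mask="m" fsuid=0 ouid=0'

# Constructed profile fragment that lacks any rule for the binary itself.
SAMPLE_PROFILE=$(mktemp)
cat > "$SAMPLE_PROFILE" <<'EOF'
/usr/sbin/rsyslogd {
  #include <abstractions/base>
  /etc/rsyslog.conf r,
  /var/log/** rw,
}
EOF

main_demo() {
    denial_to_rule "$SAMPLE_DENIAL"                   # /usr/sbin/rsyslogd m,
    suggest_fix "$SAMPLE_PROFILE" /usr/sbin/rsyslogd  # /usr/sbin/rsyslogd mr,
}
main_demo
```

On a real system the suggested rule has to sit inside the profile's braces (or a file the profile includes), not after the closing brace, before the apparmor_parser reload from the workaround picks it up.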
Related branches
- Lucas Kanashiro (community): Approve
- Canonical Server packageset reviewers: Pending requested
- git-ubuntu developers: Pending requested
- Diff: 1546 lines (+1207/-48), 14 files modified:
  debian/00rsyslog.conf (+12/-0)
  debian/50-default.conf (+48/-0)
  debian/changelog (+987/-0)
  debian/clean (+6/-0)
  debian/control (+7/-3)
  debian/dmesg.service (+12/-0)
  debian/rsyslog.conf (+10/-43)
  debian/rsyslog.dirs (+4/-0)
  debian/rsyslog.install (+4/-1)
  debian/rsyslog.postinst (+22/-0)
  debian/rsyslog.postrm (+13/-0)
  debian/rsyslog.preinst (+15/-0)
  debian/rules (+8/-1)
  debian/usr.sbin.rsyslogd (+59/-0)
- Rafael David Tinoco (community): Approve
- Canonical Server packageset reviewers: Pending requested
- git-ubuntu developers: Pending requested
- Diff: 28 lines (+9/-0), 2 files modified:
  debian/changelog (+8/-0)
  debian/usr.sbin.rsyslogd (+1/-0)
- Rafael David Tinoco (community): Approve
- Canonical Server packageset reviewers: Pending requested
- git-ubuntu developers: Pending requested
- Diff: 28 lines (+9/-0), 2 files modified:
  debian/changelog (+8/-0)
  debian/usr.sbin.rsyslogd (+1/-0)
- tags: added: server-next
- Changed in rsyslog (Ubuntu): status: New → In Progress
- description: updated
- Changed in rsyslog (Ubuntu): status: Fix Released → In Progress
- Changed in rsyslog (Ubuntu Eoan): status: New → Triaged; importance: Undecided → Low
- Changed in rsyslog (Ubuntu Bionic): status: Triaged → Fix Released
- Changed in rsyslog (Ubuntu Disco): status: Triaged → Fix Released
- Changed in rsyslog (Ubuntu Eoan): status: Triaged → In Progress
- Changed in rsyslog (Ubuntu Disco): status: Fix Released → In Progress
- Changed in rsyslog (Ubuntu Bionic): status: Fix Released → In Progress
This actually is a perfect bug:
- simple case
- solution on a silver plate
- only changing d/* content
- already Ubuntu delta
I feel bad that this hung around so long, but today I saw it and gave it a review.
This is building in Eoan now.