Hello,

On Tuesday, 7 April 2020, 18:22:10 CEST, Goldwyn Rodrigues wrote:
> This is for custom configuration for mdns as defined at:
> https://github.com/lathiat/nss-mdns/blob/master/README.md#etcmdnsallow
> 
> Signed-off-by: Goldwyn Rodrigues <rgold...@suse.com>
> 
> diff --git a/profiles/apparmor.d/abstractions/mdns
> b/profiles/apparmor.d/abstractions/mdns index 2aa6fff2..9102d27e
> 100644
> --- a/profiles/apparmor.d/abstractions/mdns
> +++ b/profiles/apparmor.d/abstractions/mdns
> @@ -11,6 +11,7 @@
>    # mdnsd
>    /etc/nss_mdns.conf r,
>    /{,var/}run/mdnsd w,
> +  /etc/mdns.allow r,
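Review bot: this hunk is based on a stale tree, as its context line `/{,var/}run/mdnsd w,` no longer matches master, where the rule reads `@{run}/mdnsd w,`, so the patch needs a rebase before it can apply; the rule itself already landed in commit eeac8c11 below, and if it is resubmitted at all, `/etc/mdns.allow r,` belongs before `/etc/nss_mdns.conf r,` so the entries in the abstraction stay sorted.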

You are late - this was already added a week ago ;-)


commit eeac8c11c935edf9eea2bed825af6c57e9fb52e3 (HEAD -> master, origin/master, origin/HEAD)
Author: Rich McAllister <Nopublic@address.provided>
Date:   Tue Mar 31 21:01:21 2020 -0700

    abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns

    In focal users of mdns get denials in apparmor confined applications.
    An example can be found in the original bug below.

    It seems it is a common pattern, see
    https://github.com/lathiat/nss-mdns#etcmdnsallow

    Therefore I'm asking to add
       /etc/mdns.allow r,
    to the file
       /etc/apparmor.d/abstractions/mdns
    by default.

    --- original bug ---

    Many repetitions of

    audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0

    in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf
    contains

    hosts: files mdns [NOTFOUND=return] myhostname dns

    and /etc/mdns.allow contains the domains to resolve with mDNS (in my case,
    "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)

    Presumably chronyd calls a gethostbyX() somewhere, thus eventually trickling
    down through the name service switch and opening /etc/mdns.allow, which the
    AppArmor profile in the chrony package does not allow.

    Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629
    Signed-off-by: John Johansen <john.johan...@canonical.com>

diff --git a/profiles/apparmor.d/abstractions/mdns 
b/profiles/apparmor.d/abstractions/mdns
index 6cd842cf..89b199be 100644
--- a/profiles/apparmor.d/abstractions/mdns
+++ b/profiles/apparmor.d/abstractions/mdns
@@ -9,6 +9,7 @@
 # ------------------------------------------------------------------

   # mdnsd
+  /etc/mdns.allow r,
   /etc/nss_mdns.conf r,
   @{run}/mdnsd w,
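Review bot: the new rule sits under the `# mdnsd` comment, but according to the commit message /etc/mdns.allow is opened by libnss-mdns inside the confined application itself (chronyd in the original bug) when the name service switch reaches the mdns module, not by mdnsd; a one-line comment above the rule, such as `# read by libnss-mdns via nsswitch`, would make clear why it belongs in this abstraction. The read-only mask `r` matches the described use, since the file is only consulted.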



Regards,

Christian Boltz
-- 
My name is Ratti. I came here tonight because I have a problem I would
like to talk about.
I have been working with Linux for a long time and have never compiled a
kernel. I am very ashamed of that. [Ratti in suse-linux]
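The audit records quoted in the commit message are what a tool like aa-logprof turns into profile rules. As an added example that is not part of this message or of the AppArmor project, the Python below parses such apparmor="DENIED" lines, merges the denied masks per profile and path, and flags paths denied under more than one profile, which is exactly the "common pattern" argument for putting a rule into an abstraction instead of into each profile. The sample log lines are constructed for the example (the cupsd records are invented).

```python
import re
from collections import defaultdict

# Constructed sample in the audit format quoted in the commit message above.
# The chronyd lines mirror the original bug; the cupsd lines are made up to
# show a second profile hitting the same file.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
audit: type=1400 audit(1585517169.001:64): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
audit: type=1400 audit(1585517170.120:65): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/nss_mdns.conf" pid=2201 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1585517171.300:66): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/mdns.allow" pid=2201 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="value" pairs; unquoted fields such as pid=... are deliberately ignored.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_denials(text):
    """Yield (profile, path, mask) for every DENIED record that names a file."""
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue  # ALLOWED (complain-mode) and non-file records are skipped
        mask = fields.get("denied_mask") or fields.get("requested_mask", "")
        yield fields["profile"], fields["name"], mask

def suggest_rules(text):
    """Aggregate denials into {profile: {path: mask}}, merging permission letters."""
    rules = defaultdict(dict)
    for profile, path, mask in parse_denials(text):
        merged = set(rules[profile].get(path, "")) | set(mask)
        rules[profile][path] = "".join(sorted(merged))
    return rules

def shared_paths(rules, min_profiles=2):
    """Paths denied under several profiles: candidates for an abstraction rule."""
    seen_in = defaultdict(set)
    for profile, paths in rules.items():
        for path in paths:
            seen_in[path].add(profile)
    return sorted(p for p, profs in seen_in.items() if len(profs) >= min_profiles)

def format_rules(rules):
    """Render the suggested rules in AppArmor syntax, one block per profile."""
    lines = []
    for profile in sorted(rules):
        lines.append(f"# {profile}")
        for path, mask in sorted(rules[profile].items()):
            lines.append(f"  {path} {mask},")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_rules(suggest_rules(SAMPLE_AUDIT)))
```

Run against a real /var/log/audit/audit.log or journal export to see which denied paths recur across profiles; those are the ones worth proposing for the relevant abstraction.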


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com