Bug#881460: [pkg-apparmor] Bug#881460: apparmor-profiles: dhclient set to enforce prevents getting an IPv4 with DHCP

2019-01-27 Thread intrigeri
Hi Lorenzo,

Lorenzo Ancora:
> I've created a patch to resolve this bug.

Please see https://bugs.debian.org/881460#10 and follow-ups for
options that are probably better than patching this profile. Now, if
for some reason you really want to base your work on this version of
the dhclient profile, please submit a MR upstream:
https://gitlab.com/apparmor/apparmor. Thanks in advance!

Thankfully the changes in Buster will make it much less confusing (and
to start with, less likely that one gets the wrong idea about the
expectations they can realistically have about the apparmor-profiles
package :)

Cheers,
-- 
intrigeri



Bug#881460: apparmor-profiles: dhclient set to enforce prevents getting an IPv4 with DHCP

2019-01-04 Thread Lorenzo Ancora
Package: apparmor-profiles
Version: 2.13.1-3
Followup-For: Bug #881460

I've created a patch to resolve this bug. After applying the patch you should
link/copy the profile to /etc/apparmor.d, enforce the profile again (the kernel
ring buffer will show a STATUS message) and restart NetworkManager.
--- /usr/share/apparmor/extra-profiles/sbin.dhclient2019-01-05 
01:06:40.237744708 +0100
+++ /usr/share/apparmor/extra-profiles/sbin.dhclient2019-01-05 
01:14:07.325115590 +0100
@@ -51,6 +51,7 @@
   /usr/bin/vmstat mrix,
   /usr/bin/w  mrix,
   /usr/lib/nm-dhcp-helper rix,
+  /usr/lib/NetworkManager/nm-dhcp-helper rix,
   /var/lib/dhcp/dhclient.leases rw,
   /var/lib/dhcp/dhclient-*.leases   rw,
   /var/lib/dhcp6/dhclient.leasesrw,
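Review bot: the single added line `+  /usr/lib/NetworkManager/nm-dhcp-helper rix,` only clears the exec denial; the syslog quoted in the original report also shows DENIED open on /var/lib/NetworkManager/dhclient6-eth0.conf (r), on the dhclient6-*-eth0.lease file (r and wc) and a "Can't create /run/dhclient6-eth0.pid: Permission denied", so the dhcp6 run NetworkManager starts right after dhcp4 would still fail with this profile enforced. Suggest adding rules for those paths alongside this one, e.g. `/var/lib/NetworkManager/dhclient*.conf r,` and `/var/lib/NetworkManager/dhclient*.lease* rw,` (patterns are a suggestion; confirm them against the denials on the reporter's system). Also note that `ix` keeps nm-dhcp-helper confined by the dhclient profile itself, so whatever the helper does beyond what this profile allows will surface as further denials; worth one full dhcp4/dhcp6 cycle in enforce mode, not just complain mode, before calling it fixed.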


Bug#881460: apparmor-profiles: dhclient set to enforce prevents getting an IPv4 with DHCP

2017-11-14 Thread intrigeri
Hi,

Gabriel Filion:
> intrigeri:
> thanks for the super clear explanation for changing the status :)

:)

>> If you came across instructions that told you to enforce such profiles
>> and that did not point you to the aforementioned warning, then I'm
>> very sorry! I'll treat this as a RC bug. Please point me to that doc
>> and I'll fix it ASAP. Thanks in advance!

> fwiw I was following mainly the debian wiki pages about apparmor. I
> remember reading the advisory, but for some reason I didn't keep the
> information that "the profiles might not work with default
> configurations" when reading. probably some level of confusion on my part.

I see, I guess this is:
https://wiki.debian.org/AppArmor/HowToUse#Enable_.2F_install_more_profiles

IIRC I recently updated it to make the warning more visible and
clearer. It might be that it used to be much less scary when you read
it initially.

>> The good news is that there is a dhclient profile available elsewhere,
>> that works way better on Debian: see #795467.

> ok I can see that it looks like the proposed profile for isc-dhcp-client
> is the one from ubuntu. still no reply from debian packagers about this
> though, two years later.

> what approach should we take here in order to get things going? do you
> think that having more feedback from ppl who use the profile
> successfully would help to get that merged in, or do you suspect it
> might just be lack of available time or interest from package maintainers?

I think the added value of shipping AppArmor profiles was pretty low
2 years ago, as AppArmor was not enabled by default. So I totally
understand maintainers treating it as very low priority.

This is being changed in testing/sid though. So I would go back to the
maintainers a couple months after AppArmor is enabled by default, and
our case will be much stronger then. But really, right now I'm not
into adding new profiles: I'd rather polish the existing ones and
handle bug reports about them, to make the "enabling AppArmor by
default" experience as smooth as possible.

> also, maybe if we can get more ppl to test ubuntu's profile in debian,
> then they'd be willing to upstream it in apparmor?

That's a possibility. Or, we upstream it ourselves.

Cheers,
-- 
intrigeri



Bug#881460: apparmor-profiles: dhclient set to enforce prevents getting an IPv4 with DHCP

2017-11-12 Thread Gabriel Filion
intrigeri:
> Let's sort this out first as there seems to be a misunderstanding.
> IMO this bug is not RC because:
> 
> 1. The profile this bug report is about is not enforced by default;
> it's not even shipped in /etc/apparmor.d. It takes 2 manual steps
> to enforce it, so thankfully, we're far from shipping a broken
> default configuration :)

oh! you're totally right! I don't remember enabling the profile but I
was just blindly finding my way around to understand apparmor in the
recent days.
thanks for the super clear explanation for changing the status :)

> If you came across instructions that told you to enforce such profiles
> and that did not point you to the aforementioned warning, then I'm
> very sorry! I'll treat this as a RC bug. Please point me to that doc
> and I'll fix it ASAP. Thanks in advance!

fwiw I was following mainly the debian wiki pages about apparmor. I
remember reading the advisory, but for some reason I didn't keep the
information that "the profiles might not work with default
configurations" when reading. probably some level of confusion on my part.

>> and when I rebooted to activate the kernel part, I didn't notice the
>> issue below.. but a couple reboots afterwards I couldn't obtain
>> a DHCP address anymore for wired and wifi interfaces.
> 
> Thanks for reporting this. I'm sorry this profile broke an essential
> part of your system. I'm not surprised though: to the best of my
> knowledge, nobody is actively using this profile on, and maintaining
> this profile for, Debian. Quite some paths in it don't match where
> things are shipped in Debian. This is why we don't enable this profile
> by default.

well I guess that my report confirms that the current profile in
apparmor-profiles-extra is somewhat broken. (it's still intriguing why
it was working for some time and then stopped working.. but I'd have to
repeat in order to figure out why. my time is probably better spent on
testing this other profile you mentioned)

> The good news is that there is a dhclient profile available elsewhere,
> that works way better on Debian: see #795467.

ok I can see that it looks like the proposed profile for isc-dhcp-client
is the one from ubuntu. still no reply from debian packagers about this
though, two years later.

what approach should we take here in order to get things going? do you
think that having more feedback from ppl who use the profile
successfully would help to get that merged in, or do you suspect it
might just be lack of available time or interest from package maintainers?

also, maybe if we can get more ppl to test ubuntu's profile in debian,
then they'd be willing to upstream it in apparmor?

Cheers





Bug#881460: apparmor-profiles: dhclient set to enforce prevents getting an IPv4 with DHCP

2017-11-12 Thread intrigeri
Control: severity -1 minor
Control: tag -1 + upstream

Dear Gabriel,

Gabriel Filion:
> Severity: critical
> Justification: breaks unrelated software

Let's sort this out first as there seems to be a misunderstanding.
IMO this bug is not RC because:

1. The profile this bug report is about is not enforced by default;
   it's not even shipped in /etc/apparmor.d. It takes 2 manual steps
   to enforce it, so thankfully, we're far from shipping a broken
   default configuration :)

2. This profile is shipped in a directory whose README says:

 The profiles in this directory are not turned on by default
 because they are not as mature as the profiles in
 /etc/apparmor.d/.

 In some cases, it is because the profile hasn't been updated to
 work with newer code; in other cases, it because any benefit
 provided by the profile is much less than the potential for
 causing problems.

 In short, feel free to try these profiles if you wish, but be
 aware that they may not work on default configurations, let alone
 your specific configuration.

If you came across instructions that told you to enforce such profiles
and that did not point you to the aforementioned warning, then I'm
very sorry! I'll treat this as a RC bug. Please point me to that doc
and I'll fix it ASAP. Thanks in advance!

> I've started using apparmor very recently,

Cool, thanks a lot :)

> and when I rebooted to activate the kernel part, I didn't notice the
> issue below.. but a couple reboots afterwards I couldn't obtain
> a DHCP address anymore for wired and wifi interfaces.

Thanks for reporting this. I'm sorry this profile broke an essential
part of your system. I'm not surprised though: to the best of my
knowledge, nobody is actively using this profile on, and maintaining
this profile for, Debian. Quite some paths in it don't match where
things are shipped in Debian. This is why we don't enable this profile
by default.

The good news is that there is a dhclient profile available elsewhere,
that works way better on Debian: see #795467.

The bad news is that the current situation is very confusing.
One might expect that Ubuntu, as the main contributor to AppArmor
upstream, would keep the upstream profile in sync' with what they are
shipping in their distro, but it's not the case currently; there are
probably historical reasons for it and I understand it may not be high
on the priority list at the moment since they have something that
works fine for them.

Ideally, someone would upstream the (upstream - Ubuntu profile) delta.
And then we can decide whether we ship it via isc-dhcp-client
(synchronizing it regularly from src:apparmor) or in the
apparmor-profiles package.

Cheers,
-- 
intrigeri



Bug#881460: apparmor-profiles: dhclient set to enforce prevents getting an IPv4 with DHCP

2017-11-11 Thread Gabriel Filion
Package: apparmor-profiles
Version: 2.11.1-3
Severity: critical
Justification: breaks unrelated software

Hello,

I've started using apparmor very recently, and when I rebooted to
activate the kernel part, I didn't notice the issue below.. but a couple
reboots afterwards I couldn't obtain a DHCP address anymore for wired
and wifi interfaces.

From what I could see, when dhclient6 gets called by network-manager,
this program gets denied a bunch of operations which makes it not do
what it's supposed to and just exit.

The weird part that I don't understand yet is that I don't think I've
installed or upgraded anything else since I enabled apparmor (so why
didn't I see this in a more consistent manner?).

In the syslog I found the following log lines that are relevant:

Nov 11 16:53:14 boohn kernel: [   15.622076] audit: type=1400 
audit(1510437193.949:5): apparmor="STATUS" operation="profile_load" 
profile="unconfined" name="dhclient" pid=620 comm="apparmor_parser"
Nov 11 16:53:20 boohn NetworkManager[678]:   [1510437200.9563] dhcp-init: 
Using DHCP client 'dhclient'
Nov 11 16:53:24 boohn NetworkManager[678]:   [1510437204.1739] dhcp4 
(eth0): dhclient started with pid 1184
Nov 11 16:53:24 boohn dhclient[1185]: execve 
(/usr/lib/NetworkManager/nm-dhcp-helper, ...): Permission denied
Nov 11 16:53:24 boohn kernel: [   25.862578] audit: type=1400 
audit(1510437204.189:74): apparmor="DENIED" operation="exec" profile="dhclient" 
name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1185 comm="dhclient" 
requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov 11 16:53:24 boohn dhclient[1184]: DHCPREQUEST of 192.168.2.243 on eth0 to 
255.255.255.255 port 67
Nov 11 16:53:24 boohn dhclient[1184]: DHCPNAK from 192.168.2.1
Nov 11 16:53:24 boohn dhclient[1186]: execve 
(/usr/lib/NetworkManager/nm-dhcp-helper, ...): Permission denied
Nov 11 16:53:24 boohn kernel: [   25.887214] audit: type=1400 
audit(1510437204.214:75): apparmor="DENIED" operation="exec" profile="dhclient" 
name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1186 comm="dhclient" 
requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov 11 16:53:24 boohn kernel: [   25.887967] audit: type=1400 
audit(1510437204.215:76): apparmor="DENIED" operation="exec" profile="dhclient" 
name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1187 comm="dhclient" 
requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov 11 16:53:24 boohn dhclient[1187]: execve 
(/usr/lib/NetworkManager/nm-dhcp-helper, ...): Permission denied
Nov 11 16:53:24 boohn dhclient[1184]: DHCPDISCOVER on eth0 to 255.255.255.255 
port 67 interval 3
Nov 11 16:53:24 boohn dhclient[1184]: DHCPREQUEST of 192.168.2.233 on eth0 to 
255.255.255.255 port 67
Nov 11 16:53:24 boohn dhclient[1184]: DHCPOFFER of 192.168.2.233 from 
192.168.2.1
Nov 11 16:53:24 boohn dhclient[1184]: DHCPACK of 192.168.2.233 from 192.168.2.1
Nov 11 16:53:24 boohn dhclient[1188]: execve 
(/usr/lib/NetworkManager/nm-dhcp-helper, ...): Permission denied
Nov 11 16:53:24 boohn kernel: [   25.894073] audit: type=1400 
audit(1510437204.221:77): apparmor="DENIED" operation="exec" profile="dhclient" 
name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1188 comm="dhclient" 
requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov 11 16:53:24 boohn dhclient[1184]: bound to 192.168.2.233 -- renewal in 
37728 seconds.
Nov 11 16:53:26 boohn NetworkManager[678]:   [1510437206.3351] dhcp6 
(eth0): dhclient started with pid 1189
Nov 11 16:53:26 boohn kernel: [   28.012088] audit: type=1400 
audit(1510437206.339:78): apparmor="DENIED" operation="open" profile="dhclient" 
name="/var/lib/NetworkManager/dhclient6-eth0.conf" pid=1189 comm="dhclient" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 11 16:53:26 boohn kernel: [   28.012098] audit: type=1400 
audit(1510437206.339:79): apparmor="DENIED" operation="open" profile="dhclient" 
name="/var/lib/NetworkManager/dhclient6-b63c69a8-9bf3-4eef-9610-09eee2527a06-eth0.lease"
 pid=1189 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 11 16:53:26 boohn kernel: [   28.012104] audit: type=1400 
audit(1510437206.339:80): apparmor="DENIED" operation="open" profile="dhclient" 
name="/var/lib/NetworkManager/dhclient6-b63c69a8-9bf3-4eef-9610-09eee2527a06-eth0.lease"
 pid=1189 comm="dhclient" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Nov 11 16:53:26 boohn dhclient[1189]: can't create 
/var/lib/NetworkManager/dhclient6-b63c69a8-9bf3-4eef-9610-09eee2527a06-eth0.lease:
 Permission denied
Nov 11 16:53:26 boohn dhclient[1190]: execve 
(/usr/lib/NetworkManager/nm-dhcp-helper, ...): Permission denied
Nov 11 16:53:26 boohn dhclient[1189]: Created duid 
"\000\001\000\001!\232-\326\360\336\361+\253L".
Nov 11 16:53:26 boohn dhclient[1189]: can't create 
/var/lib/NetworkManager/dhclient6-b63c69a8-9bf3-4eef-9610-09eee2527a06-eth0.lease:
 Permission denied
Nov 11 16:53:26 boohn dhclient[1189]: Can't create /run/dhclient6-eth0.pid: 
Permission denied
Nov 11 16:53:26 boohn kernel: [   28.012575] audit: type=1400
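Added example, not part of this bug thread and not code from Debian or the AppArmor project: a short Python script that does by hand the triage step the log above calls for (the job aa-logprof automates): pull the apparmor="DENIED" records out of the syslog, collapse the denied masks per path into candidate profile rules, and check which of those rules the hunk in Lorenzo's patch already grants. The sample log is built from the lines quoted in the report, re-joined onto single lines where the mail client wrapped them; the profile excerpt is the hunk from the patch; the "ix" default for exec rules and the fnmatch-based glob matching are simplifications, labelled as such in the comments.

```python
import fnmatch
import re
from collections import defaultdict

# Constructed sample: AppArmor audit records in the syslog format quoted in the
# bug report, joined back onto single lines (the mail client wrapped them), plus
# two non-audit lines that must be ignored.
SAMPLE_SYSLOG = """\
Nov 11 16:53:14 boohn kernel: [   15.622076] audit: type=1400 audit(1510437193.949:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dhclient" pid=620 comm="apparmor_parser"
Nov 11 16:53:24 boohn dhclient[1185]: execve (/usr/lib/NetworkManager/nm-dhcp-helper, ...): Permission denied
Nov 11 16:53:24 boohn kernel: [   25.862578] audit: type=1400 audit(1510437204.189:74): apparmor="DENIED" operation="exec" profile="dhclient" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1185 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov 11 16:53:26 boohn kernel: [   28.012088] audit: type=1400 audit(1510437206.339:78): apparmor="DENIED" operation="open" profile="dhclient" name="/var/lib/NetworkManager/dhclient6-eth0.conf" pid=1189 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 11 16:53:26 boohn kernel: [   28.012098] audit: type=1400 audit(1510437206.339:79): apparmor="DENIED" operation="open" profile="dhclient" name="/var/lib/NetworkManager/dhclient6-b63c69a8-9bf3-4eef-9610-09eee2527a06-eth0.lease" pid=1189 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 11 16:53:26 boohn kernel: [   28.012104] audit: type=1400 audit(1510437206.339:80): apparmor="DENIED" operation="open" profile="dhclient" name="/var/lib/NetworkManager/dhclient6-b63c69a8-9bf3-4eef-9610-09eee2527a06-eth0.lease" pid=1189 comm="dhclient" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
"""

# The file rules from the hunk in Lorenzo's patch, added line included.
PATCHED_PROFILE_EXCERPT = """\
  /usr/lib/nm-dhcp-helper rix,
  /usr/lib/NetworkManager/nm-dhcp-helper rix,
  /var/lib/dhcp/dhclient.leases rw,
  /var/lib/dhcp/dhclient-*.leases rw,
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')                   # quoted key="value" pairs
RULE_RE = re.compile(r'^\s*(/\S+)\s+([A-Za-z]+),\s*$')  # plain 'path perms,' rules

# Audit denied_mask letters -> permission letter for a profile rule.
# 'c' (create) and 'a' (append) are both granted by 'w'.
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "a": "w",
                "x": "x", "m": "m", "l": "l", "k": "k"}


def parse_denials(text):
    """Return one dict of key="value" fields per apparmor="DENIED" audit record."""
    records = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records


def suggest_rules(denials, exec_mode="ix"):
    """Collapse file denials into one candidate rule per (profile, path).

    exec_mode is the transition used when an exec was denied: 'ix' keeps the
    child confined by the same profile (what the patch in this thread chose
    with 'rix'); 'Px' or 'Cx' would switch to another profile. That choice is
    a profile-design decision, not something the log can make for you.
    """
    wanted = defaultdict(set)
    for d in denials:
        path, mask = d.get("name"), d.get("denied_mask")
        if not path or not mask:
            continue  # capability, dbus, signal ... denials carry no file mask
        wanted[(d["profile"], path)] |= {MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM}
    rules = defaultdict(list)
    for (profile, path), perms in sorted(wanted.items()):
        letters = "".join(p for p in "rwmlk" if p in perms)
        if "x" in perms:
            letters += exec_mode
        rules[profile].append(f"  {path} {letters},")
    return dict(rules)


def parse_file_rules(profile_text):
    """[(path_glob, perms)] for the plain 'path perms,' lines of a profile."""
    return [m.groups() for m in map(RULE_RE.match, profile_text.splitlines()) if m]


def still_denied(candidate_rules, existing_rules):
    """Candidate rules that no existing rule already grants.

    Approximation for triage only: fnmatch's '*' crosses '/' (AppArmor's does
    not), and any exec mode counts as covering an exec request.
    """
    missing = []
    for line in candidate_rules:
        path, perms = RULE_RE.match(line).groups()
        need = {c for c in perms if c in "rwmlkx"}
        covered = any(fnmatch.fnmatchcase(path, glob)
                      and need <= {c for c in have if c in "rwmlkx"}
                      for glob, have in existing_rules)
        if not covered:
            missing.append(line)
    return missing


if __name__ == "__main__":
    rules = suggest_rules(parse_denials(SAMPLE_SYSLOG))
    for profile, lines in rules.items():
        print(f"profile {profile} needs:")
        print("\n".join(lines))
    print("\nstill denied with the patch applied:")
    print("\n".join(still_denied(rules["dhclient"],
                                 parse_file_rules(PATCHED_PROFILE_EXCERPT))))
```

Run on the sample, the script reports that the patched profile covers the helper exec but still denies the two /var/lib/NetworkManager files dhclient6 reads and writes, which is exactly what the dhcp6 part of the log above shows. Feeding it `journalctl -k` output from a machine running the profile in complain mode gives the same kind of list for whatever that system's NetworkManager actually touches.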