[Bug 1792728] Re: [apparmor] allow reading squid binary
This bug was fixed in the package squid3 - 3.5.27-1ubuntu1.1

---
squid3 (3.5.27-1ubuntu1.1) bionic; urgency=medium

  [ Simon Deziel ]
  * d/usr.sbin.squid: Update apparmor profile to grant read access to
    squid binary (LP: #1792728)

 -- Christian Ehrhardt  Fri, 28 Sep 2018 09:09:50 +0200

** Changed in: squid3 (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1792728

Title:
  [apparmor] allow reading squid binary

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1792728/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1792728] Re: [apparmor] allow reading squid binary
Verification with bionic-proposed's version 3.5.27-1ubuntu1.1 went well. Thanks!

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic
[Bug 1792728] Re: [apparmor] allow reading squid binary
Hello Simon, or anyone else affected,

Accepted squid3 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/squid3/3.5.27-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: squid3 (Ubuntu Bionic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-bionic
[Bug 1792728] Re: [apparmor] allow reading squid binary
Uploaded to bionic-proposed, waiting for SRU team approval.

** Changed in: squid3 (Ubuntu Bionic)
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to squid3 in Ubuntu.
https://bugs.launchpad.net/bugs/1792728

Title:
  [apparmor] allow reading squid binary

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1792728/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1792728] Re: [apparmor] allow reading squid binary
Thanks for the template and the PPA build for Bionic. 3.5.27-1ubuntu1.1 from the PPA tested fine.
[Bug 1792728] Re: [apparmor] allow reading squid binary
I carried your change between the repos (it is a trivial change after all) and opened an MP for it.
=> https://code.launchpad.net/~paelzer/ubuntu/+source/squid3/+git/squid3/+merge/355816

** Description changed:

[Impact]

 * Squid ships with a (disabled by default) apparmor profile

 * In the current configuration this is blocking squid from working
   correctly (profile was created for an older version)

 * But the access that breaks it is not security critical and can be
   allowed, so the fix is adapting the profile to do so.

[Test Case]

 * See the nice "steps to reproduce" just below added by the reporter
   when filing the bug initially

[Regression Potential]

 * Opening up an apparmor rule ever so slightly, I can't see a
   reasonable regression potential doing so.

[Other Info]

 * n/a

---

Problem description:

Running squid in a container with a host using Bionic's kernel fails if squid's apparmor profile is enabled. The denial message is:

Sep 15 13:28:34 simon-laptop kernel: audit: type=1400 audit(1537032514.528:312): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=12177 comm="squid" requested_mask="r" denied_mask="r" fsuid=100 ouid=100

Steps to reproduce:

Create a container named foo:
$ lxc launch ubuntu-daily:cosmic foo

Install squid:
$ lxc exec foo -- apt-get install -y squid

Confirm it's running fine:
$ lxc exec foo -- ps aux| grep squid
root      1012  0.0  0.0  68120  2320 ?  Ss   17:46   0:00 /usr/sbin/squid -YC -f /etc/squid/squid.conf
proxy     1015  0.0  0.0 108236 22068 ?  S    17:46   0:00 (squid-1) -YC -f /etc/squid/squid.conf
proxy     1022  0.0  0.0   5736  1352 ?  S    17:46   0:00 (logfile-daemon) /var/log/squid/access.log

Enable Apparmor profile (disabled by default):
$ lxc exec foo -- rm /etc/apparmor.d/disable/usr.sbin.squid
$ lxc exec foo -- apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.squid
$ lxc exec foo -- service squid restart

Check if squid is still running:
$ lxc exec foo -- ps aux| grep squid

It is not running anymore and looking at the host's journalctl, we see an Apparmor denial message:
$ journalctl -o cat -k | tail -n1
audit: type=1400 audit(1537033754.195:348): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=26039 comm="squid" requested_mask="r" denied_mask="r" fsuid=100 ouid=100

A workaround is to allow read access to the binary.

Workaround:
$ lxc exec foo -- sed -i 's/squid ix,$/squid rix,/' /etc/apparmor.d/usr.sbin.squid
$ lxc exec foo -- apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.squid
$ lxc exec foo -- service squid restart

Check if squid started fine this time:
$ lxc exec foo -- ps aux| grep squid
root      1283  0.0  0.0  68120  2320 ?  Ss   17:53   0:00 /usr/sbin/squid -YC -f /etc/squid/squid.conf
proxy     1285  0.0  0.0 108240 22140 ?  S    17:53   0:00 (squid-1) -YC -f /etc/squid/squid.conf
proxy     1286  0.0  0.0   5736  1304 ?  S    17:53   0:00 (logfile-daemon) /var/log/squid/access.log

Additional information:
$ lxc exec foo -- lsb_release -rd
Description:    Ubuntu Cosmic Cuttlefish (development branch)
Release:        18.10

$ lxc exec foo -- apt-cache policy squid
squid:
  Installed: 3.5.27-1ubuntu1
  Candidate: 3.5.27-1ubuntu1
  Version table:
 *** 3.5.27-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status

Note: the problem also exists on Bionic so once Cosmic is fixed, an SRU to Bionic would be nice.
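The denial record and the ix to rix rule change from the report above, worked through as an added shell example that is not part of the bug thread: it pulls the profile, path and denied mask out of the audit record, checks whether the existing rule already carries those permission letters, and proposes the narrow change that adds only the denied letters. The audit line is copied from the report, the old rule line is a constructed excerpt, and the rule parsing assumes a simple one-line "path mode," rule without owner or quoting.

```shell
#!/bin/sh
# Constructed copy of the host-side denial quoted in the bug report.
DENIAL='audit: type=1400 audit(1537033754.195:348): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=26039 comm="squid" requested_mask="r" denied_mask="r" fsuid=100 ouid=100'
# Constructed excerpt of the old profile: the rule the report patches with sed.
OLD_RULE='  /usr/sbin/squid ix,'

# Print the value of one key="value" field from an audit record.
audit_field() {  # usage: audit_field LINE KEY
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\([^\"]*\)\".*/\1/p"
}

# Succeed when every letter of MASK is already in the rule's mode string.
rule_grants() {  # usage: rule_grants RULE MASK
    mode=${1##* }; mode=${mode%,}
    for c in $(printf '%s' "$2" | sed 's/./& /g'); do
        case $mode in *"$c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Print RULE with the letters of MASK that it lacks added (here: ix -> rix).
add_mode() {  # usage: add_mode RULE MASK
    rule=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
    path=${rule% *}; mode=${rule##* }; mode=${mode%,}
    missing=''
    for c in $(printf '%s' "$2" | sed 's/./& /g'); do
        case $mode in *"$c"*) ;; *) missing="$missing$c" ;; esac
    done
    printf '%s %s%s,\n' "$path" "$missing" "$mode"
}

# Tie it together: name the denied path and propose the narrowest rule change.
explain_denial() {  # usage: explain_denial LINE RULE
    name=$(audit_field "$1" name); mask=$(audit_field "$1" denied_mask)
    if rule_grants "$2" "$mask"; then
        printf 'rule already grants %s on %s\n' "$mask" "$name"
    else
        printf 'profile %s denies %s on %s; change rule to: %s\n' \
            "$(audit_field "$1" profile)" "$mask" "$name" "$(add_mode "$2" "$mask")"
    fi
}

explain_denial "$DENIAL" "$OLD_RULE"
```

Only the letters in denied_mask are added, which keeps the profile as tight as the bug's own fix rather than widening the rule to a full rwx grant.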
[Bug 1792728] Re: [apparmor] allow reading squid binary
** Merge proposal linked:
   https://code.launchpad.net/~paelzer/ubuntu/+source/squid3/+git/squid3/+merge/355816
[Bug 1792728] Re: [apparmor] allow reading squid binary
Also added an SRU Template to fulfill the process along all of this.
[Bug 1792728] Re: [apparmor] allow reading squid binary
Yeah sorry for the delay Simon, due to the hiccup of the squid3 fix clashing with the squid4 upload that finally was passing the NEW queue and all that, this got lost.
Yes, now'd be a good time to start this.
But first let's mark the bug according to its current state.
Due to the bug being fixed for src:squid and not the old src:squid3 the update got lost.

** Also affects: squid (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: squid (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: squid3 (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: squid (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: squid3 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** No longer affects: squid (Ubuntu Bionic)

** No longer affects: squid3 (Ubuntu Cosmic)

** Changed in: squid3 (Ubuntu)
       Status: New => Invalid

** Changed in: squid3 (Ubuntu Bionic)
       Status: New => Triaged

** Changed in: squid (Ubuntu Cosmic)
       Status: New => Fix Released
[Bug 1792728] Re: [apparmor] allow reading squid binary
I just confirmed that Cosmic's version works:

$ lxc exec foo -- apt-cache policy squid
squid:
  Installed: 4.1-1ubuntu2
  Candidate: 4.1-1ubuntu2
  Version table:
 *** 4.1-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        100 /var/lib/dpkg/status

@cpaelzer, would now be a good time to start the SRU process to Bionic?
[Bug 1792728] Re: [apparmor] allow reading squid binary
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/squid/+git/squid/+merge/355455
[Bug 1792728] Re: [apparmor] allow reading squid binary
All the builds failed presumably due to stricter gcc checks [-Werror=class-memaccess]. Let me know if there is anything I should be doing to get this fixed properly.
[Bug 1792728] Re: [apparmor] allow reading squid binary
Thanks Christian, your help is much appreciated, as always!
[Bug 1792728] Re: [apparmor] allow reading squid binary
Since the profile does not exist in Debian there isn't much upstreaming to do for the time being. We can track migration into cosmic now and then consider an SRU.
[Bug 1792728] Re: [apparmor] allow reading squid binary
** Merge proposal linked:
   https://code.launchpad.net/~sdeziel/ubuntu/+source/squid3/+git/squid3/+merge/354989