Hi, /etc/apparmor.d/usr.sbin.chronyd has #include <abstractions/nameservice>
And thereby should have: /etc/apparmor.d/abstractions/nameservice: #include <abstractions/mdns> Which in turn defines: /etc/apparmor.d/abstractions/mdns: # mdnsd /etc/apparmor.d/abstractions/mdns: /etc/nss_mdns.conf r, /etc/apparmor.d/abstractions/mdns: /{,var/}run/mdnsd w, There is no mdns.allow but if that is a common thing for mdns we should add the rule. The file belongs to apparmor itself and I think that abstraction would need a fix: apparmor: /etc/apparmor.d/abstractions/mdns It seems it is a common pattern, see https://github.com/lathiat/nss-mdns#etcmdnsallow Therefore this bug IMHO is actually: "please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns" I'll modify it accordingly, but please speak up if you disagree. Since this potentially hits any apparmor isolated application using nameservices I'd mark it as critical until the security Team explains why it is not. OTOH such a one line addition should be easily done in apparmor. ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Summary changed: - AppArmor denied access to /etc/mdns.allow to cronyd + please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns ** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security) ** Changed in: apparmor (Ubuntu) Importance: Undecided => Critical ** Changed in: chrony (Ubuntu) Status: New => Invalid ** Description changed: + In focal users of mdns get denials in apparmor confined applications. + An exampel can be found in the original bug below. + + It seems it is a common pattern, see + https://github.com/lathiat/nss-mdns#etcmdnsallow + + Therefore I'm asking to add + /etc/mdns.allow r, + to the file + /etc/apparmor.d/abstractions/mdns" + by default. 
+ 
+ --- original bug ---
+ Many repetitions of

audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0

in log.

I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains
  hosts: files mdns [NOTFOUND=return] myhostname dns
and /etc/mdns.allow contains the domains to resolve with mDNS (in my case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html).

Presumably chronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: chrony 3.5-6ubuntu1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Sun Mar 29 15:02:39 2020
InstallationDate: Installed on 2020-03-26 (3 days ago)
InstallationMedia: Xubuntu 20.04 LTS "Focal Fossa" - Alpha amd64 (20200326)
ProcEnviron:
-  TERM=xterm-256color
-  PATH=(custom, no user)
-  XDG_RUNTIME_DIR=<set>
-  LANG=en_US.UTF-8
-  SHELL=/bin/bash
+ TERM=xterm-256color
+ PATH=(custom, no user)
+ XDG_RUNTIME_DIR=<set>
+ LANG=en_US.UTF-8
+ SHELL=/bin/bash
SourcePackage: chrony
UpgradeStatus: No upgrade log present (probably fresh install)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1869629

Title:
  please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns

Status in apparmor package in Ubuntu:
  New
Status in chrony package in Ubuntu:
  Invalid

Bug description:
  (same text as the "Description changed" block above)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
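Added example, not part of the bug report and not code from chrony or the AppArmor project: a small Python script that does by hand what aa-logprof does for a denial like the one quoted above. It parses apparmor="DENIED" audit lines, expands the {a,b} alternations and globs in an abstraction's existing file rules, and reports only the rules the abstraction still lacks, so the /run/mdnsd denial (already covered by "/{,var/}run/mdnsd w,") is filtered out while "/etc/mdns.allow r," is proposed. The audit lines and the copy of abstractions/mdns embedded in the script are constructed for this example (the abstraction text is the pre-fix content quoted in the comment); the glob handling covers only the *, **, ? and {,} forms and plain "path perms," rules, which is a simplification of the AppArmor rule language assumed here.

```python
"""Added example: turn AppArmor DENIED audit lines into the file rules an
abstraction is missing, as a by-hand check before filing the /etc/mdns.allow
case against abstractions/mdns."""
import re

# Constructed sample log, modelled on the denial quoted in the bug report:
# two repeats of the /etc/mdns.allow denial plus one for /run/mdnsd, which the
# existing abstraction already covers through its {,var/} alternation.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
audit: type=1400 audit(1585517170.101:64): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
audit: type=1400 audit(1585517171.222:65): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/run/mdnsd" pid=1983815 comm="chronyd" requested_mask="w" denied_mask="w" fsuid=123 ouid=0
"""

# Constructed copy of abstractions/mdns as quoted in the comment (before the fix).
MDNS_ABSTRACTION = """\
# mdnsd
/etc/nss_mdns.conf r,
/{,var/}run/mdnsd w,
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
BRACE_RE = re.compile(r'\{([^{}]*)\}')


def parse_denials(text):
    """Return (profile, path, denied_mask) for every apparmor="DENIED" line."""
    found = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {k: (q or u) for k, q, u in FIELD_RE.findall(line)}
        if "name" in fields and "denied_mask" in fields:
            found.append((fields["profile"], fields["name"], fields["denied_mask"]))
    return found


def expand_braces(pattern):
    """Expand AppArmor {a,b} alternations: /{,var/}run/x -> /run/x, /var/run/x."""
    m = BRACE_RE.search(pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def glob_to_regex(glob):
    """Simplified AppArmor globbing: * stops at '/', ** crosses it, ? is one char."""
    regex, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            regex, i = regex + ".*", i + 2
        elif glob[i] == "*":
            regex, i = regex + "[^/]*", i + 1
        elif glob[i] == "?":
            regex, i = regex + "[^/]", i + 1
        else:
            regex, i = regex + re.escape(glob[i]), i + 1
    return re.compile("^" + regex + "$")


def parse_rules(text):
    """Collect plain '<path> <perms>,' file rules; comments and #include lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line.endswith(","):
            continue
        parts = line[:-1].split()
        if len(parts) == 2:
            rules.append((parts[0], parts[1]))
    return rules


def covered(rules, path, mask):
    """True if some rule matches the path and grants every requested permission."""
    return any(
        glob_to_regex(alt).match(path) and set(mask) <= set(perms)
        for glob, perms in rules
        for alt in expand_braces(glob)
    )


def propose_rules(audit_text, abstraction_text):
    """Map profile -> sorted list of rules the abstraction still lacks."""
    rules = parse_rules(abstraction_text)
    missing = {}
    for profile, path, mask in parse_denials(audit_text):
        if covered(rules, path, mask):
            continue
        have = missing.setdefault(profile, {}).get(path, "")
        missing[profile][path] = "".join(sorted(set(have) | set(mask)))
    return {p: sorted(f"{path} {perms}," for path, perms in v.items()) for p, v in missing.items()}


if __name__ == "__main__":
    for profile, rules in propose_rules(SAMPLE_AUDIT, MDNS_ABSTRACTION).items():
        print(f"{profile}: rules missing from the abstraction:")
        for rule in rules:
            print("  " + rule)
```

Appending the proposed "/etc/mdns.allow r," line to the abstraction text and running propose_rules again yields an empty result, which is the check one would make before reloading the profiles with apparmor_parser.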