Hello knz, or anyone else affected,

Accepted apparmor into yakkety-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/apparmor/2.10.95-4ubuntu5.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed.  Your feedback will aid us in getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification.  Thank you in
advance!

** Also affects: ntp (Ubuntu Yakkety)
   Importance: High
     Assignee: Joshua Powers (powersj)
       Status: Invalid

** Also affects: apparmor (Ubuntu Yakkety)
   Importance: High
     Assignee: Tyler Hicks (tyhicks)
       Status: Triaged

** Changed in: apparmor (Ubuntu Yakkety)
       Status: Triaged => Fix Committed

** Tags added: verification-needed

https://bugs.launchpad.net/bugs/1598759

Title:
  AppArmor nameservice abstraction doesn't allow communication with
  systemd-resolved

Status in AppArmor:
  In Progress
Status in apparmor package in Ubuntu:
  Fix Committed
Status in ntp package in Ubuntu:
  Invalid
Status in apparmor source package in Yakkety:
  Fix Committed
Status in ntp source package in Yakkety:
  Invalid

Bug description:
  [ Impact ]

  Processes confined by AppArmor profiles making use of the nameservice
  AppArmor abstraction are unable to access the systemd-resolved network
  name resolution service. The nsswitch.conf file shipped in Yakkety
  puts the nss-resolve plugin to use, which talks to systemd-resolved
  over D-Bus. The D-Bus communication is blocked for the confined
  processes described above, and those processes will fall back to the
  traditional means of name resolution.

  [ Test Case ]

  * Use ntpd to test:
    $ sudo apt-get install -y ntp
    ...
    $ sudo systemctl stop ntp

    # in another terminal, watch for AppArmor denials
    $ dmesg -w

    # in the original terminal, start ntp
    $ sudo systemctl start ntp

    # You'll see a number of denials on the system_bus_socket file:
    audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=3867 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0

  * Use tcpdump to test:

    # Capture traffic on whichever network interface you're currently using
    $ sudo tcpdump -i eth0

    # Look in /var/log/syslog for denials on the system_bus_socket file:
    audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  In both situations, ntpd and tcpdump will seemingly work as expected
  due to the name resolution fallback configured in nsswitch.conf.
  However, neither confined process will be using systemd-resolved for
  name resolution.

  [ Regression Potential ]

  This fix will allow ntp, tcpdump, cupsd, dhclient, and other
  confined-by-default programs to start using systemd-resolved. There is
  some potential for regression since those applications have not
  previously been using systemd-resolved.

  [ Original bug description ]

  On this plain install of Xenial apparmor complains about ntpd:

  [   19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   22.426246] audit: type=1400 audit(1467623333.434:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   22.771326] audit: type=1400 audit(1467623333.782:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
  [   23.568548] audit: type=1400 audit(1467623334.574:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0

  Adding the following line to /etc/apparmor.d/usr.sbin.ntpd fixes the
  problem:

      #include <abstractions/dbus-strict>
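To make the check in the Test Case section repeatable before and after installing the -proposed package, here is an added Python triage script (not part of the bug report or of the apparmor package) that parses AppArmor audit records from dmesg or syslog and reports which confined profiles were denied the connect() to the D-Bus system bus socket; the sample records reuse two denials quoted in this bug plus two constructed lines that must be ignored.

```python
"""Triage AppArmor DENIED records like the ones quoted in this bug.

Added example (not from the bug report or the apparmor package): parses
key="value" audit lines from `dmesg -w` / /var/log/syslog and reports the
profiles refused connect() to the D-Bus socket that nss-resolve uses.
"""
import re
from collections import defaultdict

# key=value pairs; the value is either double-quoted or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<epoch>.<msec>:<serial>) prefix carried by every audit record.
_AUDIT_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\)")

DBUS_SYSTEM_SOCKET = "/run/dbus/system_bus_socket"


def parse_audit_line(line):
    """Return the record's fields as a dict, or None for non-audit lines."""
    m = _AUDIT_RE.search(line)
    if m is None:
        return None
    fields = {"epoch": int(m.group(1)), "serial": int(m.group(3))}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def dbus_socket_denials(lines):
    """Map profile -> [audit serials] for DENIED connect() on the system bus.
    An empty result with the fixed package is what verification-done needs."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec.get("apparmor") != "DENIED":
            continue
        if rec.get("operation") == "connect" and rec.get("name") == DBUS_SYSTEM_SOCKET:
            hits[rec.get("profile", "<unknown>")].append(rec["serial"])
    return dict(hits)


# Two records quoted in the bug report, plus two constructed lines that must be
# ignored: an unrelated file denial and an ordinary kernel log line.
SAMPLE_DMESG = [
    '[   19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0',
    'audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
    'audit: type=1400 audit(1476240900.000:41): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/var/lib/ntp/ntp.drift" pid=4513 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=121 ouid=0',
    '[   25.000000] systemd-resolved[612]: Positive Trust Anchors:',
]

if __name__ == "__main__":
    for profile, serials in sorted(dbus_socket_denials(SAMPLE_DMESG).items()):
        print(f"{profile}: {len(serials)} denied connect() to {DBUS_SYSTEM_SOCKET}")
```

Feed it real output with `dmesg | python3 triage.py` style piping by replacing SAMPLE_DMESG with `sys.stdin`; a profile that still appears after the fixed abstraction is installed is a verification-failed result for that program.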
