I carried your change between the repos (it is a trivial change after all) and opened an MP for it. => https://code.launchpad.net/~paelzer/ubuntu/+source/squid3/+git/squid3/+merge/355816
** Description changed:

+ [Impact]
+ 
+  * Squid ships with a (default disabled) apparmor profile
+ 
+  * In the current configuration this is blocking squid from working
+    correctly (profile was created for an older version)
+ 
+  * But the access that breaks it is not security critical and can be
+    allowed, so the fix is adapting the profile to do so.
+ 
+ [Test Case]
+ 
+  * See the nice "steps to reproduce" just below added by the reporter
+    when filing the bug initially
+ 
+ [Regression Potential]
+ 
+  * Opening up an apparmor rule ever so slightly, I can't see a
+    reasonable regression potential doing so.
+ 
+ [Other Info]
+ 
+  * n/a
+ 
+ ---
+ 
  Problem description:
  
  Running squid in a container with a host using Bionic's kernel fails if
  squid's apparmor profile is enabled.
  
  The denial message is:
  
  Sep 15 13:28:34 simon-laptop kernel: audit: type=1400 audit(1537032514.528:312): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=12177 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
- 
  Steps to reproduce:
  
  Create a container named foo:
  $ lxc launch ubuntu-daily:cosmic foo
  
  Install squid:
  $ lxc exec foo -- apt-get install -y squid
  
  Confirm it's running fine:
  $ lxc exec foo -- ps aux| grep squid
  root      1012  0.0  0.0  68120  2320 ?        Ss   17:46   0:00 /usr/sbin/squid -YC -f /etc/squid/squid.conf
  proxy     1015  0.0  0.0 108236 22068 ?        S    17:46   0:00 (squid-1) -YC -f /etc/squid/squid.conf
  proxy     1022  0.0  0.0   5736  1352 ?        S    17:46   0:00 (logfile-daemon) /var/log/squid/access.log
  
  Enable Apparmor profile (disabled by default):
  $ lxc exec foo -- rm /etc/apparmor.d/disable/usr.sbin.squid
  $ lxc exec foo -- apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.squid
  $ lxc exec foo -- service squid restart
  
  Check if squid is still running:
  $ lxc exec foo -- ps aux| grep squid
- 
  It is not running anymore and, looking at the host's journalctl, we see an
  Apparmor denial message:
  $ journalctl -o cat -k | tail -n1
  audit: type=1400 audit(1537033754.195:348): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=26039 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
- 
  A workaround is to allow read access to the binary.
  
  Workaround:
  $ lxc exec foo -- sed -i 's/squid ix,$/squid rix,/' /etc/apparmor.d/usr.sbin.squid
  $ lxc exec foo -- apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.squid
  $ lxc exec foo -- service squid restart
  
  Check if squid started fine this time:
  $ lxc exec foo -- ps aux| grep squid
  root      1283  0.0  0.0  68120  2320 ?        Ss   17:53   0:00 /usr/sbin/squid -YC -f /etc/squid/squid.conf
  proxy     1285  0.0  0.0 108240 22140 ?        S    17:53   0:00 (squid-1) -YC -f /etc/squid/squid.conf
  proxy     1286  0.0  0.0   5736  1304 ?        S    17:53   0:00 (logfile-daemon) /var/log/squid/access.log
- 
  Additional information:
  
  $ lxc exec foo -- lsb_release -rd
  Description:    Ubuntu Cosmic Cuttlefish (development branch)
  Release:        18.10
  
  $ lxc exec foo -- apt-cache policy squid
  squid:
-   Installed: 3.5.27-1ubuntu1
-   Candidate: 3.5.27-1ubuntu1
-   Version table:
-  *** 3.5.27-1ubuntu1 500
-         500 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
-         100 /var/lib/dpkg/status
- 
+ Installed: 3.5.27-1ubuntu1
+ Candidate: 3.5.27-1ubuntu1
+ Version table:
+ *** 3.5.27-1ubuntu1 500
+ 500 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
+ 100 /var/lib/dpkg/status
  
  Note: the problem also exists on Bionic, so once Cosmic is fixed an SRU to
  Bionic would be nice.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1792728

Title:
  [apparmor] allow reading squid binary

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1792728/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
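The report above boils down to reading one AppArmor audit line and working out which permission the profile is missing (here: the binary mmaps itself at start-up, so the `ix` exec rule needs an `r` as well). As an added example, not part of this bug report or the squid package, the shell script below does that triage for a batch of denial lines: it pulls the `profile`, `name`, `operation` and `denied_mask` fields out of each `apparmor="DENIED"` record, maps the self-mmap case to `rix,` and every other denial to a `<path> <mask>,` rule, and collapses a noisy log to the distinct rules needed. The "rix" suggestion assumes the profile's existing exec rule for its own binary is `ix`, as the workaround in the report shows; the sample log is constructed, with the first line taken from the bug and the rest made up to exercise the non-denial and generic paths.

```shell
#!/bin/sh
# Added example, not from the bug report or the squid package: triage
# AppArmor "DENIED" audit lines into the profile rule that would permit
# the denied access.

# Print the value of the key="value" field $2 from audit line $1 (empty if
# absent). Anchoring on leading whitespace keeps "name" from matching the
# "namespace" field.
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# For one audit line print "<profile> <path> <rule>", where <rule> is the
# file rule to add to <profile>. Lines that are not denials return 1.
aa_suggest_rule() {
    line=$1
    case $line in
        *'apparmor="DENIED"'*) ;;
        *) return 1 ;;
    esac
    profile=$(aa_field "$line" profile)
    path=$(aa_field "$line" name)
    denied=$(aa_field "$line" denied_mask)
    op=$(aa_field "$line" operation)
    if [ "$path" = "$profile" ] && [ "$op" = "file_mmap" ]; then
        # The confined binary mmaps itself at start-up (this bug's case).
        # Assumption, matching the workaround in the report: the existing
        # exec rule for the binary is "ix", so it has to become "rix".
        printf '%s %s rix,\n' "$profile" "$path"
    else
        printf '%s %s %s,\n' "$profile" "$path" "$denied"
    fi
}

# Read audit lines on stdin and print each distinct suggested rule once, so
# a log with many repeats collapses to the set of profile edits needed.
aa_summarize() {
    while IFS= read -r line; do
        aa_suggest_rule "$line" || :
    done | sort -u
}

# Constructed sample log: line 1 is the denial quoted in this bug (repeated
# once to show de-duplication); the STATUS line and the cache.log denial
# are made up to exercise the non-denial and generic paths.
SAMPLE_LOG='audit: type=1400 audit(1537032514.528:312): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=12177 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1537032514.528:312): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=12177 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1537032600.000:400): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/squid" pid=26000 comm="apparmor_parser"
audit: type=1400 audit(1537032601.000:401): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/var/log/squid/cache.log" pid=26039 comm="squid" requested_mask="w" denied_mask="w" fsuid=1000000 ouid=1000000'

# Stand-alone run: one suggested rule per distinct (profile, path).
printf '%s\n' "$SAMPLE_LOG" | aa_summarize
```

On a real host the input would be `journalctl -k -o cat | grep 'apparmor="DENIED"'` (as in the report) piped into `aa_summarize`; each output line names the profile to edit and the rule to add, after which `apparmor_parser -r` reloads the profile exactly as the workaround does.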