** Description changed:
+ [ Impact ]
+
+ * This bug prevents bind9 to open and read the contents of
+ /proc/version_signature
+
+ * The bugfix for Noble and Questing aim to remedy that by providing the
+ needed permissions.
+
+ [ Test Plan ]
+
+ * In order to verify that the fix works correctly, the newly built
+ packages will be installed and run. Afterwards, syslog will be read to
+ verify that this issue is no longer present.
+
+ [ Where problems could occur ]
+
+ * The bugfix only contains additional permissions to read
+ /proc/version_signature, and so users will not be blocked by any new
+ rules. It should be noted that with less restrictions, bind9 is provided
+ with more attack vectors if it were to be compromised. However, since
+ the new rule only adds access to a read-only file, the potential for
+ regressions should be minimized.
+
+ [ Original Description ]
+
No LSB modules are available.
Description: Ubuntu 24.04.2 LTS
Release: 24.04
Package: bind9
Version: 1:9.18.30-0ubuntu0.24.04.2
-
I saw this error in my syslog:
Aug 1 14:49:09 unreliable-witness kernel: audit: type=1400
audit(1754059749.992:194): apparmor="DENIED" operation="open"
class="file" profile="named" name="/proc/version_signature" pid=1700718
comm="named" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
I don't know whether this actually causes any problems with named, but
it's easily fixed by adding this to /etc/apparmor.d/usr.sbin.named:
- @{PROC}/version_signature,r
+ @{PROC}/version_signature,r
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: bind9 1:9.18.30-0ubuntu0.24.04.2
ProcVersionSignature: Ubuntu 6.8.0-63.66-generic 6.8.12
Uname: Linux 6.8.0-63-generic x86_64
NonfreeKernelModules: zfs
ApportVersion: 2.28.1-0ubuntu3.8
Architecture: amd64
CasperMD5CheckResult: pass
Date: Fri Aug 1 16:22:09 2025
InstallationDate: Installed on 2023-11-18 (622 days ago)
InstallationMedia: Ubuntu-Server 22.04.3 LTS "Jammy Jellyfish" - Release
amd64 (20230810)
ProcEnviron:
- LANG=C.UTF-8
- PATH=(custom, no user)
- SHELL=/bin/bash
- TERM=xterm-256color
- XDG_RUNTIME_DIR=<set>
+ LANG=C.UTF-8
+ PATH=(custom, no user)
+ SHELL=/bin/bash
+ TERM=xterm-256color
+ XDG_RUNTIME_DIR=<set>
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
- bind9utils N/A
- apparmor 4.0.1really4.0.1-0ubuntu0.24.04.4
+ bind9utils N/A
+ apparmor 4.0.1really4.0.1-0ubuntu0.24.04.4
SourcePackage: bind9
UpgradeStatus: Upgraded to noble on 2025-04-09 (114 days ago)
modified.conffile..etc.bind.named.conf: [deleted]
modified.conffile..etc.bind.named.conf.default-zones: [deleted]
modified.conffile..etc.bind.named.conf.local: [deleted]
modified.conffile..etc.default.named: [modified]
mtime.conffile..etc.apparmor.d.usr.sbin.named: 2025-08-01T15:42:35.957577
mtime.conffile..etc.default.named: 2025-08-01T15:49:09.406030
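
Added example, not part of the original report or of the bind9 or AppArmor packaging: a Python check for the Test Plan's syslog step that parses AppArmor audit records, lists the denials for the named profile, and renders each as a candidate file rule in AppArmor's "path permissions," form. The function names and the second (ALLOWED) log record are constructed for illustration; only the /proc prefix is mapped to @{PROC}, as in the report.

```python
import re

# Constructed sample: the denial quoted in the report (wrapped as in the mail)
# followed by one constructed ALLOWED record that must be ignored.
SAMPLE_LOG = '''\
Aug 1 14:49:09 unreliable-witness kernel: audit: type=1400
audit(1754059749.992:194): apparmor="DENIED" operation="open"
class="file" profile="named" name="/proc/version_signature" pid=1700718
comm="named" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
Aug 1 14:49:10 unreliable-witness kernel: audit: type=1400 audit(1754059750.100:195): apparmor="ALLOWED" operation="open" class="file" profile="named" name="/etc/bind/named.conf" pid=1700718 comm="named" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
'''

# key="quoted value" or key=bare_value, as written in the audit record
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_records(text):
    """Split syslog text into one dict per type=1400 (AppArmor) audit record."""
    flat = " ".join(text.split())  # undo line wrapping inside a record
    records = []
    for chunk in flat.split("type=1400")[1:]:
        records.append({m.group(1): m.group(2) if m.group(2) is not None
                        else m.group(3) for m in KV.finditer(chunk)})
    return records


def denials(text, profile):
    """Return the DENIED records logged against one AppArmor profile."""
    return [r for r in parse_records(text)
            if r.get("apparmor") == "DENIED" and r.get("profile") == profile]


def candidate_rules(text, profile):
    """Sorted, de-duplicated file rules covering the denied accesses."""
    rules = set()
    for r in denials(text, profile):
        if r.get("class") == "file" and "name" in r and "denied_mask" in r:
            path = r["name"]
            if path.startswith("/proc/"):
                path = "@{PROC}/" + path[len("/proc/"):]
            rules.add(f"{path} {r['denied_mask']},")
    return sorted(rules)


def fix_verified(text, profile, path):
    """Test Plan check: True when the log holds no denial for this path."""
    return not any(r.get("name") == path for r in denials(text, profile))
```

Run fix_verified() over the syslog captured after installing the rebuilt packages and restarting named; candidate_rules() output is meant to be reviewed against the profile before anything is added to it.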
--
https://bugs.launchpad.net/bugs/2119320
Title:
apparmor error opening /proc/version_signature