enterprise-support team mailing list archive, Message #07406
[Bug 1792728] [NEW] [apparmor] allow reading squid binary
Public bug reported:
Problem description:
Running squid in a container with a host using Bionic's kernel fails if
squid's apparmor profile is enabled. The denial message is:
Sep 15 13:28:34 simon-laptop kernel: audit: type=1400 audit(1537032514.528:312): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=12177 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
Steps to reproduce:
Create a container named foo:
$ lxc launch ubuntu-daily:cosmic foo
Install squid:
$ lxc exec foo -- apt-get install -y squid
Confirm it's running fine:
$ lxc exec foo -- ps aux| grep squid
root 1012 0.0 0.0 68120 2320 ? Ss 17:46 0:00 /usr/sbin/squid -YC -f /etc/squid/squid.conf
proxy 1015 0.0 0.0 108236 22068 ? S 17:46 0:00 (squid-1) -YC -f /etc/squid/squid.conf
proxy 1022 0.0 0.0 5736 1352 ? S 17:46 0:00 (logfile-daemon) /var/log/squid/access.log
Enable Apparmor profile (disabled by default):
$ lxc exec foo -- rm /etc/apparmor.d/disable/usr.sbin.squid
$ lxc exec foo -- apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.squid
$ lxc exec foo -- service squid restart
Check if squid is still running:
$ lxc exec foo -- ps aux| grep squid
It is not running anymore and looking at the host's journalctl, we see an Apparmor denial message:
$ journalctl -o cat -k | tail -n1
audit: type=1400 audit(1537033754.195:348): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-foo_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=26039 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
A workaround is to allow read access to the binary.
Workaround:
$ lxc exec foo -- sed -i 's/squid ix,$/squid rix,/' /etc/apparmor.d/usr.sbin.squid
$ lxc exec foo -- apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.squid
$ lxc exec foo -- service squid restart
Check if squid started fine this time:
$ lxc exec foo -- ps aux| grep squid
root 1283 0.0 0.0 68120 2320 ? Ss 17:53 0:00 /usr/sbin/squid -YC -f /etc/squid/squid.conf
proxy 1285 0.0 0.0 108240 22140 ? S 17:53 0:00 (squid-1) -YC -f /etc/squid/squid.conf
proxy 1286 0.0 0.0 5736 1304 ? S 17:53 0:00 (logfile-daemon) /var/log/squid/access.log
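An added example, not from the bug report or from the squid/AppArmor packages: it parses the kernel denial line above, looks up the profile rule that the denied path hits, and derives the same rule change the sed workaround makes (ix becomes rix). The profile excerpt and the denial line are constructed from this report.

```python
import re

# Constructed from the report: the host-side kernel audit line for the denial.
DENIAL = ('audit: type=1400 audit(1537033754.195:348): apparmor="DENIED" '
          'operation="file_mmap" namespace="root//lxd-foo_<var-snap-lxd-common-lxd>" '
          'profile="/usr/sbin/squid" name="/usr/sbin/squid" pid=26039 comm="squid" '
          'requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000')

# Constructed excerpt of /etc/apparmor.d/usr.sbin.squid before the workaround;
# only the rule the report patches is taken from the page, the rest is illustrative.
PROFILE_BEFORE = """/usr/sbin/squid {
  /usr/sbin/squid ix,
  /etc/squid/** r,
}"""

KV = re.compile(r'(\w+)="([^"]*)"')            # key="value" fields of an audit line
RULE = re.compile(r'^\s*(\S+)\s+([a-zA-Z]+),\s*$', re.M)  # simple file rules: path perms,


def parse_denial(line):
    """Return the key="value" fields of an AppArmor audit line, or None if not a denial."""
    fields = dict(KV.findall(line))
    return fields if fields.get("apparmor") == "DENIED" else None


def rule_for(profile_text, path):
    """Permissions of the first file rule whose path is literally `path` (no glob matching)."""
    for rule_path, perms in RULE.findall(profile_text):
        if rule_path == path:
            return perms
    return None


def missing_perms(profile_text, denial):
    """Letters of denied_mask that the matching rule does not grant ('r' for ix here)."""
    perms = rule_for(profile_text, denial["name"]) or ""
    return "".join(c for c in denial["denied_mask"] if c not in perms)


def suggest_fix(profile_text, denial):
    """Rewrite the matching rule so it also grants the denied permissions, e.g. ix -> rix."""
    missing = missing_perms(profile_text, denial)
    if not missing:
        return profile_text
    pattern = r'^(\s*' + re.escape(denial["name"]) + r'\s+)([a-zA-Z]+),'
    return re.sub(pattern, lambda m: m.group(1) + missing + m.group(2) + ",",
                  profile_text, count=1, flags=re.M)


if __name__ == "__main__":
    d = parse_denial(DENIAL)
    print("missing:", missing_perms(PROFILE_BEFORE, d))
    print(suggest_fix(PROFILE_BEFORE, d))
```

The rule matcher is deliberately literal; real profiles use globs and abstractions, so treat the output as a hint to review, the way aa-logprof output is reviewed.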
Additional information:
$ lxc exec foo -- lsb_release -rd
Description: Ubuntu Cosmic Cuttlefish (development branch)
Release: 18.10
$ lxc exec foo -- apt-cache policy squid
squid:
Installed: 3.5.27-1ubuntu1
Candidate: 3.5.27-1ubuntu1
Version table:
*** 3.5.27-1ubuntu1 500
500 http://archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
100 /var/lib/dpkg/status
Note: the problem also exists on Bionic, so once Cosmic is fixed, an
SRU to Bionic would be nice.
** Affects: squid3 (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1792728