group.of.nepali.translators team mailing list archive
Message #20311
[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path
While I see the non-crit "other" issue with opening its own binary I cannot confirm the disconnected path issue in a current xenial guest.
Since we knew this appears when triggering the running service to emit an error message I tried to force such an error message. I knew on later releases I could do so by e.g. spawning another virtual interface to bind on by starting a KVM guest (ntp would try to bind on that but fails).
On Xenial I see the error messages without any apparmor related issue.
While I don't know what is different on bug 1475019 (maybe ntp was manually namespaced on that setup) this bug here "as reported" is a regression in 17.10.
** Changed in: ntp (Ubuntu Xenial)
Status: New => Invalid
** Changed in: ntp (Ubuntu Zesty)
Status: New => Invalid
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1727202
Title:
[17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path
Status in ntp package in Ubuntu:
Fix Released
Status in ntp source package in Xenial:
Invalid
Status in ntp source package in Zesty:
Invalid
Status in ntp source package in Artful:
Fix Committed
Status in ntp source package in Bionic:
Fix Released
Bug description:
[Impact]
* NTP has new isolation features which make it trigger apparmor issues.
* Those apparmor issues not only clutter the log and make other things less readable, they also prevent ntp from reporting its actual messages.
* Fix is opening the apparmor profile to follow ntp through the disconnect by the isolation feature.
[Test Case]
* This is hard to trigger, but then also not. Which means it is not entirely sorted out when it triggers and when not, but the following does trigger it in tests of Pitti and also mine (while at the same time sometimes it does not - maybe I had other guests or kvm instead of lxd)
* First install ntp in Artful (or above unless fixed)
* Install ntp and check dmesg for denies
* Once an issue triggers instead of the error in syslog you'll see the apparmor Deny like:
apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
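An added example (not part of this bug report, the ntp package or Ubuntu's tooling) that parses AppArmor audit records like the one above and separates "disconnected path" denials, which no ordinary path rule can match, from regular file-access denials. The first sample line is the denial quoted in the bug; the second and third lines are constructed for contrast (the "open its own binary" denial mentioned in the comments, and an ALLOWED record). The `flags=(attach_disconnected)` profile change it suggests is the usual AppArmor remedy for such denials and is an assumption here, not text quoted from the package's actual fix.

```python
"""Triage AppArmor audit lines and flag "disconnected path" denials.

Added example for LP bug 1727202; not code from the ntp package. The
SAMPLE_LOG below is constructed: line 1 is the denial quoted in the bug,
lines 2 and 3 are made up to show a normal denial and an ALLOWED record.
"""
import re
from collections import Counter

# Matches key="value with spaces" as well as key=bare-token fields.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOG = """\
audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1508915900.001:26): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/sbin/ntpd" pid=5600 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1508915901.002:27): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=5600 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""


def parse_audit_line(line):
    """Return the key/value fields of an AppArmor audit line, or None otherwise."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def is_disconnected_path_denial(fields):
    """True for a DENIED record whose lookup failed on a disconnected path.

    Such records carry the info text seen in the bug, and the name has no
    leading '/' because it could not be resolved against the namespace root.
    """
    return (fields.get("apparmor") == "DENIED"
            and "disconnected path" in fields.get("info", ""))


def summarize_denials(log_text):
    """Count DENIED records per (profile, operation, name) and collect, per
    profile, the (name, denied_mask) pairs that hit disconnected paths."""
    counts = Counter()
    disconnected = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        counts[(fields.get("profile"), fields.get("operation"), fields.get("name"))] += 1
        if is_disconnected_path_denial(fields):
            disconnected.setdefault(fields["profile"], set()).add(
                (fields["name"], fields.get("denied_mask", "")))
    return counts, disconnected


def suggest_profile_changes(disconnected):
    """Render the profile adjustment such denials usually call for (assumed
    standard remedy, not quoted from the ntp package): the attach_disconnected
    flag, plus a rule for each path as if it were rooted at '/'."""
    lines = []
    for profile, entries in sorted(disconnected.items()):
        lines.append(f"# {profile}: add flags=(attach_disconnected) to the profile header,")
        lines.append("# then grant the formerly disconnected paths as if rooted at /:")
        for name, mask in sorted(entries):
            lines.append(f"  /{name.lstrip('/')} {mask},")
    return "\n".join(lines)


if __name__ == "__main__":
    counts, disconnected = summarize_denials(SAMPLE_LOG)
    for (profile, op, name), n in counts.most_common():
        print(f"{n:3d}  {profile}  {op}  {name}")
    print(suggest_profile_changes(disconnected))
```

Run it against `journalctl -k` or `dmesg` output instead of SAMPLE_LOG to see which profiles on a host are tripping over disconnected paths rather than missing plain file rules; the two need different fixes, and the info text is what tells them apart.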
[Regression Potential]
* We are slightly opening up the apparmor profile which is far lower risk than adding more constraints. So safe from that POV.
* OTOH one could think this might be a security issue, but in fact this isn't a new suggestion if you take a look at [1] with an ack by Seth of the Security Team.
[Other Info]
* n/a
[1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html
----
Merely installing and starting ntp.service in Ubuntu 17.10 now causes this AppArmor violation:
audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
(many times). This hasn't happened in earlier Ubuntu releases yet.
This was spotted by Cockpit's integration tests, as our "ubuntu-stable" image now moved to 17.10 after its release.
ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
Date: Wed Oct 25 03:19:34 2017
SourcePackage: ntp
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions