group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1741227] Re: apparmor denial to several paths to binaries

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: ChristianEhrhardt <1741227@xxxxxxxxxxxxxxxxxx>
Date: Wed, 14 Feb 2018 08:08:44 -0000
Reply-to: Bug 1741227 <1741227@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Hi Tony,
yeah this is so far only fixed in Bionic (18.04) onwards.
It it not really an issue other than a log message itself (it is not needed for the opt parsing).
It occurs "only" on NTP start/restart (since it is arg parsing) so it is not that frequent that it would fill up the log or similar secondary issues.

All that makes it a hard case for the SRU policy [1] to make this change in releases.
Until then everybody who bothers about the log message can add:
   /usr/local/{,s}bin/  r,
to
   /etc/apparmor.d/usr.sbin.ntpd

I'm adding X/A bug tasks and set won't fix to mark that more explicitly.

I'm happy to discuss if one thinks this case would qualify fot the SRU
policy - the change itself is easy enough to be done.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates

** Also affects: ntp (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: ntp (Ubuntu Artful)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1741227

Title:
  apparmor denial to several paths to binaries

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Triaged
Status in ntp source package in Artful:
  Triaged

Bug description:
  [Impact]

   * Apparmor denies access to bin directories which the option parsing code 
     of ntp touches.

  [Test Case]

   1. get a container of target release
   2. install ntp
      apt install ntp
   3. watch dmesg on container-host
      dmesg -w
   4. restart ntp in container
      systemctl restart ntp
   => see (or no more after fix) apparmor denie:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
     changes poses a security risk so regression potential on it's own
     should be close to zero.

   * we discussed if this would be a security risk but came to the 
     conclusion that r-only should be ok (the same content anyone can grab 
     from the archive by installing the packages)

  [Other Info]

   * n/a

  Issue shows up (non fatal) as:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Since non crit this is mostyl about many of us being curious why it
  actually does do it :-)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1741227/+subscriptions