touch-packages team mailing list archive

Thread
Date
[Bug 1417658] Re: apparmor denied operation file_inherit from networkmanager

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: alp <alp@xxxxxxxxxx>
Date: Mon, 30 Mar 2015 14:02:08 -0000
Reply-to: Bug 1417658 <1417658@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This issue causes incomplete dhcp configuration to assign a stale IP
that may already be leased to another device on the network.

The fix is to backport the AppArmor profile updates from
https://launchpad.net/ubuntu/+source/isc-dhcp/4.2.4-7ubuntu14

diff -pruN 4.2.4-7ubuntu13/debian/apparmor-profile.dhclient 4.2.4-7ubuntu14/debian/apparmor-profile.dhclient
--- 4.2.4-7ubuntu13/debian/apparmor-profile.dhclient	2014-06-25 12:05:29.000000000 +0000
+++ 4.2.4-7ubuntu14/debian/apparmor-profile.dhclient	2014-08-27 14:01:23.000000000 +0000
@@ -74,11 +74,15 @@
   /var/lib/NetworkManager/*lease r,
   signal (receive) peer=/usr/sbin/NetworkManager,
   ptrace (readby) peer=/usr/sbin/NetworkManager,
+  network inet dgram,
+  network inet6 dgram,
 }
 
 /usr/lib/connman/scripts/dhclient-script {
   #include <abstractions/base>
   #include <abstractions/dbus>
   /usr/lib/connman/scripts/dhclient-script      mr,
+  network inet dgram,
+  network inet6 dgram,
 }
 
diff -pruN 4.2.4-7ubuntu13/debian/changelog 4.2.4-7ubuntu14/debian/changelog
--- 4.2.4-7ubuntu13/debian/changelog	2014-06-25 12:31:57.000000000 +0000
+++ 4.2.4-7ubuntu14/debian/changelog	2014-08-27 14:04:04.000000000 +0000
@@ -1,3 +1,10 @@
+isc-dhcp (4.2.4-7ubuntu14) utopic; urgency=medium
+
+  * debian/apparmor-profile.dhclient: add file_inherit inet{,6} dgram rules
+    for child profiles
+
+ -- Jamie Strandboge <jamie@xxxxxxxxxx>  Wed, 27 Aug 2014 09:01:46 -0500
+
 isc-dhcp (4.2.4-7ubuntu13) utopic; urgency=medium
 
   * apparmor-profile.dhclient: allow signal receive and ptrace readby by

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1417658

Title:
  apparmor denied operation file_inherit from networkmanager

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Hallo,

  on Kubuntu 14.04.x dmesg shows me the following apparmor messages;

  Is this normal or is this a security issue together with network-
  manager?

  [   16.171766] audit: type=1400 audit(1422595680.679:68): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2229 comm="nm-dhcp-client." lport=10320 family="inet" sock_type="dgram" protocol=17
  [   16.171772] audit: type=1400 audit(1422595680.679:69): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2229 comm="nm-dhcp-client." lport=21985 family="inet6" sock_type="dgram" protocol=17
  [   16.199936] audit: type=1400 audit(1422595680.707:70): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2246 comm="nm-dhcp-client." lport=10320 family="inet" sock_type="dgram" protocol=17
  [   16.199943] audit: type=1400 audit(1422595680.707:71): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2246 comm="nm-dhcp-client." lport=21985 family="inet6" sock_type="dgram" protocol=17
  [   16.201369] audit: type=1400 audit(1422595680.707:72): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2248 comm="nm-dhcp-client." lport=10320 family="inet" sock_type="dgram" protocol=17
  [   16.201379] audit: type=1400 audit(1422595680.707:73): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2248 comm="nm-dhcp-client." lport=21985 family="inet6" sock_type="dgram" protocol=17
  [   17.206342] audit: type=1400 audit(1422595681.711:74): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2468 comm="nm-dhcp-client." lport=10320 family="inet" sock_type="dgram" protocol=17
  [   17.206349] audit: type=1400 audit(1422595681.711:75): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2468 comm="nm-dhcp-client." lport=21985 family="inet6" sock_type="dgram" protocol=17

  When I logon to KDE, KDE hangs sometimes  for 3sec at the login-
  process , when there is no internet connection (DSL modem did not
  dial-in yet).

  Thanks for your help!
  Best regards, Bernhard

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1417658/+subscriptions
References

[Bug 1417658] [NEW] apparmor denied operation file_inherit from networkmanager
From: Bernhard, 2015-02-03