touch-packages team mailing list archive

Thread
Date
[Bug 1403468] Re: dnsmasq profile incomplete for lxc usage

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1403468@xxxxxxxxxxxxxxxxxx>
Date: Mon, 15 Jun 2015 16:44:24 -0000
Reply-to: Bug 1403468 <1403468@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.2

---------------
apparmor (2.8.95~2430-0ubuntu5.2) trusty-proposed; urgency=medium

  * debian/patches/php5-Zend_semaphore-lp1401084.patch: allow php5
    abstraction access to Zend opcache files (LP: #1401084)
  * debian/patches/dnsmasq-lxc_networking-lp1403468.patch: update
    profile for lxc support (LP: #1403468)
  * debian/patches/profiles-texlive_font_generation-lp1010909.patch:
    allow generation of texlive fonts by sanitized-helpers
    (LP: #1010909)
  * debian/apport/source_apparmor.py: fix the apparmor apport hook
    so it does not raise an exception if a non-unicode character is
    found in /var/log/kern.log or in /var/log/syslog. This should
    work under python3 or python2.7 (LP: #1304447)
  * debian/patches/profiles-dovecot-updates-lp1296667.patch: update
    dovecot profiles to address several missing permissions.
    (LP: #1296667)
  * debian/patches/profiles-adjust_X_for_lightdm-lp1339727.patch:
    adjust X abstraction for LightDM xauthority location (LP: #1339727)
  * debian/patches/libapparmor-fix_memory_leaks-lp1340927.patch; fix
    memory leaks in log parsing component of libapparmor (LP: #1340927)
  * debian/patches/libapparmor-another_audit_format-lp1399027.patch:
    add support for another log format style (LP: #1399027)
  * debian/patches/tests-workaround_for_unix_socket_change-lp1425398.patch:
    work around apparmor kernel behavioral change in regression tests
    (LP: #1425398)
  * debian/control: add breaks on python3-apparmor against older
    apparmor-utils that used to be where python bits lived
    (LP: #1373259)
  * debian/patches/utils-update_to_2.9.2.patch: update the python
    utilities to the upstream 2.9.2 (LP: #1449769, incorporating a
    large number of fixes and improvements, including:
    - fix aa-genprof traceback with apparmor 2.8.95 (LP: #1294797)
    - fix aa-genprof crashing when selecting scan on Ubuntu 14.04 server
      (LP: #1319829)
    - make aa-logprof read profile instead of program binary
      (LP: #1317176, LP: #1324154)
    - aa-complain: don't traceback when marking multiple profiles
      (LP: #1378095)
    - make python tools able to parse mounts with UTF-8 non-ascii
      characters (LP: #1310598)

 -- Steve Beattie <sbeattie@xxxxxxxxxx>  Thu, 30 Apr 2015 12:18:08 -0700

** Changed in: apparmor (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1403468

Title:
  dnsmasq profile incomplete for lxc usage

Status in AppArmor Linux application security framework:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  [impact]

  This bug prevents the proper functioning of dnsmasq under lxc

  [steps to reproduce]

  1) install lxc
  2) start container, do dns lookups within it
  3) with the fix applied,  dnsmasq in the host os should not generate
  apparmor rejections in syslog

  [regression potential]

  The change in the patch for this bug is a slight loosening of the
  apparmor policy for dnsmasq. The risk of an introduced regression
  is small.

  [original description]

  Hi,

  I am using the dnsmasq profile with lxc, and I am getting DENIED
  messages like:

  Dec 16 22:26:58 superstar kernel: [226445.568383] type=1400
  audit(1418768818.310:865): apparmor="DENIED" operation="truncate"
  profile="/usr/sbin/dnsmasq" name="/var/lib/misc/dnsmasq.lxcbr0.leases"
  pid=1472 comm="dnsmasq" requested_mask="w" denied_mask="w" fsuid=118
  ouid=0

  Adding rw for that path obviously makes it go away, and seems like a
  reasonable change.

  Thanks,

  James

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: apparmor-profiles 2.8.95~2430-0ubuntu5.1
  ProcVersionSignature: Ubuntu 3.13.0-43.72-generic 3.13.11.11
  Uname: Linux 3.13.0-43-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.6
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Dec 17 11:27:18 2014
  PackageArchitecture: all
  ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.13.0-43-generic root=/dev/mapper/hostname--vg-root ro quiet splash vt.handoff=7
  SourcePackage: apparmor
  Syslog:

  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.apparmor.d.usr.sbin.avahi.daemon: [modified]
  mtime.conffile..etc.apparmor.d.usr.sbin.avahi.daemon: 2014-12-16T20:38:31.370339
  mtime.conffile..etc.apparmor.d.usr.sbin.dnsmasq: 2014-12-17T11:21:47.159017

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1403468/+subscriptions
References

[Bug 1403468] [NEW] dnsmasq profile incomplete for lxc usage
From: James Westby, 2014-12-17