[apparmor] [PATCH] mdns: Allow reading /etc/mdns.allow
Christian Boltz
apparmor at cboltz.de
Tue Apr 7 21:58:19 UTC 2020
Hello,
On Tuesday, 7 April 2020, 18:22:10 CEST, Goldwyn Rodrigues wrote:
> This is for custom configuration for mdns as defined at:
> https://github.com/lathiat/nss-mdns/blob/master/README.md#etcmdnsallow
>
> Signed-off-by: Goldwyn Rodrigues <rgoldwyn at suse.com>
>
> diff --git a/profiles/apparmor.d/abstractions/mdns
> b/profiles/apparmor.d/abstractions/mdns index 2aa6fff2..9102d27e
> 100644
> --- a/profiles/apparmor.d/abstractions/mdns
> +++ b/profiles/apparmor.d/abstractions/mdns
> @@ -11,6 +11,7 @@
> # mdnsd
> /etc/nss_mdns.conf r,
> /{,var/}run/mdnsd w,
> + /etc/mdns.allow r,
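Review bot: this hunk duplicates a rule that is already in master (commit eeac8c11, quoted further down in this thread, adds `/etc/mdns.allow r,` to the same abstraction), and it is diffed against an older revision of the file: its context line is `/{,var/}run/mdnsd w,` (index 2aa6fff2) while master's reads `@{run}/mdnsd w,` (index 6cd842cf), so the patch would not apply cleanly anyway. The committed version also places the new rule before `/etc/nss_mdns.conf r,` so the block stays sorted, rather than appending it after the run-directory rule as this hunk does.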
You are late - this was already added a week ago ;-)
commit eeac8c11c935edf9eea2bed825af6c57e9fb52e3 (HEAD -> master, origin/master, origin/HEAD)
Author: Rich McAllister <Nopublic at address.provided>
Date: Tue Mar 31 21:01:21 2020 -0700
abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns
In focal, users of mdns get denials in apparmor-confined applications.
An example can be found in the original bug below.
It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow
Therefore I'm asking to add
/etc/mdns.allow r,
to the file
/etc/apparmor.d/abstractions/mdns
by default.
--- original bug ---
Many repetitions of
audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains
hosts: files mdns [NOTFOUND=return] myhostname dns
and /etc/mdns.allow contains the domains to resolve with mDNS (in my case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)
Presumably chronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629
Signed-off-by: John Johansen <john.johansen at canonical.com>
diff --git a/profiles/apparmor.d/abstractions/mdns b/profiles/apparmor.d/abstractions/mdns
index 6cd842cf..89b199be 100644
--- a/profiles/apparmor.d/abstractions/mdns
+++ b/profiles/apparmor.d/abstractions/mdns
@@ -9,6 +9,7 @@
# ------------------------------------------------------------------
# mdnsd
+ /etc/mdns.allow r,
/etc/nss_mdns.conf r,
@{run}/mdnsd w,
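Review bot: the added rule grants exactly `r`, matching the `requested_mask="r"` / `denied_mask="r"` in the audit line quoted in the bug, so no write or execute access is opened up, and inserting it before `/etc/nss_mdns.conf r,` keeps the `# mdnsd` block sorted. One point the commit message could state explicitly is the scope: every profile that includes this abstraction (not just chronyd) now gets read access to /etc/mdns.allow, which is the intended effect for any confined program that resolves names through nss-mdns.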
Regards,
Christian Boltz
--
My name is Ratti. I came here tonight because I have a
problem I would like to talk about.
I have been working with Linux for a long time and have never
compiled a kernel. I am very ashamed of this. [Ratti in suse-linux]
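As an added example (not part of this thread and not the AppArmor project's own tooling), the script below does in code what the exchange above does by hand: it parses the `apparmor="DENIED"` audit line quoted in the bug, derives the narrowest file rule that would satisfy that denial, and checks whether the rule is already present in an abstraction, which is the check that answered this patch. The helper names are mine; the audit line is the one from the bug report, and the abstraction snippet is the `# mdnsd` block as it reads after commit eeac8c11, constructed from the hunk rather than read from disk. Folding a logged `c` (create) into `w` mirrors how rule permissions subsume create and is the only simplification made.

```python
import re

# The audit line quoted in the Launchpad bug earlier in the thread.
SAMPLE_LOG = (
    'audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" '
    'pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" '
    'fsuid=123 ouid=0'
)

# The "# mdnsd" block of abstractions/mdns after commit eeac8c11
# (constructed from the hunk in the thread, not read from the filesystem).
ABSTRACTION_MDNS = """\
  # mdnsd
  /etc/mdns.allow r,
  /etc/nss_mdns.conf r,
  @{run}/mdnsd w,
"""

# key=value pairs: the value is either double-quoted or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict.
    Quoted values are returned without their quotes."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _KV_RE.finditer(line)
    }


def suggested_rule(fields):
    """Derive the narrowest file rule that would satisfy a DENIED record,
    or None when the record is not a path-based file denial."""
    if fields.get("apparmor") != "DENIED":
        return None
    path = fields.get("name")
    mask = fields.get("denied_mask") or fields.get("requested_mask")
    if not path or not mask or not path.startswith("/"):
        return None
    # The log reports "c" (create) as its own letter; in a rule it is
    # covered by "w", so fold it in and emit each permission letter once.
    perms = "".join(sorted(set(mask.replace("c", "w"))))
    return f"{path} {perms},"


def rule_present(rule, profile_text):
    """True if an equivalent rule line (ignoring indentation) already exists."""
    wanted = " ".join(rule.split())
    return any(" ".join(l.split()) == wanted for l in profile_text.splitlines())


def missing_rules(log_lines, profile_text):
    """Map each profile name to the set of suggested rules that profile_text
    does not already contain, deduplicated across repeated denials."""
    result = {}
    for line in log_lines:
        fields = parse_audit_line(line)
        rule = suggested_rule(fields)
        if rule and not rule_present(rule, profile_text):
            result.setdefault(fields.get("profile", "?"), set()).add(rule)
    return result


if __name__ == "__main__":
    # Against an empty abstraction the chronyd denial yields one candidate rule.
    for profile, rules in missing_rules([SAMPLE_LOG], "").items():
        print(profile)
        for r in sorted(rules):
            print("  " + r)
    # Against the post-commit abstraction nothing is missing: {}
    print(missing_rules([SAMPLE_LOG], ABSTRACTION_MDNS))
```

Feed `missing_rules()` the DENIED lines from the system's audit or kernel log together with the text of the abstraction or profile under review; an empty result for a given log line is the same answer Christian gave here, namely that the rule already exists and the patch is redundant.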