[Bug 688186] Re: apparmor profile denying access to /proc/*/net/dev

Tom 688186 at bugs.launchpad.net
Mon Mar 19 13:00:54 UTC 2012


This bug still exists on my 64-bit Kubuntu Natty installation.
/etc/apparmor.d/usr.sbin.dhcpd does not exist, and isc-dhcp-client is
version 4.1.1-P1-15ubuntu9.1

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 11.04
Release:        11.04
Codename:       natty

$ dmesg | grep apparmor
[   17.963014] type=1400 audit(1332158159.903:2): apparmor="STATUS" operation="profile_load" name="/sbin/dhclient" pid=571 comm="apparmor_parser"
[   17.963980] type=1400 audit(1332158159.903:3): apparmor="STATUS" operation="profile_load" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=571 comm="apparmor_parser"
[   17.964606] type=1400 audit(1332158159.903:4): apparmor="STATUS" operation="profile_load" name="/usr/lib/connman/scripts/dhclient-script" pid=571 comm="apparmor_parser"
[   18.206374] type=1400 audit(1332158160.143:5): apparmor="STATUS" operation="profile_load" name="/usr/share/gdm/guest-session/Xsession" pid=992 comm="apparmor_parser"
[   18.206701] type=1400 audit(1332158160.143:6): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient" pid=994 comm="apparmor_parser"
[   18.207198] type=1400 audit(1332158160.153:7): apparmor="STATUS" operation="profile_load" name="/usr/sbin/mysqld-akonadi" pid=998 comm="apparmor_parser"
[   18.207642] type=1400 audit(1332158160.153:8): apparmor="STATUS" operation="profile_load" name="/usr/lib/cups/backend/cups-pdf" pid=997 comm="apparmor_parser"
[   18.207703] type=1400 audit(1332158160.153:9): apparmor="STATUS" operation="profile_replace" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=994 comm="apparmor_parser"
[   18.207815] type=1400 audit(1332158160.153:10): apparmor="STATUS" operation="profile_load" name="/usr/sbin/mysqld-akonadi///usr/sbin/mysqld" pid=998 comm="apparmor_parser"
[   18.208194] type=1400 audit(1332158160.153:11): apparmor="STATUS" operation="profile_replace" name="/usr/lib/connman/scripts/dhclient-script" pid=994 comm="apparmor_parser"
[  523.005483] type=1400 audit(1332158666.880:36): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/modules" pid=3419 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  523.009195] type=1400 audit(1332158666.880:37): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[  523.027179] type=1400 audit(1332158666.900:38): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[  523.027206] type=1400 audit(1332158666.900:39): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[  523.027224] type=1400 audit(1332158666.900:40): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[  523.027240] type=1400 audit(1332158666.900:41): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[  523.027283] type=1400 audit(1332158666.900:42): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[  523.027299] type=1400 audit(1332158666.900:43): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[  523.027314] type=1400 audit(1332158666.900:44): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[  523.027329] type=1400 audit(1332158666.900:45): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[  534.968723] type=1400 audit(1332158678.860:106): apparmor="DENIED" operation="open" parent=2052 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/etc/apt/sources.list" pid=3417 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  587.155337] type=1400 audit(1332158731.140:107): apparmor="DENIED" operation="open" parent=2052 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/3417/net/dev" pid=3438 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  647.052223] type=1400 audit(1332158791.140:108): apparmor="DENIED" operation="open" parent=2052 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/3417/net/dev" pid=3438 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  706.949105] type=1400 audit(1332158851.140:109): apparmor="DENIED" operation="open" parent=2052 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/3417/net/dev" pid=3438 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  766.845977] type=1400 audit(1332158911.140:110): apparmor="DENIED" operation="open" parent=2052 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/3417/net/dev" pid=3438 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/688186

Title:
  apparmor profile denying access to /proc/*/net/dev

Status in “isc-dhcp” package in Ubuntu:
  Fix Released

Bug description:
  [   11.905752] type=1400 audit(1291909447.147:7): apparmor="DENIED"
  operation="open" parent=1022 profile="/usr/sbin/dhcpd"
  name="/proc/1053/net/dev" pid=1053 comm="dhcpd" requested_mask="r"
  denied_mask="r" fsuid=104 ouid=0

  
  As suggested by jdstrand, adding "@{PROC}/[0-9]*/net/dev r," to  /etc/apparmor.d/usr.sbin.dhcpd resolves this.
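
Added example (not part of the original bug report or of AppArmor's own tooling): a small parser that groups apparmor="DENIED" records by confining profile and prints a candidate rule for each, generalising the PID in /proc paths the same way as the rule quoted above. The sample records are copied from the logs on this page, with the wrapped dhcpd record joined onto one line; the function names are hypothetical.

```python
import re
from collections import Counter

# Sample records copied from the logs on this page (dhcpd record re-joined).
SAMPLE = '''\
[   17.963014] type=1400 audit(1332158159.903:2): apparmor="STATUS" operation="profile_load" name="/sbin/dhclient" pid=571 comm="apparmor_parser"
[   11.905752] type=1400 audit(1291909447.147:7): apparmor="DENIED" operation="open" parent=1022 profile="/usr/sbin/dhcpd" name="/proc/1053/net/dev" pid=1053 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=104 ouid=0
[  523.009195] type=1400 audit(1332158666.880:37): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[  587.155337] type=1400 audit(1332158731.140:107): apparmor="DENIED" operation="open" parent=2052 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/3417/net/dev" pid=3438 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  647.052223] type=1400 audit(1332158791.140:108): apparmor="DENIED" operation="open" parent=2052 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/3417/net/dev" pid=3438 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Leading /proc/<pid>/ component of a path.
PROC_PID = re.compile(r'^/proc/\d+/')


def parse(line):
    """Return the key=value fields of one audit record as a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV.finditer(line)}


def candidate_rule(path, mask):
    """Build a profile rule line, replacing /proc/<pid>/ with @{PROC}/[0-9]*/."""
    return PROC_PID.sub('@{PROC}/[0-9]*/', path) + ' ' + mask + ','


def summarise(log):
    """Count DENIED records per (profile, candidate rule)."""
    counts = Counter()
    for line in log.splitlines():
        fields = parse(line)
        # STATUS records (profile loads) carry no denial and are skipped.
        if fields.get('apparmor') != 'DENIED' or 'name' not in fields:
            continue
        rule = candidate_rule(fields['name'], fields['denied_mask'])
        counts[(fields['profile'], rule)] += 1
    return counts


if __name__ == '__main__':
    # Candidate rules are input for review, not something to apply unread.
    for (profile, rule), n in sorted(summarise(SAMPLE).items()):
        print(f'{n:3d}  {profile}  ->  {rule}')
```

The profile= field in each group shows which file under /etc/apparmor.d a rule would belong in.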
