[Bug 1827253] Re: [apparmor] missing 'mr' on binary for usage on containers
Launchpad Bug Tracker
1827253 at bugs.launchpad.net
Wed Feb 12 20:55:59 UTC 2020
This bug was fixed in the package rsyslog - 8.2001.0-1ubuntu1
---------------
rsyslog (8.2001.0-1ubuntu1) focal; urgency=medium
[ Christian Ehrhardt ]
* Merge with Debian unstable (LP: #1862762). Remaining changes:
- debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the
syslog group can write into /var/log/.
- debian/50-default.conf: set of default rules for syslog
+ debian/50-default.conf: separated default rules
+ d/rsyslog.install: install default rules
+ d/rsyslog.postrm: clear default rules on purge
+ d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
+ d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
+ debian/control: Add Depends for ucf
- debian/rsyslog.conf:
+ enable $RepeatedMsgReduction to avoid bloating the syslog file.
+ enable $KLogPermitNonKernelFacility for non-kernel klog messages
+ Run as rsyslog:rsyslog, set $FileOwner to syslog
+ Remove rules moved to 50-default.conf
- Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd
+ d/rsyslog.install: install apparmor rule
+ d/rules: use dh_apparmor to install profile before rsyslog is started
+ d/control: suggests apparmor (>= 2.3)
+ d/control: Build-Depends on dh-apparmor
+ debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
/etc/apparmor.d/disable and /etc/apparmor.d/local
+ d/usr.sbin.rsyslogd apparmor profile for rsyslogd
+ debian/rsyslog.preinst: disable profile on clean installs.
- d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
- Drop mmnormalize module, which depends on liblognorm from universe.
+ d/rules: drop --enable-mmnormalize
+ d/control: drop build dependency on liblognorm-dev
- run as user syslog
+ d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
+ d/rsyslog.postinst: Create syslog user and add it to adm group
+ d/rsyslog.postinst: Adapt privileges for /var/log
+ debian/control: Add Depends for adduser
- debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated
log for boot-time kernel messages.
- debian/clean: Delete some files left over by the test suite
* Dropped Changes:
- d/control: drop rsyslog-mongodb package from suggests
[ This part was forgotten to be dropped in 8.32.0-1ubuntu1 ]
- d/rules: Build with --disable-silent-rules to get useful build logs.
[ was a no-op as verbose is the default ]
- d/rsyslog.postinst: Clean up temporary syslog.service symlink
[ Formerly missing in Changelog, now gone in Debian as well ]
[ Simon Deziel ]
* d/usr.sbin.rsyslogd: apparmor: fix typo in rule for (LP: #1827253).
rsyslog (8.2001.0-1) unstable; urgency=medium
* New upstream version 8.2001.0
* Set PYTHON=/usr/bin/python3 in debian/rules
* Cherry-pick upstream patches which fix a couple of imfile issues
* Add missing test files
rsyslog (8.1911.0-1) unstable; urgency=medium
* New upstream version 8.1911.0
* Follow DEP-14 naming
* Rebase patches
* Bump Standards-Version to 4.4.1
rsyslog (8.1910.0-2) unstable; urgency=medium
* Fix file handle leak in omfile (Closes: #935300)
rsyslog (8.1910.0-1) unstable; urgency=medium
* New upstream version 8.1910.0
- Support cross-platform build for mysql/mariadb
(Closes: #932068)
- Fix heap overflow in pmaixforwardedfrom module
(CVE-2019-17041, Closes: #942067)
- Fix heap overflow in pmcisconames module
(CVE-2019-17042, Closes: #942065)
* Use Python3 for running the test suite (Closes: #938417)
* Enable imfile tests
rsyslog (8.1908.0-1) unstable; urgency=medium
* New upstream version 8.1908.0
rsyslog (8.1907.0-2) unstable; urgency=medium
* Enable OpenSSL network stream driver.
Split the driver into a separate package named rsyslog-openssl and
update the Suggests accordingly to make it the preferred TLS driver.
(Closes: #930816)
rsyslog (8.1907.0-1) unstable; urgency=medium
* New upstream version 8.1907.0
* Rebase patches
rsyslog (8.1905.0-4) unstable; urgency=medium
* Stop installing /etc/default/rsyslog and remove it on upgrades
* Upload to unstable
rsyslog (8.1905.0-3) experimental; urgency=medium
* Fix leading double space in rsyslog startup messages (Closes: #907755)
* Update URL in logcheck rule to use https instead of http (Closes: #927771)
rsyslog (8.1905.0-2) experimental; urgency=medium
* Bump Build-Depends on librelp to (>= 1.4.0) for
relpEngineSetTLSLibByName()
* Add Build-Depends on logrotate and net-tools.
Those are required by the test suite: logrotate is used in the
imfile-logrotate* tests and ifconfig in sndrcv_tls_anon_ipv6.
rsyslog (8.1905.0-1) experimental; urgency=medium
* New upstream version 8.1905.0
rsyslog (8.1904.0-1) experimental; urgency=medium
* New upstream version 8.1904.0
* Rebase patches
rsyslog (8.1903.0-4) experimental; urgency=medium
* Drop dependency on lsb-base.
It is only needed when booting with sysvinit and initscripts, but
initscripts already Depends on lsb-base (see #864999).
rsyslog (8.1903.0-3) experimental; urgency=medium
* Revert "Enlarged msg offset types for bigger structured messages"
Seems to break the test-suite on various architectures.
rsyslog (8.1903.0-2) experimental; urgency=medium
* Properly respect the nocheck build option
rsyslog (8.1903.0-1) experimental; urgency=medium
* New upstream version 8.1903.0
* Rebase patches
- Drop Run-queue-encryption-tests-only-if-gcrypt-support-is-enab.patch,
merged upstream.
- Update Don-t-fail-test-suite-on-flaky-tests.patch to no longer treat
daqueue-dirty-shutdown as flaky. This test should work reliably now.
(Closes: #913984)
* Always dump test-suite.log to stdout.
In case of a flaky test which is skipped on failure we want to see the
test output.
* Remove migration code from pre-jessie
-- Christian Ehrhardt <christian.ehrhardt at canonical.com> Tue, 11 Feb 2020 16:25:29 +0100
** Changed in: rsyslog (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-17041
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-17042
https://bugs.launchpad.net/bugs/1827253
Title:
[apparmor] missing 'mr' on binary for usage on containers
Status in rsyslog package in Ubuntu:
Fix Released
Status in rsyslog source package in Bionic:
Triaged
Status in rsyslog source package in Disco:
Triaged
Status in rsyslog source package in Eoan:
Triaged
Bug description:
[Impact]
* rsyslog ships with a (disabled by default) apparmor profile.
* Security-sensitive users are in general encouraged to enable such
profiles, but unfortunately, due to slightly new behavior of the program,
the profile prevents its usage.
* Allow the program to map/read its binary to get this working again
[Test Case]
1) Create an 'eoan' container called rs1 here:
lxc launch ubuntu-daily:e rs1
2) Enter the container
lxc shell rs1
3) Enable apparmor profile
rm /etc/apparmor.d/disable/usr.sbin.rsyslogd
apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.rsyslogd
systemctl restart rsyslog
4) notice rsyslog failed to start
systemctl status rsyslog
[Regression Potential]
* This is just opening up the apparmor profile a bit. Therefore the only
regression it could cause IMHO is a security issue. But then what it
actually allows is reading (not writing!) its own binary which should
be very safe.
* Thinking further, it came to my mind that package updates (independent
of the change) might restart services, and that means if there is any
issue e.g. in a local config that worked but now fails (not by this
change but in general) then the upgrade will not cause, but trigger
this. This is a general regression risk for any upload, but in this
case worth mentioning as it is about log handling - which, if broken,
makes large scale systems hard to debug.
[Other Info]
* n/a
---
Issue description:
Enabling the rsyslog (disabled by default) Apparmor profile causes
rsyslog to fail to start when running *inside a container*.
Steps to reproduce:
1) Create an 'eoan' container called rs1 here:
lxc launch ubuntu-daily:e rs1
2) Enter the container
lxc shell rs1
3) Enable apparmor profile
rm /etc/apparmor.d/disable/usr.sbin.rsyslogd
apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.rsyslogd
systemctl restart rsyslog
4) notice rsyslog failed to start
systemctl status rsyslog
Workaround:
echo ' /usr/sbin/rsyslogd mr,' >> /etc/apparmor.d/local/usr.sbin.rsyslogd
apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.rsyslogd
systemctl restart rsyslog
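As an added example (not part of the bug report or of the rsyslog package): a small profile lint, written for this page, that parses a constructed AppArmor profile in the shape described above and reports whether the attached binary is granted both 'm' and 'r', taking the local override file from the workaround into account. The profile text, the override contents and all function names are assumptions.

```python
import re

# Constructed sample modelled on the situation in the report (not the real
# Ubuntu profile): the attached binary itself has no rule granting 'mr'.
PROFILE_WITHOUT_MR = """\
#include <tunables/global>
/usr/sbin/rsyslogd {
  #include <abstractions/base>
  /etc/rsyslog.conf r,
  /etc/rsyslog.d/ r,
  /var/log/** rw,
  #include <local/usr.sbin.rsyslogd>
}
"""

# Contents of the local override file as written by the workaround above.
LOCAL_OVERRIDE = "/usr/sbin/rsyslogd mr,\n"

# A plain file rule: optional 'owner', absolute path, permission letters, comma.
FILE_RULE = re.compile(r'^\s*(?:owner\s+)?(/\S+)\s+([a-zA-Z]+)\s*,\s*$')
# Profile header: '/path {', 'profile /path {' or 'profile name /path flags=(...) {'.
HEADER = re.compile(r'^\s*(?:profile\s+)?(?:\S+\s+)?(/\S+)\s*(?:flags=\([^)]*\))?\s*\{')

def attached_binary(profile_text):
    """Return the path the profile attaches to, e.g. /usr/sbin/rsyslogd."""
    for line in profile_text.splitlines():
        m = HEADER.match(line)
        if m:
            return m.group(1)
    return None

def binary_permissions(profile_text, local_override=""):
    """Collect the permission letters granted on the attached binary itself,
    including rules from the local override (the #include <local/...> file)."""
    binary = attached_binary(profile_text)
    perms = set()
    for line in (profile_text + local_override).splitlines():
        m = FILE_RULE.match(line)
        if m and m.group(1) == binary:
            perms.update(m.group(2))
    return perms

def missing_self_map_read(profile_text, local_override=""):
    """Return the letters of 'mr' the profile does not grant on its own binary.
    An empty set means the daemon may read and mmap its executable."""
    return {"m", "r"} - binary_permissions(profile_text, local_override)
```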
Additional information:
root@rs1:~# uname -a
Linux rs1 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@rs1:~# lsb_release -rd
Description: Ubuntu Eoan EANIMAL (development branch)
Release: 19.10
root@rs1:~# dpkg -l | grep -wE 'apparmor|rsyslog'
ii apparmor 2.13.2-9ubuntu6 amd64 user-space parser utility for AppArmor
ii rsyslog 8.32.0-1ubuntu7 amd64 reliable system and kernel logging daemon
ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: rsyslog 8.32.0-1ubuntu7
ProcVersionSignature: Ubuntu 4.15.0-48.51-generic 4.15.18
Uname: Linux 4.15.0-48-generic x86_64
ApportVersion: 2.20.10-0ubuntu27
Architecture: amd64
Date: Wed May 1 17:36:29 2019
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: rsyslog
UpgradeStatus: No upgrade log present (probably fresh install)