[Bug 1918410] Re: isc-dhcp-client denied by apparmor

Lukas Märdian 1918410 at bugs.launchpad.net
Tue Jun 21 10:15:59 UTC 2022


** Description changed:

+ [Impact]
+ 
+  * dmesg is flooded with apparmor="DENIED" messages for dhclient
+  * can lead to situations where dhclient is blocked from assigning an IP address
+  * also impacts NetworkManager, when dhclient is being used as the DHCP client
+ 
+ Examples:
+ [    7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
+ [    7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
+ 
+ [Test Plan]
+ $ apt install network-manager
+ $ netplan set "network.renderer=NetworkManager"
+ $ mkdir /etc/NetworkManager/conf.d
+ $ cat /etc/NetworkManager/conf.d/dhcp-client.conf
+ [main]
+ dhcp=dhclient
+ 
+ $ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
+ $ netplan apply
+ $ dmesg | grep dhclient
+ 
+ => make sure there are no (new) apparmor="DENIED" messages in there
+ 
+ $ ip addr
+ [...]
+ 2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
+     link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
+     inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
+        valid_lft 3576sec preferred_lft 3576sec
+ [...]
+ 
+ => make sure a DHCP IP address got assigned
+ 
+ [Where problems could occur]
+ 
+  * We're touching the apparmor profile for dhclient
+  * If anything goes wrong, we could potentially reduce the security confinement of dhclient
+  * Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
+ 
+ [Other Info]
+ 
+  * Also affects Salesforce case "[SFDC-LAN] Case 00332266"
+  * Fixed in the upstream apparmor profile for sbin.dhclient:
+    https://gitlab.com/apparmor/apparmor/-/merge_requests/730
+  * The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adapted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
+ 
+ === original description ===
+ 
  Hi, I get weird errors in the audit log, seeing dhclient is being denied
  reading its comm or the comm of one of its tasks:
  
- 
- [1383307.827378] audit: type=1400 audit(1615367094.054:162): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
+ [1383307.827378] audit: type=1400 audit(1615367094.054:162):
+ apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient"
+ name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient"
+ requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
  
  This might or might not be linked with the fact that I can't get an IPv4
  on this interface. Note that it happened to others; see this comment:
  
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
  
  Or even an article recommending disabling apparmor for dhclient(!):
  https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
  
- 
- As I said, I'm not sure this is the root cause of the lack of IPv4 renewal, because running it manually *does* succeed in getting an IP. And running it in strace shows the EACCES failure:
+ As I said, I'm not sure this is the root cause of the lack of IPv4
+ renewal, because running it manually *does* succeed in getting an IP.
+ And running it in strace shows the EACCES failure:
  
  [pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
  ) = -1 EACCES (Permission non accordée)

** Description changed:

  [Impact]
  
-  * dmesg is flooded with apparmor="DENIED" messages for dhclient
-  * can lead to situations where dhclient is blocked from assigning an IP address
-  * also impacts NetworkManager, when dhclient is being used as the DHCP client
+  * dmesg is flooded with apparmor="DENIED" messages for dhclient
+  * can lead to situations where dhclient is blocked from assigning an IP address
+  * also impacts NetworkManager, when dhclient is being used as the DHCP client
  
  Examples:
  [    7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
  [    7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
  
  [Test Plan]
  $ apt install network-manager
  $ netplan set "network.renderer=NetworkManager"
+ $ netplan get
+ network:
+   version: 2
+   renderer: NetworkManager
+   ethernets:
+     enp5s0:
+       dhcp4: true
  $ mkdir /etc/NetworkManager/conf.d
  $ cat /etc/NetworkManager/conf.d/dhcp-client.conf
  [main]
  dhcp=dhclient
  
  $ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
  $ netplan apply
  $ dmesg | grep dhclient
  
  => make sure there are no (new) apparmor="DENIED" messages in there
  
  $ ip addr
  [...]
  2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
-     link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
-     inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
-        valid_lft 3576sec preferred_lft 3576sec
+     link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
+     inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
+        valid_lft 3576sec preferred_lft 3576sec
  [...]
  
  => make sure a DHCP IP address got assigned
  
  [Where problems could occur]
  
-  * We're touching the apparmor profile for dhclient
-  * If anything goes wrong, we could potentially reduce the security confinement of dhclient
-  * Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
+  * We're touching the apparmor profile for dhclient
+  * If anything goes wrong, we could potentially reduce the security confinement of dhclient
+  * Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
  
  [Other Info]
  
-  * Also affects Salesforce case "[SFDC-LAN] Case 00332266"
-  * Fixed in the upstream apparmor profile for sbin.dhclient:
-    https://gitlab.com/apparmor/apparmor/-/merge_requests/730
-  * The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adapted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
+  * Also affects Salesforce case "[SFDC-LAN] Case 00332266"
+  * Fixed in the upstream apparmor profile for sbin.dhclient:
+    https://gitlab.com/apparmor/apparmor/-/merge_requests/730
+  * The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adapted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
  
  === original description ===
  
  Hi, I get weird errors in the audit log, seeing dhclient is being denied
  reading its comm or the comm of one of its tasks:
  
  [1383307.827378] audit: type=1400 audit(1615367094.054:162):
  apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient"
  name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient"
  requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
  
  This might or might not be linked with the fact that I can't get an IPv4
  on this interface. Note that it happened to others; see this comment:
  
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
  
  Or even an article recommending disabling apparmor for dhclient(!):
  https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
  
  As I said, I'm not sure this is the root cause of the lack of IPv4
  renewal, because running it manually *does* succeed in getting an IP.
  And running it in strace shows the EACCES failure:
  
  [pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
  ) = -1 EACCES (Permission non accordée)

** Description changed:

  [Impact]
  
   * dmesg is flooded with apparmor="DENIED" messages for dhclient
   * can lead to situations where dhclient is blocked from assigning an IP address
   * also impacts NetworkManager, when dhclient is being used as the DHCP client
  
  Examples:
  [    7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
  [    7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
  
  [Test Plan]
  $ apt install network-manager
  $ netplan set "network.renderer=NetworkManager"
  $ netplan get
  network:
-   version: 2
-   renderer: NetworkManager
-   ethernets:
-     enp5s0:
-       dhcp4: true
+   version: 2
+   renderer: NetworkManager
+   ethernets:
+     enp5s0:
+       dhcp4: true
  $ mkdir /etc/NetworkManager/conf.d
  $ cat /etc/NetworkManager/conf.d/dhcp-client.conf
  [main]
  dhcp=dhclient
  
  $ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
  $ netplan apply
  $ dmesg | grep dhclient
  
- => make sure there are no (new) apparmor="DENIED" messages in there
+ => make sure there are no (new) apparmor="DENIED" messages in there,
+ especially not after a reboot
  
  $ ip addr
  [...]
  2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
      link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
      inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
         valid_lft 3576sec preferred_lft 3576sec
  [...]
  
  => make sure a DHCP IP address got assigned
  
  [Where problems could occur]
  
   * We're touching the apparmor profile for dhclient
   * If anything goes wrong, we could potentially reduce the security confinement of dhclient
   * Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable
  
  [Other Info]
  
   * Also affects Salesforce case "[SFDC-LAN] Case 00332266"
   * Fixed in the upstream apparmor profile for sbin.dhclient:
     https://gitlab.com/apparmor/apparmor/-/merge_requests/730
   * The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adapted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.
  
  === original description ===
  
  Hi, I get weird errors in the audit log, seeing dhclient is being denied
  reading its comm or the comm of one of its tasks:
  
  [1383307.827378] audit: type=1400 audit(1615367094.054:162):
  apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient"
  name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient"
  requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
  
  This might or might not be linked with the fact that I can't get an IPv4
  on this interface. Note that it happened to others; see this comment:
  
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8
  
  Or even an article recommending disabling apparmor for dhclient(!):
  https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/
  
  As I said, I'm not sure this is the root cause of the lack of IPv4
  renewal, because running it manually *does* succeed in getting an IP.
  And running it in strace shows the EACCES failure:
  
  [pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
  ) = -1 EACCES (Permission non accordée)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1918410

Title:
  isc-dhcp-client denied by apparmor

Status in isc-dhcp package in Ubuntu:
  Triaged
Status in isc-dhcp source package in Focal:
  New
Status in isc-dhcp source package in Impish:
  New
Status in isc-dhcp source package in Jammy:
  New
Status in isc-dhcp source package in Kinetic:
  Triaged

Bug description:
  [Impact]

   * dmesg is flooded with apparmor="DENIED" messages for dhclient
   * can lead to situations where dhclient is blocked from assigning an IP address
   * also impacts NetworkManager, when dhclient is being used as the DHCP client

  Examples:
  [    7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
  [    7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

  [Test Plan]
  $ apt install network-manager
  $ netplan set "network.renderer=NetworkManager"
  $ netplan get
  network:
    version: 2
    renderer: NetworkManager
    ethernets:
      enp5s0:
        dhcp4: true
  $ mkdir /etc/NetworkManager/conf.d
  $ cat /etc/NetworkManager/conf.d/dhcp-client.conf
  [main]
  dhcp=dhclient

  $ apparmor_parser -r /etc/apparmor.d/sbin.dhclient
  $ netplan apply
  $ dmesg | grep dhclient
  $ reboot
  $ netplan apply
  $ dmesg | grep dhclient

  => make sure there are no (new) apparmor="DENIED" messages in there,
  especially not after a reboot

  $ ip addr
  [...]
  2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
      link/ether 00:16:3e:60:dd:dc brd ff:ff:ff:ff:ff:ff
      inet 10.238.94.44/24 brd 10.238.94.255 scope global dynamic noprefixroute enp5s0
         valid_lft 3576sec preferred_lft 3576sec
  [...]

  => make sure a dynamic IP address got assigned via DHCP

  [Where problems could occur]

   * We're touching the apparmor profile for dhclient
   * If anything goes wrong, we could potentially reduce the security confinement of dhclient
   * Or we could potentially block additional functionality of dhclient via apparmor, rendering it unusable

  [Other Info]

   * Also affects Salesforce case "[SFDC-LAN] Case 00332266"
   * Fixed in the upstream apparmor profile for sbin.dhclient:
     https://gitlab.com/apparmor/apparmor/-/merge_requests/730
   * The 2nd fix for "/run/NetworkManager/dhclient-enp5s0.pid" was taken from the very same profile's "connman" section and adapted for NetworkManager, as /var/run/sendsigs.omit.d/network-manager.dhclient*.pid is not used anymore.

  === original description ===

  Hi, I get weird errors in the audit log, seeing dhclient is being
  denied reading its comm or the comm of one of its tasks:

  [1383307.827378] audit: type=1400 audit(1615367094.054:162):
  apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient"
  name="/proc/1095210/task/1095213/comm" pid=1095210 comm="dhclient"
  requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  This might or might not be linked with the fact that I can't get an
  IPv4 on this interface. Note that it happened to others; see this
  comment:

  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1413232/comments/8

  Or even an article recommending disabling apparmor for dhclient(!):
  https://blog.anthony-jacob.com/perte-dip-v4-sous-ubuntu-20-04-apparmor-et-dhclient/

  As I said, I'm not sure this is the root cause of the lack of IPv4
  renewal, because running it manually *does* succeed in getting an IP.
  And running it in strace shows the EACCES failure:

  [pid 1095210] openat(AT_FDCWD, "/proc/self/task/1095211/comm", O_RDWRstrace: Process 1095211 attached
  ) = -1 EACCES (Permission non accordée)
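As an added example (not part of the bug report, the isc-dhcp package or the upstream AppArmor profile), the following Python script does the triage the test plan's `dmesg | grep dhclient` step asks for: it parses AppArmor audit lines, keeps only the DENIED events for the dhclient profile, and derives the aa-logprof-style candidate file rule that would cover each denial, turning the `mknod` create request for the pid file into a `w` rule. The sample lines are constructed from the two audit lines quoted above; `@{PROC}`, `@{pid}` and `@{tid}` are assumed to be provided by the system's AppArmor tunables, and the derived rules are suggestions to compare against the upstream profile, not the upstream fix itself.

```python
import re

# Constructed sample dmesg output, modelled on the two audit lines quoted in the bug,
# plus one unrelated ALLOWED event and one non-audit line as negative cases.
SAMPLE_DMESG = """\
[    7.339430] audit: type=1400 audit(1655804569.920:30): apparmor="DENIED" operation="open" profile="/{,usr/}sbin/dhclient" name="/proc/451/task/452/comm" pid=451 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[    7.402768] audit: type=1400 audit(1655804569.984:33): apparmor="DENIED" operation="mknod" profile="/{,usr/}sbin/dhclient" name="/run/NetworkManager/dhclient-enp5s0.pid" pid=451 comm="dhclient" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[    7.500000] audit: type=1400 audit(1655804570.100:34): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=600 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[    8.000000] NetworkManager[700]: <info>  dhcp4 (enp5s0): state changed new lease, address=10.238.94.44
"""

DHCLIENT_PROFILE = "/{,usr/}sbin/dhclient"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def denials_for_profile(text, profile=DHCLIENT_PROFILE):
    """DENIED events attributed to `profile`, in log order."""
    events = (parse_audit_line(line) for line in text.splitlines())
    return [e for e in events
            if e is not None and e.get("apparmor") == "DENIED" and e.get("profile") == profile]

def generalise_path(name):
    """Replace pid/tid and interface-specific path components by AppArmor variables and globs.
    @{PROC}, @{pid} and @{tid} are assumed to come from the system's tunables."""
    name = re.sub(r"^/proc/\d+/task/\d+/", "@{PROC}/@{pid}/task/@{tid}/", name)
    name = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", name)
    name = re.sub(r"^/run/NetworkManager/dhclient-[^/]+\.pid$",
                  "/run/NetworkManager/dhclient-*.pid", name)
    return name

def suggested_rule(event):
    """Candidate file rule covering one denial, aa-logprof style (review before adopting).
    A 'c' (create) request, as raised by the mknod of the pid file, needs 'w' in the rule."""
    mode = "".join(sorted({"w" if ch == "c" else ch for ch in event["requested_mask"]}))
    return f"{generalise_path(event['name'])} {mode},"

if __name__ == "__main__":
    denials = denials_for_profile(SAMPLE_DMESG)
    print(f"{len(denials)} DENIED event(s) for {DHCLIENT_PROFILE}")
    for e in denials:
        print(f"  {e['operation']:6} {e['name']}  ->  {suggested_rule(e)}")
```

Feeding real `dmesg` output to `denials_for_profile` instead of the sample gives an empty list exactly when the test plan's "no (new) DENIED messages" condition holds.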
