[Bug 573315] [NEW] dnsmasq not enforced by apparmor on boot
Michael Lustfield
michael at profarius.com
Sat May 1 23:01:41 BST 2010
*** This bug is a security vulnerability ***
Public security bug reported:
Binary package hint: dnsmasq
When I start up my virt system, the dnsmasq process is not enforced. I set
this profile to enforce, so it should be enforced. As I understood it,
apparmor should start before this process starts.
michael at pessum:~$ sudo aa-status
[sudo] password for michael:
apparmor module is loaded.
30 profiles are loaded.
30 profiles are in enforce mode.
/bin/ping
/sbin/dhclient3
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/libvirt/virt-aa-helper
/usr/sbin/avahi-daemon
/usr/sbin/dnsmasq
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/libvirtd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/smbd
/usr/sbin/tcpdump
/usr/sbin/traceroute
libvirt-5452d978-4734-915d-9de5-50b47505f09b
libvirt-7589ba32-d907-452f-d41b-7e2acf2a9de4
libvirt-cbd67573-7a5f-3715-5487-904767e29fd7
libvirt-d0243b43-ada9-9a84-6ad3-762c29af15b9
0 profiles are in complain mode.
6 processes have profiles defined.
5 processes are in enforce mode :
/usr/sbin/libvirtd (1446)
libvirt-5452d978-4734-915d-9de5-50b47505f09b (1717)
libvirt-7589ba32-d907-452f-d41b-7e2acf2a9de4 (1616)
libvirt-cbd67573-7a5f-3715-5487-904767e29fd7 (1653)
libvirt-d0243b43-ada9-9a84-6ad3-762c29af15b9 (1641)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
/usr/sbin/dnsmasq (1543)
root at pessum:~# kill 1543
root at pessum:~# dnsmasq
root at pessum:~# aa-status
apparmor module is loaded.
30 profiles are loaded.
30 profiles are in enforce mode.
/bin/ping
/sbin/dhclient3
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/libvirt/virt-aa-helper
/usr/sbin/avahi-daemon
/usr/sbin/dnsmasq
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/libvirtd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/smbd
/usr/sbin/tcpdump
/usr/sbin/traceroute
libvirt-5452d978-4734-915d-9de5-50b47505f09b
libvirt-7589ba32-d907-452f-d41b-7e2acf2a9de4
libvirt-cbd67573-7a5f-3715-5487-904767e29fd7
libvirt-d0243b43-ada9-9a84-6ad3-762c29af15b9
0 profiles are in complain mode.
6 processes have profiles defined.
6 processes are in enforce mode :
/usr/sbin/dnsmasq (1809)
/usr/sbin/libvirtd (1446)
libvirt-5452d978-4734-915d-9de5-50b47505f09b (1717)
libvirt-7589ba32-d907-452f-d41b-7e2acf2a9de4 (1616)
libvirt-cbd67573-7a5f-3715-5487-904767e29fd7 (1653)
libvirt-d0243b43-ada9-9a84-6ad3-762c29af15b9 (1641)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: dnsmasq (not installed)
ProcVersionSignature: Ubuntu 2.6.32-21.32-server 2.6.32.11+drm33.2
Uname: Linux 2.6.32-21-server x86_64
NonfreeKernelModules: ksplice_e4o4fyfg_vmlinux_new ksplice_e4o4fyfg
Architecture: amd64
Date: Sat May 1 16:56:35 2010
InstallationMedia: Ubuntu-Server 10.04 "Lucid Lynx" - Alpha amd64 (20100404)
ProcEnviron:
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: dnsmasq
** Affects: dnsmasq (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug lucid
** Visibility changed to: Public
--
dnsmasq not enforced by apparmor on boot
https://bugs.launchpad.net/bugs/573315
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dnsmasq in ubuntu.
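
A check for the condition shown in this report, added here as an example and not part of the original bug report: it parses `aa-status` text and fails when a process is listed as unconfined despite having a profile defined. The function names (`list_unconfined`, `check_confinement`, `sample_before`, `sample_after`) are hypothetical, and the parser assumes the `aa-status` output layout shown in the report.

```shell
# Added example, not from the bug report; assumes the aa-status layout shown above.
# Print "PID PATH" for each process under the "unconfined but have a profile
# defined" heading. Reads aa-status text on stdin.
list_unconfined() {
    awk '
        # Each count line ("N profiles ..." / "N processes ...") opens a section.
        /^[ \t]*[0-9]+ (profiles|processes) / {
            in_section = ($0 ~ /unconfined but have a profile defined/)
            next
        }
        # Entries look like: /usr/sbin/dnsmasq (1543)
        in_section && NF >= 2 {
            pid = $NF
            gsub(/[()]/, "", pid)
            if (pid ~ /^[0-9]+$/) print pid, $1
        }
    '
}

# Report each finding; return 1 if any profiled process runs unconfined.
check_confinement() {
    found=$(list_unconfined)
    if [ -z "$found" ]; then return 0; fi
    printf '%s\n' "$found" | while read -r pid path; do
        echo "UNCONFINED: $path (pid $pid) has a profile but is not confined"
    done
    return 1
}

# Sample input: process sections trimmed from the two aa-status runs above.
sample_before() {
    cat <<'EOF'
5 processes are in enforce mode :
/usr/sbin/libvirtd (1446)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
/usr/sbin/dnsmasq (1543)
EOF
}
sample_after() {
    cat <<'EOF'
6 processes are in enforce mode :
/usr/sbin/dnsmasq (1809)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
}

sample_before | check_confinement || echo "before restart: check failed"
sample_after | check_confinement && echo "after restart: all confined"
```

On a live host, run it as root with `aa-status | check_confinement`, for example from a post-boot monitoring job.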