ntpdate lock apparmor deny

Bug #1749389 reported by Christian Ehrhardt 
This bug affects 1 person
Affects         Status        Importance  Assigned to  Milestone
ntp (Ubuntu)    Fix Released  Medium      Unassigned
  Xenial        Fix Released  Medium      Unassigned
  Artful        Fix Released  Medium      Unassigned

Bug Description

[Impact]

 * AppArmor denies ntpd access to the lock file it shares with ntpdate
   (/run/lock/ntpdate), which is used to avoid problems from the two
   running concurrently

[Test Case]

 1. get a container of target release
 2. install ntp
    apt install ntp
 3. watch dmesg on container-host
    dmesg -w
 4. restart ntp in container
    systemctl restart ntp
 => before the fix the following AppArmor denial appears (after the fix it
    no longer does):
    apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
    Note: do not be misled: on xenial there is a separate remaining AppArmor
    denial involving stdout, which is bug 1670408

[Regression Potential]

 * we are only slightly opening up the apparmor profile, and none of the
   changes poses a security risk, so the regression potential on its own
   should be close to zero.

 * There is a potential issue if the locking (which can now succeed) were,
   for example, never released again, or if the action behind the lock
   caused problems.

[Other Info]

 * n/a

On start/restart ntp triggers an AppArmor denial due to the locking it uses to avoid running concurrently with ntpdate.

That looks like:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"

The rule we need is:
/run/lock/ntpdate wk,
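
As an added example (not part of this bug report or of the ntp package), the following POSIX shell script takes the two denial records from the verification comment further down, plus one unrelated constructed record, as sample input, extracts the records belonging to the /usr/sbin/ntpd profile, and turns each denied path and mask into a candidate profile rule. The helper names aa_field, aa_denials and aa_rule_hint are this example's own.

```sh
#!/bin/sh
# Added example: summarise AppArmor "DENIED" audit records for one profile
# and derive a candidate rule per denied path. Not part of the bug report.
# Assumes the record layout seen in dmesg/audit: key="value" pairs following
# apparmor="DENIED".

# Constructed sample: the two ntpd records from the verification comment and
# one unrelated record, formatted as `dmesg` prints them on the container host.
SAMPLE_DMESG='[2020349.483870] audit: type=1400 audit(1518622585.386:4875): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xenial-test_<var-snap-lxd-common-lxd>" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16784 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[2020342.768379] audit: type=1400 audit(1518622578.674:4870): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-artful-test_<var-snap-lxd-common-lxd>" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16638 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[2020350.000000] audit: type=1400 audit(1518622586.000:4876): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/etc/shadow" pid=1 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# aa_field KEY LINE -> value of the KEY="..." pair in LINE (empty if absent).
# The leading whitespace anchor keeps "name=" from matching inside "namespace=".
aa_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# aa_denials PROFILE  (records on stdin)
# -> unique "operation path denied_mask" tuples for that profile only.
aa_denials() {
    profile="$1"
    grep 'apparmor="DENIED"' | while IFS= read -r line; do
        [ "$(aa_field profile "$line")" = "$profile" ] || continue
        printf '%s %s %s\n' \
            "$(aa_field operation "$line")" \
            "$(aa_field name "$line")" \
            "$(aa_field denied_mask "$line")"
    done | sort -u
}

# aa_rule_hint PROFILE  (records on stdin)
# -> one candidate profile rule per denied path, e.g. "/run/lock/ntpdate w,".
# Masks containing exec (x) or anything unexpected are flagged for manual
# review instead of being turned into a rule.
aa_rule_hint() {
    aa_denials "$1" | while read -r op name mask; do
        case "$mask" in
            *[!rwaklm]*) printf '# %s: mask %s (%s) needs manual review\n' "$name" "$mask" "$op" ;;
            *)           printf '%s %s,\n' "$name" "$mask" ;;
        esac
    done
}

# Stand-alone run: show the rule hint for the ntpd profile.
printf '%s\n' "$SAMPLE_DMESG" | aa_rule_hint /usr/sbin/ntpd
```

Two caveats a practitioner should keep in mind. First, operation="file_inherit" means the denied object is a file descriptor ntpd inherited across exec from the wrapper that started it, not a file ntpd opened itself, so the rule has to cover the path the parent opened. Second, the hint only reflects the mask of the record that was logged: a single denial shows what was blocked at that step, and a later step on the same file can produce a further denial once the first one is allowed. That is why the rule in the fix is `/run/lock/ntpdate wk,` (write plus the `k` file-lock permission) rather than the bare `w` this script derives from the record alone. The namespace= field in the sample shows the records came from LXD containers, which is why the test case watches dmesg on the container host.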

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Note: When we open an SRU for ntp apparmor we should include the minor (but on its own not SRU-worthy) fix of bug 1741227

Changed in ntp (Ubuntu Xenial):
status: New → Triaged
Changed in ntp (Ubuntu Artful):
status: New → Triaged
Changed in ntp (Ubuntu Xenial):
importance: Undecided → Medium
Changed in ntp (Ubuntu Artful):
importance: Undecided → Medium
Changed in ntp (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
description: updated
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Fix is trivial, but you never know - testing the bionic change in https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3144

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

auto profile replace on upgrade - ok
restart without apparmor issues - ok

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Missed the right format in changelog :-/, but this is fixed in Bionic by https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p10+dfsg-5ubuntu7

Changed in ntp (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Bionic - ok
SRU Template - ok
Debdiff for X/T checked - ok
Tested X/A upload from ppa - ok.

I identified another issue in the log as bug 1670408 which needs a fix in apparmor - not ntp.
That means this is ok to be uploaded (not gated by that finding).

description: updated
Changed in ntp (Ubuntu Xenial):
status: Triaged → In Progress
Changed in ntp (Ubuntu Artful):
status: Triaged → In Progress
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

fix in SRU queue (Artful/Xenial) for review by the SRU Team

Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello ChristianEhrhardt, or anyone else affected,

Accepted ntp into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p4+dfsg-3ubuntu5.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ntp (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Changed in ntp (Ubuntu Artful):
status: In Progress → Fix Committed
tags: added: verification-needed-artful
Revision history for this message
Chris J Arges (arges) wrote :

Hello ChristianEhrhardt, or anyone else affected,

Accepted ntp into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p10+dfsg-5ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Verification of proposed:
xenial/artful as is on restart:
[2020349.483870] audit: type=1400 audit(1518622585.386:4875): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xenial-test_<var-snap-lxd-common-lxd>" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16784 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[2020342.768379] audit: type=1400 audit(1518622578.674:4870): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-artful-test_<var-snap-lxd-common-lxd>" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16638 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

After upgrade from proposed:
- 1:4.2.8p4+dfsg-3ubuntu5.8
- 1:4.2.8p10+dfsg-5ubuntu3.2

The messages above are gone - so verified

tags: added: verification-done verification-done-artful verification-done-xenial
removed: verification-needed verification-needed-artful verification-needed-xenial
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for ntp has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.8p10+dfsg-5ubuntu3.2

---------------
ntp (1:4.2.8p10+dfsg-5ubuntu3.2) artful; urgency=medium

  * d/apparmor-profile: avoid denies on argument checks (LP: #1741227)
  * d/apparmor-profile: fix denial checking for running ntpdate (LP: #1749389)

 -- Christian Ehrhardt <email address hidden> Wed, 14 Feb 2018 13:14:24 +0100

Changed in ntp (Ubuntu Artful):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu5.8

---------------
ntp (1:4.2.8p4+dfsg-3ubuntu5.8) xenial; urgency=medium

  * d/apparmor-profile: fix denial checking for running ntpdate (LP: #1749389)

 -- Christian Ehrhardt <email address hidden> Wed, 14 Feb 2018 13:10:39 +0100

Changed in ntp (Ubuntu Xenial):
status: Fix Committed → Fix Released