Ubuntu
chrony package

please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns

Bug #1869629 reported by Rich McAllister
22
This bug affects 1 person
Affects Status Importance Assigned to Milestone
snapd
Fix Released
Medium
Jamie Strandboge
snapd 2.45
apparmor (Ubuntu)
Fix Released
Critical
Ubuntu Security Team
chrony (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

In focal users of mdns get denials in apparmor confined applications.
An exampel can be found in the original bug below.

It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow

Therefore I'm asking to add
   /etc/mdns.allow r,
to the file
   /etc/apparmor.d/abstractions/mdns"
by default.

--- original bug ---

Many repetitions of

audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0

in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains

hosts: files mdns [NOTFOUND=return] myhostname dns

and /etc/mnds.allow contains the domains to resolve with mDNS (in may case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)

Presumably cronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: chrony 3.5-6ubuntu1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Sun Mar 29 15:02:39 2020
InstallationDate: Installed on 2020-03-26 (3 days ago)
InstallationMedia: Xubuntu 20.04 LTS "Focal Fossa" - Alpha amd64 (20200326)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: chrony
UpgradeStatus: No upgrade log present (probably fresh install)

See original description
Revision history for this message
Rich McAllister (rfm) wrote :
summary: - AppArmor denied accss to /etc/mdns.allow to cronyd
+ AppArmor denied access to /etc/mdns.allow to cronyd
Revision history for this message
Rich McAllister (rfm) wrote : Re: AppArmor denied access to /etc/mdns.allow to cronyd

As a workaround, hanging /etc/apparmor.d/local/usr.sbin.chronyd to include

   /etc/mdns.allow r,

and reloading with

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.chronyd

made it shut up.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi,
/etc/apparmor.d/usr.sbin.chronyd has

  #include <abstractions/nameservice>

And thereby should have:
/etc/apparmor.d/abstractions/nameservice: #include <abstractions/mdns>

Which in turn defines:
/etc/apparmor.d/abstractions/mdns: # mdnsd
/etc/apparmor.d/abstractions/mdns: /etc/nss_mdns.conf r,
/etc/apparmor.d/abstractions/mdns: /{,var/}run/mdnsd w,

There is no mdns.allow but if that is a common thing for mdns we should add the rule.
The file belongs to apparmor itself and I think that abstraction would need a fix:
  apparmor: /etc/apparmor.d/abstractions/mdns

It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow

Therefore this bug IMHO is actually: "please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns"

I'll modify it accordingly, but please speak up if you disagree.

Since this potentially hits any apparmor isolated application using nameservices I'd mark it as critical until the security Team explains why it is not. OTOH such a one line addition should be easily done in apparmor.

summary: - AppArmor denied access to /etc/mdns.allow to cronyd
+ please add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns
Changed in apparmor (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
importance: Undecided → Critical
Changed in chrony (Ubuntu):
status: New → Invalid
description: updated
Revision history for this message
Rich McAllister (rfm) wrote :

This problem is indeed somewhat pervasive, I also filed bug 1869632 on cups-browsed doing the same thing, for the same reason. I suspect more will pop up. I don't think libnss_mdns is too widely used, most people would use libnss_mdns_minimal. I only have to use libnss_mdns because my ISP is insane. If this bug were fixed by adding /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns bug 1869632 would be fixed as well (I've verified this by patching it on my system.)

Not sure why /etc/apparmor.d/abstractions/mdns contains /etc/nss_mdns.conf, though: libnss_mdns.so.2 doesn't refer to that file (it appears to be used in the NetBSD implementation?)

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi Rich,
thanks for your continued help - yes I agree that we need to fix this in the apparmor abstraction and not each individual other affected package.

FYI: I pinged jjohansen yesterday and he said he will make an upload ready and will ask jdstrand to sponsor it. I subscribed them both here now to make that clear.

Christian Ehrhardt  (paelzer)
tags: added: rls-ff-incoming
Revision history for this message
John Johansen (jjohansen) wrote :

This is a debdiff for focal applicable to apparmor_2.13.3-7ubuntu2

It is picked from upstream, and has been through upstream build and checks.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

It seems Rich has already requested the same change upstream after we identified it is not chrony but a general issue. That is great that allowed to backport an official commit.

Thanks jjohansen for making the debdiff of that.

I polished the dep3 headers and changelog a bit to fit in lines and be more detailed.
But other than that +1 and sponsored.

Changed in apparmor (Ubuntu):
status: New → Fix Committed
Revision history for this message
John Johansen (jjohansen) wrote :

Not quite, I pulled Rich's patch from here and pushed it through upstream first so we could have an official commit.

That way debian can pick it up as well.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "apparmor-mdns-fix.patch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Dan Streetman (ddstreet) wrote :

@lathiat, added you FYI only

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This also has a snapd task, which I've added and assigned to myself. This can happen as part of the normal snapd update process.

Changed in snapd:
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → 2.45
status: New → Triaged
Michael Vogt (mvo)
Changed in snapd:
importance: Undecided → Medium
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

@Jamie/John - did you let this upload cancel from focal-unapproved?
It was, but is no more in -unapproved - but it also does not show up in -proposed.
I'm confused and was wondering if this was lost in work of the release-team or if you cancelled (and plan to re-upload) it intentionally?

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Lol - sorry for the noise after seeing another case like that I had to realize that focal-unapproved just is multiple pages now :-)
It is on the second page still waiting for the release team to accept after beta is out.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.13.3-7ubuntu3

---------------
apparmor (2.13.3-7ubuntu3) focal; urgency=medium

  * Add upstream-abstractions-add-etc-mdns.allow-to-etc-apparmor.d-ab.patch
    (LP: #1869629)

 -- John Johansen <email address hidden> Wed, 01 Apr 2020 01:05:30 -0700

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, I submitted https://github.com/snapcore/snapd/pull/8443 for this.

Changed in snapd:
status: Triaged → In Progress
Revision history for this message
Zygmunt Krynicki (zyga) wrote :

I'm marking this as fix released based on the history of the referenced pull request.

Changed in snapd:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.