Merge ~ahasenack/ubuntu/+source/bind9:bionic-bind9-apparmor-profile-path into ubuntu/+source/bind9:ubuntu/devel

Proposed by Andreas Hasenack
Status: Merged
Merge reported by: Nish Aravamudan
Merged at revision: 28c0d9ccf87d8ba86311b851e9cd4cf03ae1fd99
Proposed branch: ~ahasenack/ubuntu/+source/bind9:bionic-bind9-apparmor-profile-path
Merge into: ubuntu/+source/bind9:ubuntu/devel
Diff against target: 27 lines (+7/-1)
2 files modified
debian/changelog (+6/-0)
debian/rules (+1/-1)
Reviews:
  Nish Aravamudan (community): Approve
  Christian Ehrhardt (community): Approve
Review via email: mp+341462@code.launchpad.net

Description of the change

Fixes the apparmor profile name passed to dh_apparmor.

Note I have another MP up for bind9, so depending on which one lands first the version in d/changelog needs to be adjusted.

To test:

sudo apt install bind9
sudo systemctl reload apparmor <-- fails
sudo systemctl status apparmor.service
...
mar 15 14:14:10 bionic-bind9 apparmor[2733]: AppArmor parser error for /etc/apparmor.d/usr.sbin.named in /etc/apparmor.d/usr.sbin.named at line 69: Could not open 'local/usr.sbin.named'
...

Look in /var/lib/dpkg/info/bind9.postinst, search for APP_PROFILE:
    APP_PROFILE="/etc/apparmor.d/usr.bin.named" <--- incorrect name

ps fauxwZ shows named as unconfined:
unconfined bind 2139 0.0 1.0 215380 20576 ? Ssl 13:01 0:00 /usr/sbin/named -f -u bind

sudo add-apt-repository -y ppa:ahasenack/bind9-apparmor-1754981
sudo apt install bind9
sudo systemctl reload apparmor <--- works just fine now

/var/lib/dpkg/info/bind9.postinst now has the correct filename for APP_PROFILE (with sbin instead of bin)

Process is now confined:
/usr/sbin/named (enforce) bind 3742 0.0 1.0 215380 20656 ? Ssl 14:18 0:00 /usr/sbin/named -f -u bind
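The failure described above has two places where it can be caught: at build time, by confirming that the name handed to dh_apparmor matches a profile file the package actually ships, and at runtime, by reading the label column of `ps fauxwZ`. The script below is an added example, not part of this merge proposal or of the bind9 packaging; the rules fragments, profile directory and ps lines are constructed fixtures modelled on the output quoted above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the merge proposal): checks for the kind of
# profile-name mismatch this MP fixes.
#
# 1. Build time: the --profile-name given to dh_apparmor in debian/rules must
#    name a profile file that is shipped (here a constructed directory stands
#    in for debian/ or /etc/apparmor.d).
# 2. Runtime: the first column of `ps fauxwZ` is the AppArmor label, which
#    shows whether named is actually confined.

# Extract the profile name passed to dh_apparmor and confirm the file exists.
# Returns 0 on match, 1 on mismatch, 2 if no dh_apparmor call is found.
check_profile_name() {
    rules_file="$1"
    profile_dir="$2"
    name=$(sed -n 's/.*dh_apparmor.*--profile-name=\([^[:space:]]*\).*/\1/p' "$rules_file" | head -n 1)
    if [ -z "$name" ]; then
        echo "no dh_apparmor --profile-name found in $rules_file"
        return 2
    fi
    if [ -f "$profile_dir/$name" ]; then
        echo "ok: $name is shipped as $profile_dir/$name"
        return 0
    fi
    echo "MISMATCH: dh_apparmor given '$name' but no such file in $profile_dir"
    return 1
}

# Inspect one `ps fauxwZ` line. Returns 0 only when the process carries a
# profile label in enforce mode; unconfined or complain-mode processes fail.
check_confined() {
    ps_line="$1"
    # For an unconfined process the label is the single word "unconfined";
    # for a confined one it is "<profile> (enforce)" or "<profile> (complain)".
    label=$(printf '%s\n' "$ps_line" | awk '{print $1 " " $2}')
    case "$label" in
        unconfined*)   echo "UNCONFINED: $ps_line"; return 1 ;;
        *"(enforce)")  echo "confined: $label"; return 0 ;;
        *)             echo "not enforcing: $label"; return 1 ;;
    esac
}

# Constructed fixtures: the shipped profile file and the dh_apparmor line from
# debian/rules before and after the fix (hypothetical paths, not the package's).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/apparmor.d"
: > "$WORK/apparmor.d/usr.sbin.named"
printf '\tdh_apparmor -pbind9 --profile-name=usr.bin.named\n'  > "$WORK/rules.before"
printf '\tdh_apparmor -pbind9 --profile-name=usr.sbin.named\n' > "$WORK/rules.after"
: > "$WORK/rules.none"

# Constructed ps lines, shaped like the ones quoted in the MP description.
PS_BEFORE='unconfined bind 2139 0.0 1.0 215380 20576 ? Ssl 13:01 0:00 /usr/sbin/named -f -u bind'
PS_AFTER='/usr/sbin/named (enforce) bind 3742 0.0 1.0 215380 20656 ? Ssl 14:18 0:00 /usr/sbin/named -f -u bind'

# Demonstration: the 'before' fixtures fail both checks, the 'after' ones pass.
check_profile_name "$WORK/rules.before" "$WORK/apparmor.d" || :
check_profile_name "$WORK/rules.after"  "$WORK/apparmor.d"
check_confined "$PS_BEFORE" || :
check_confined "$PS_AFTER"
```

On a real system the runtime check is `ps fauxwZ | grep '[n]amed'` piped into `check_confined`; the build-time check is run against `debian/rules` with the directory that holds the shipped profile. Neither needs root, and the build-time one catches the typo before the package is ever installed, which the build itself does not.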

Christian Ehrhardt (paelzer) wrote :

This broke more than just the reload.
I agree to the fix.
I agree to the packaging.
I tested and ack that it is working now.
 - proper local include created
 - confined

The only thing I wonder is when did this creep in?
If this never worked it is a major change (no matter how correct).
If it never was confined we might want a FFE to do the fix.
Or ship it with the fix, but in complain mode?

... testing former releases ...
artful: broken the same way
xenial: correct

Given that the profile is active and enforced in Xenial I think it is fine without FFE to fix Bionic.
For a short moment I was scared this might be the first time we enable it.
Also an SRU for artful on this eventually I guess ?

TL;DR: Important fix and LGTM+1

review: Approve
Andreas Hasenack (ahasenack) wrote :

I didn't check artful, good call, just xenial. This came from a debian merge, likely when they switched to dh_apparmor, and nobody saw the typo. I filed a bug with them, and also submitted a quick PR.

Andreas Hasenack (ahasenack) wrote :

Why did you say artful was affected? The apparmor profile name is correct, and the process is confined.

Christian Ehrhardt (paelzer) wrote :

My artful container was full of bionic archive bits enabled.
I killed it and agree.

So please consider uploading this.

Nish Aravamudan (nacc) :
review: Approve
Nish Aravamudan (nacc) wrote :

Upload tagged and sponsored.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index c4d5f0d..ddac13c 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,9 @@
6+bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
7+
8+ * Fix apparmor profile filename (LP: #1754981)
9+
10+ -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300
11+
12 bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
13
14 * No change rebuild against openssl1.1.
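Review bot: the version 1:9.11.2.P1-1ubuntu4 in this new stanza will collide with the other open bind9 MP mentioned in the description, so whichever lands second needs its version bumped before upload. The entry could also name the actual change so the fix is findable from the changelog alone, e.g. "* d/rules: fix apparmor profile name passed to dh_apparmor (usr.bin.named -> usr.sbin.named) (LP: #1754981)".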
15diff --git a/debian/rules b/debian/rules
16index 5d0ffd4..cfe7afa 100755
17--- a/debian/rules
18+++ b/debian/rules
19@@ -139,7 +139,7 @@ override_dh_install:
20 /usr/lib/$(DEB_HOST_MULTIARCH)/$$dev; \
21 done
22
23- dh_apparmor -pbind9 --profile-name=usr.bin.named
24+ dh_apparmor -pbind9 --profile-name=usr.sbin.named
25
26 override_dh_systemd_enable:
27 dh_systemd_enable -pbind9 --no-enable --name=bind9-resolvconf bind9-resolvconf.service
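Review bot: the new --profile-name=usr.sbin.named has to match the profile file the package installs under /etc/apparmor.d, because dh_apparmor derives the postinst APP_PROFILE path and the local/ include name from it, and a mismatch does not fail the build; as the description shows, the result is a parser error on reload and named running unconfined. A one-line comment above this call in debian/rules saying the name must equal the shipped profile filename, plus checking `ps fauxwZ` for an enforce label on named during test builds, would stop this typo from coming back on the next Debian merge.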
