In 16.10, LXD won't work with enforced dnsmasq profile

Bug #1634199 reported by Franck
Affects            Status        Importance  Assigned to  Milestone
AppArmor           Fix Released  Undecided   Unassigned
apparmor (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

After upgrading to 16.10, LXD networking stopped working due to the enforced dnsmasq profile.

audit: type=1400 audit(1476709813.572:4291): apparmor="DENIED" operation="truncate" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.leases" pid=13540 comm="dnsmasq" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

Tags: aa-policy


Revision history for this message
Christian Boltz (cboltz) wrote :

Sounds like the path changed.

You'll need to add the following rule to /etc/apparmor.d/usr.sbin.dnsmasq (or to the local/ include):
  /var/lib/lxd/networks/lxdbr*/dnsmasq.leases rw,

BTW: Do you know if lxd supports different network interface types that don't match the lxdbr* name pattern? If yes, we'll need to add a more permissive rule.

tags: added: aa-policy
Revision history for this message
Stéphane Graber (stgraber) wrote :

The interface name is decided by the user in LXD 2.3 or higher, so it can be any valid interface name.

Revision history for this message
Stéphane Graber (stgraber) wrote :

/var/lib/lxd/networks/*/dnsmasq.leases rw,

should work fine

Revision history for this message
Christian Boltz (cboltz) wrote :

Thanks for the feedback!

I just submitted the patch for review upstream.

Revision history for this message
Franck (alci) wrote :

I'm afraid it won't be enough...:

audit: type=1400 audit(1476780672.803:99): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.hosts" pid=5165 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Revision history for this message
Christian Boltz (cboltz) wrote :

dnsmasq.leases added in trunk r3573 (before noticing comment #5 ;-)

comment #5 means you'll need to add
    /var/lib/lxd/networks/*/dnsmasq.hosts r,

After adding this (and reloading the profile), do you see more DENIED messages?

Revision history for this message
Franck (alci) wrote :

Another message:

audit: type=1400 audit(1476791887.152:118): apparmor="DENIED" operation="mknod" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.pid" pid=5480 comm="dnsmasq" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Revision history for this message
Christian Boltz (cboltz) wrote :

"c" means to create a file, so you'll need write permissions. Judging on other rules in the profile, you'll also need read permissions. To sum it up:
  /var/lib/lxd/networks/*/dnsmasq.pid rw,

Anything else after adding this?

Revision history for this message
Stéphane Graber (stgraber) wrote :

Yes, so basically we have:
 - dnsmasq.pid (create + read/write by dnsmasq)
 - dnsmasq.raw (read by dnsmasq)
 - dnsmasq.hosts (read by dnsmasq)
 - dnsmasq.leases (create + read/write by dnsmasq)

I'd be tempted to just go with:

/var/lib/lxd/networks/*/dnsmasq.pid rw,
/var/lib/lxd/networks/*/dnsmasq.leases rw,
/var/lib/lxd/networks/*/dnsmasq.* r,

That should make things a bit more future proof should we add any more dnsmasq related files in there.
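To make the step from audit denials to profile rules concrete, here is an added example that is not code from this bug thread, from LXD or from the AppArmor project. It takes the three DENIED lines posted above as constructed sample input and produces the rule set Stéphane arrives at. Two choices are assumptions taken from the reasoning in the thread, not AppArmor behaviour: a 'w' or 'c' denial is widened to 'rw' (as Christian did for dnsmasq.leases and dnsmasq.pid), and the per-interface directory under /var/lib/lxd/networks/ is replaced with '*' because the interface name is user-chosen. The rendered override file targets /etc/apparmor.d/local/usr.sbin.dnsmasq, the standard local include on Ubuntu.

```python
"""Turn apparmor="DENIED" audit lines into candidate profile rules.

Added example for this bug report; not part of AppArmor's tooling.
"""
import re
from collections import defaultdict

# Constructed sample input: the three denials quoted in this report.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1476709813.572:4291): apparmor="DENIED" operation="truncate" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.leases" pid=13540 comm="dnsmasq" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1476780672.803:99): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.hosts" pid=5165 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1476791887.152:118): apparmor="DENIED" operation="mknod" profile="/usr/sbin/dnsmasq" name="/var/lib/lxd/networks/lxdbr0/dnsmasq.pid" pid=5480 comm="dnsmasq" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

# key="value" pairs as the audit subsystem prints them (unquoted pid=... is ignored).
_KV = re.compile(r'(\w+)="([^"]*)"')
# Per-network directory created by LXD; the interface name is user-chosen (LXD >= 2.3).
_LXD_NET = re.compile(r"^/var/lib/lxd/networks/[^/]+/")
LOCAL_INCLUDE = "/etc/apparmor.d/local/usr.sbin.dnsmasq"


def parse_denials(text):
    """Yield a dict of fields for each DENIED line that names a file."""
    for line in text.splitlines():
        fields = dict(_KV.findall(line))
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields


def mask_to_perms(mask):
    """Map a requested_mask to AppArmor file permissions.

    Assumption from the thread: a file dnsmasq writes (w), creates (c),
    appends to (a) or deletes (d) is also read back, so those become 'rw'.
    A single denial only shows the first blocked operation, so widening
    here saves a second round of denied/reload/retry.
    """
    perms = set()
    for ch in mask:
        if ch == "r":
            perms.add("r")
        elif ch in "wcad":
            perms.update("rw")
        elif ch in "kmx":  # lock, mmap, exec: keep literally
            perms.add(ch)
    return perms


def format_perms(perms):
    """Order permissions the way profiles usually write them (e.g. 'mrw', 'rwk')."""
    canonical = "mrwk"
    return "".join(p for p in canonical if p in perms) + "".join(sorted(perms - set(canonical)))


def generalise(path):
    """Replace the LXD network name with '*' so any bridge name matches."""
    return _LXD_NET.sub("/var/lib/lxd/networks/*/", path)


def suggest_rules(audit_text, profile="/usr/sbin/dnsmasq"):
    """Return sorted rule lines for one profile, merging permissions per path."""
    perms_by_path = defaultdict(set)
    for d in parse_denials(audit_text):
        if d.get("profile") != profile:
            continue
        perms_by_path[generalise(d["name"])] |= mask_to_perms(d["requested_mask"])
    return [f"{path} {format_perms(perms)}," for path, perms in sorted(perms_by_path.items())]


def render_local_include(rules):
    """Render the rules as the body of the local/ override file."""
    header = "# Site-specific additions and overrides for usr.sbin.dnsmasq.\n"
    return header + "".join(f"  {rule}\n" for rule in rules)


if __name__ == "__main__":
    print(f"# write this to {LOCAL_INCLUDE}, then:")
    print("#   apparmor_parser -r /etc/apparmor.d/usr.sbin.dnsmasq")
    print(render_local_include(suggest_rules(SAMPLE_AUDIT)))
```

After writing the output to the local include, reload with `apparmor_parser -r /etc/apparmor.d/usr.sbin.dnsmasq` and watch the audit log for further denials. A log-driven generator like this only ever sees files the process has already been refused; it cannot anticipate dnsmasq.raw or anything LXD adds later, which is exactly why the thread settles on the broader `/var/lib/lxd/networks/*/dnsmasq.* r,` rule in the shipped profile.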

Revision history for this message
Christian Boltz (cboltz) wrote :

dnsmasq.* indeed sounds like a good idea, and shouldn't cause any harm.

I've sent another patch to the mailing list for review.

Revision history for this message
Christian Boltz (cboltz) wrote :

Patch committed to bzr trunk r3574. AppArmor 2.11 will include it.

Changed in apparmor:
status: New → Fix Committed
milestone: none → 2.11
Christian Boltz (cboltz)
Changed in apparmor:
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu):
status: New → Fix Released