[karmic] profiles not (always) loaded on boot

Bug #401109 reported by Jamie Strandboge
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Kees Cook

Bug Description

Binary package hint: apparmor

When I reboot, only the /sbin/dhclient3 profile is loaded:
$ sudo aa-status
apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /usr/lib/connman/scripts/dhclient-script
   /sbin/dhclient3
   /usr/lib/NetworkManager/nm-dhcp-client.action
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode :
   /sbin/dhclient3 (3421)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

$ ls -l /etc/apparmor.d/cache/
total 448
-rw------- 1 root root 15073 2009-07-18 09:50 gdm-guest-session
-rw------- 1 root root 40099 2009-07-18 09:50 sbin.dhclient3
-rw------- 1 root root 204425 2009-07-18 09:50 usr.bin.evince
-rw------- 1 root root 75465 2009-07-18 09:50 usr.bin.firefox-3.0
-rw------- 1 root root 10561 2009-07-18 09:50 usr.bin.virt-aa-helper
-rw------- 1 root root 57634 2009-07-18 09:50 usr.sbin.cupsd
-rw------- 1 root root 21105 2009-07-18 09:50 usr.sbin.ntpd
-rw------- 1 root root 17241 2009-07-18 09:50 usr.sbin.tcpdump

I must reload apparmor to get all the profiles:
$ sudo /etc/init.d/apparmor force-reload
 * Reloading AppArmor
Warning: found /etc/apparmor.d/force-complain/usr.sbin.libvirtd, forcing complain mode
                                                                         [ OK ]
[jamie@severus ~]$ sudo aa-status
apparmor module is loaded.
12 profiles are loaded.
11 profiles are in enforce mode.
   /usr/lib/connman/scripts/dhclient-script
   /usr/share/gdm/guest-session/Xsession
   /usr/sbin/ntpd
   /usr/lib/firefox-3.0.11/firefox
   /usr/sbin/tcpdump
   /usr/lib/cups/backend/cups-pdf
   /sbin/dhclient3
   /usr/bin/evince
   /usr/bin/virt-aa-helper
   /usr/sbin/cupsd
   /usr/lib/NetworkManager/nm-dhcp-client.action
1 profiles are in complain mode.
   /usr/sbin/libvirtd
5 processes have profiles defined.
1 processes are in enforce mode :
   /sbin/dhclient3 (3421)
0 processes are in complain mode.
4 processes are unconfined but have a profile defined.
   /usr/sbin/libvirtd (4010)
   /usr/lib/firefox-3.0.11/firefox (5364)
   /usr/sbin/cupsd (4137)
   /usr/sbin/ntpd (3881)

$ ls -l /etc/apparmor.d/cache/
total 448
-rw------- 1 root root 15073 2009-07-18 10:06 gdm-guest-session
-rw------- 1 root root 40099 2009-07-18 10:06 sbin.dhclient3
-rw------- 1 root root 204425 2009-07-18 10:06 usr.bin.evince
-rw------- 1 root root 75465 2009-07-18 10:06 usr.bin.firefox-3.0
-rw------- 1 root root 10561 2009-07-18 10:06 usr.bin.virt-aa-helper
-rw------- 1 root root 57634 2009-07-18 10:06 usr.sbin.cupsd
-rw------- 1 root root 21105 2009-07-18 10:06 usr.sbin.ntpd
-rw------- 1 root root 17241 2009-07-18 10:06 usr.sbin.tcpdump

I do use ifupdown to manage my eth0 interface (i.e. 'iface eth0 inet dhcp' is in /etc/network/interfaces), so it is getting loaded by /etc/network/if-pre-up.d/dhclient3-apparmor.

$ apt-cache policy dhcp3-client
dhcp3-client:
  Installed: 3.1.2-1ubuntu5

$ tail -5 /etc/network/if-pre-up.d/dhclient3-apparmor
# Load the profile
if [ -s "$PROFILE" ]; then
    "$PARSER" -a "$PROFILE" || true
fi

ProblemType: Bug
ApparmorStatusOutput:
 Error: command /usr/sbin/apparmor_status failed with exit code 4: You do not have enough privilege to read the profile set.
 apparmor module is loaded.
Architecture: amd64
Date: Sat Jul 18 10:01:28 2009
DistroRelease: Ubuntu 9.10
Package: apparmor 2.3.1+1403-0ubuntu4
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-3.19-generic
SourcePackage: apparmor
Uname: Linux 2.6.31-3-generic x86_64

Jamie Strandboge (jdstrand) wrote :
Changed in apparmor (Ubuntu):
assignee: nobody → Kees Cook (kees)
security vulnerability: no → yes
Jamie Strandboge (jdstrand) wrote :

From IRC:
10:15 < jdstrand> kees: btw, I just noticed that my libvirtd profile has a symlink in force-complain *and* has:
10:15 < jdstrand> /usr/sbin/libvirtd flags=(complain) {
10:15 < jdstrand> kees: however, it is not in the cache. complain mode only profiles should be in the cache, no (I mean, we still need to load them on boot)?

I'm not sure if this is related, a bug or intended behavior.

Kees Cook (kees) wrote :

It is by design that force-complain profiles will not be cached (since their text may not match their binary).

The cache files were created recently in your first "ls" output, which implies that they are being run through the parser. Why they don't appear in aa-status is not clear to me. Can you boot without "quiet splash" and capture the AppArmor start-up output? Also, you can change the init script to drop the "-q" option so it reports each profile as it loads it.

Kees Cook (kees) wrote :

Also, can you tar up your entire /etc/apparmor.d directory too, just so I can try it with exactly the same profiles you've got?

Jamie Strandboge (jdstrand) wrote :

> It is by design that force-complain profiles will not be cached (since their text may not match their binary).

yes, I suppose that is true.

> Can you boot without "quiet splash" and capture the AppArmor start-up output?
When starting AppArmor, output during boot is:

Starting Apparmor
skipped: already loaded with profiles
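
As an added check (not from the bug report or the apparmor package), the following POSIX shell script lists profiles that are present in a profile directory but that aa-status does not report as loaded, which is the condition this report describes. The profile files and the aa-status output it builds are constructed sample data, and the function names `profile_name`, `loaded_profiles`, `unloaded_profiles` and `make_sample_data` are chosen here, not taken from any apparmor tool.

```shell
#!/bin/sh
# Added example (not from the bug report or the apparmor package): list AppArmor
# profiles present under a profile directory but absent from aa-status output.
# The profile directory and aa-status output built below are constructed sample data.

# Print the profile name declared in one profile file: the first non-comment
# line that starts with an absolute path or with "profile NAME".
profile_name() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*profile[[:space:]]+/ { print $2; exit }
        /^[[:space:]]*\// { print $1; exit }
    ' "$1"
}

# Print the names aa-status lists in its "profiles are loaded" section; the
# process list that follows "processes have profiles defined" is ignored.
loaded_profiles() {
    awk '
        /processes have profiles defined/ { exit }
        /^[[:space:]]+\// { print $1 }
    ' "$1"
}

# Print profile names from directory $1 that aa-status output $2 does not list.
unloaded_profiles() {
    loaded=$(loaded_profiles "$2")
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(profile_name "$f")
        [ -n "$name" ] || continue
        printf '%s\n' "$loaded" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Build constructed sample data: four profiles on disk, only two of them loaded.
# Prints the directory that holds apparmor.d/ and aa-status.txt.
make_sample_data() {
    d=$(mktemp -d)
    mkdir "$d/apparmor.d"
    printf '#include <tunables/global>\n/sbin/dhclient3 {\n}\n' > "$d/apparmor.d/sbin.dhclient3"
    printf '/usr/sbin/cupsd {\n}\n' > "$d/apparmor.d/usr.sbin.cupsd"
    printf '/usr/sbin/libvirtd flags=(complain) {\n}\n' > "$d/apparmor.d/usr.sbin.libvirtd"
    printf '/usr/sbin/ntpd {\n}\n' > "$d/apparmor.d/usr.sbin.ntpd"
    cat > "$d/aa-status.txt" <<'EOF'
apparmor module is loaded.
2 profiles are loaded.
1 profiles are in enforce mode.
   /sbin/dhclient3
1 profiles are in complain mode.
   /usr/sbin/libvirtd
1 processes have profiles defined.
1 processes are in enforce mode :
   /sbin/dhclient3 (3421)
EOF
    printf '%s\n' "$d"
}

# Demonstration on the constructed data: expect /usr/sbin/cupsd and /usr/sbin/ntpd.
sample=$(make_sample_data)
echo "profiles on disk but not loaded:"
unloaded_profiles "$sample/apparmor.d" "$sample/aa-status.txt"
rm -rf "$sample"
```

On a live system you would point `unloaded_profiles` at /etc/apparmor.d and at a saved copy of `sudo aa-status` output. Only regular files at the top level of the directory are read, so abstractions and tunables in subdirectories are skipped, and the cache and force-complain directories are skipped for the same reason.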

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu5

---------------
apparmor (2.3.1+1403-0ubuntu5) karmic; urgency=low

  * Always use --replace when loading profiles so that if profiles
    are loaded outside of the init script (e.g. dhcp3), the init
    script does not abort (LP: #401109).
  * parser/parser_main.c: more carefully create cache files.

 -- Kees Cook <email address hidden> Sun, 19 Jul 2009 07:48:11 -0700

Changed in apparmor (Ubuntu):
status: New → Fix Released
This report contains Public Security information. Everyone can see this security related information.