apparmor profile denying access to /proc/*/net/dev

Bug #688186 reported by Dave Walker
This bug affects 3 people
Affects: isc-dhcp (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Jamie Strandboge

Bug Description

[ 11.905752] type=1400 audit(1291909447.147:7): apparmor="DENIED" operation="open" parent=1022 profile="/usr/sbin/dhcpd" name="/proc/1053/net/dev" pid=1053 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=104 ouid=0

As suggested by jdstrand, adding "@{PROC}/[0-9]*/net/dev r," to /etc/apparmor.d/usr.sbin.dhcpd resolves this.
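
An added example, not part of the bug report or the isc-dhcp package: a small Python parser that turns apparmor="DENIED" audit records like the one above into candidate profile rules for review, generalizing /proc/<pid>/ to @{PROC}/[0-9]*/ as the suggested rule does. The function names are hypothetical, and the sample records are copied from the log lines quoted on this page.

```python
import re
from collections import defaultdict

# Sample records copied from the kernel log lines quoted on this page.
SAMPLE_LOG = """\
[ 11.905752] type=1400 audit(1291909447.147:7): apparmor="DENIED" operation="open" parent=1022 profile="/usr/sbin/dhcpd" name="/proc/1053/net/dev" pid=1053 comm="dhcpd" requested_mask="r" denied_mask="r" fsuid=104 ouid=0
[ 17.963014] type=1400 audit(1332158159.903:2): apparmor="STATUS" operation="profile_load" name="/sbin/dhclient" pid=571 comm="apparmor_parser"
[ 523.005483] type=1400 audit(1332158666.880:36): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/modules" pid=3419 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 523.009195] type=1400 audit(1332158666.880:37): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[ 523.027179] type=1400 audit(1332158666.900:38): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
"""

_KV = re.compile(r'(\w+)="([^"]*)"')    # quoted key="value" audit fields
_PROC_PID = re.compile(r"^/proc/\d+/")  # per-process subtree of /proc


def parse_denials(log_text):
    """Yield (profile, path, denied_mask) for each apparmor="DENIED" record."""
    for line in log_text.splitlines():
        fields = dict(_KV.findall(line))
        if fields.get("apparmor") != "DENIED":
            continue  # STATUS, ALLOWED, AUDIT records are not denials
        # Records whose name is not a quoted string (e.g. hex-encoded) are skipped.
        if not {"profile", "name", "denied_mask"} <= fields.keys():
            continue
        yield fields["profile"], fields["name"], fields["denied_mask"]


def generalize(path):
    """Replace a concrete PID with the glob used in the rule from this report."""
    return _PROC_PID.sub("@{PROC}/[0-9]*/", path)


def candidate_rules(log_text):
    """Return {profile: [rule, ...]}, merging repeated denials of one path."""
    masks = defaultdict(set)
    for profile, path, mask in parse_denials(log_text):
        masks[(profile, generalize(path))].update(mask)
    rules = defaultdict(list)
    for (profile, path), perms in sorted(masks.items()):
        rules[profile].append(f"{path} {''.join(sorted(perms))},")
    return dict(rules)


if __name__ == "__main__":
    for profile, rules in candidate_rules(SAMPLE_LOG).items():
        print(profile, *rules, sep="\n  ")
```

The output is a list of candidates to review against what the confined program legitimately needs, not rules to apply blindly; a denied "x" mask in particular needs an explicit execute transition mode chosen by hand.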

Dave Walker (davewalker)
Changed in isc-dhcp (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in isc-dhcp (Ubuntu):
importance: Undecided → High
milestone: none → natty-alpha-2
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isc-dhcp - 4.1.1-P1-15ubuntu2

---------------
isc-dhcp (4.1.1-P1-15ubuntu2) natty; urgency=low

  * debian/apparmor-profile.dhcpd: allow read access to @{PROC}/[0-9]*/net/dev
    LP: #688186
  * debian/apparmor-profile.dhclient: tighten to allow access to
    @{PROC}/[0-9]*/net/**, not @{PROC}/sys/net
  * debian/isc-dhcp-client.postinst: move the old dhclient3 AppArmor aside on
    upgrade. This is needed to properly support upgrades to 11.04 and 12.04.
    LP: #688191
 -- Jamie Strandboge <email address hidden> Thu, 09 Dec 2010 11:21:53 -0600

Changed in isc-dhcp (Ubuntu):
status: In Progress → Fix Released
Tom (thomasmca) wrote :

This bug still exists on my 64bit Kubuntu Natty installation. /etc/apparmor.d/usr.sbin.dhcpd does not exist, and isc-dhcp-client is version 4.1.1-P1-15ubuntu9.1

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 11.04
Release: 11.04
Codename: natty

$ dmesg | grep apparmor
[ 17.963014] type=1400 audit(1332158159.903:2): apparmor="STATUS" operation="profile_load" name="/sbin/dhclient" pid=571 comm="apparmor_parser"
[ 17.963980] type=1400 audit(1332158159.903:3): apparmor="STATUS" operation="profile_load" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=571 comm="apparmor_parser"
[ 17.964606] type=1400 audit(1332158159.903:4): apparmor="STATUS" operation="profile_load" name="/usr/lib/connman/scripts/dhclient-script" pid=571 comm="apparmor_parser"
[ 18.206374] type=1400 audit(1332158160.143:5): apparmor="STATUS" operation="profile_load" name="/usr/share/gdm/guest-session/Xsession" pid=992 comm="apparmor_parser"
[ 18.206701] type=1400 audit(1332158160.143:6): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient" pid=994 comm="apparmor_parser"
[ 18.207198] type=1400 audit(1332158160.153:7): apparmor="STATUS" operation="profile_load" name="/usr/sbin/mysqld-akonadi" pid=998 comm="apparmor_parser"
[ 18.207642] type=1400 audit(1332158160.153:8): apparmor="STATUS" operation="profile_load" name="/usr/lib/cups/backend/cups-pdf" pid=997 comm="apparmor_parser"
[ 18.207703] type=1400 audit(1332158160.153:9): apparmor="STATUS" operation="profile_replace" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=994 comm="apparmor_parser"
[ 18.207815] type=1400 audit(1332158160.153:10): apparmor="STATUS" operation="profile_load" name="/usr/sbin/mysqld-akonadi///usr/sbin/mysqld" pid=998 comm="apparmor_parser"
[ 18.208194] type=1400 audit(1332158160.153:11): apparmor="STATUS" operation="profile_replace" name="/usr/lib/connman/scripts/dhclient-script" pid=994 comm="apparmor_parser"
[ 523.005483] type=1400 audit(1332158666.880:36): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/proc/modules" pid=3419 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 523.009195] type=1400 audit(1332158666.880:37): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[ 523.027179] type=1400 audit(1332158666.900:38): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[ 523.027206] type=1400 audit(1332158666.900:39): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
[ 523.027224] type=1400 audit(1332158666.900:40): apparmor="DENIED" operation="open" parent=3417 profile="/usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}" name="/dev/ati/card0" pid=3419 comm="firefox" reques...
