Broken apparmor profile

Bug #1416039 reported by Jacek Nykis
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
squid3 (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Won't Fix | Undecided | Unassigned |

Bug Description

I enabled the apparmor profile for squid3 by removing the symlink in /etc/apparmor.d/disable.

This broke squid; even "squid3 -z" was failing with:
assertion failed: Kid.cc:39: "cpid > 0"

and I saw the following apparmor message:
apparmor="DENIED" operation="exec" profile="/usr/sbin/squid3" name="/usr/sbin/squid3" pid=23413 comm="squid3" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

This can be worked around by adding the following line to /etc/apparmor.d/usr.sbin.squid3:
/usr/sbin/squid3 ix,
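
Added example, not part of the original report or of the squid3 package: a small triage script that parses AppArmor DENIED messages, picks out the case reported here (a confined binary denied permission to exec itself) and emits the matching ix rule. The function names are hypothetical, the second and third log lines are constructed, and it assumes the profile is named after the binary's path, as in this report.

```python
import re

# First line is the denial quoted in the report; the other two are constructed.
SAMPLE_LOG = [
    'apparmor="DENIED" operation="exec" profile="/usr/sbin/squid3" '
    'name="/usr/sbin/squid3" pid=23413 comm="squid3" requested_mask="x" '
    'denied_mask="x" fsuid=0 ouid=0',
    'apparmor="DENIED" operation="exec" profile="/usr/sbin/squid3" '
    'name="/bin/dash" pid=23500 comm="squid3" requested_mask="x" '
    'denied_mask="x" fsuid=0 ouid=0',
    'apparmor="DENIED" operation="open" profile="/usr/sbin/squid3" '
    'name="/etc/shadow" pid=23501 comm="squid3" requested_mask="r" '
    'denied_mask="r" fsuid=13 ouid=0',
]

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Return the key=value fields of one AppArmor audit message as a dict."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD_RE.findall(line)}

def is_self_exec_denial(fields):
    """True when a confined binary was denied permission to exec itself."""
    return (fields.get("apparmor") == "DENIED"
            and fields.get("operation") == "exec"
            and "x" in fields.get("denied_mask", "")
            and fields.get("profile") == fields.get("name"))

def suggest_rules(lines):
    """Return one 'ix' rule per binary that was denied a self re-exec."""
    rules = []
    for fields in map(parse_fields, lines):
        rule = f"{fields.get('name')} ix,"
        if is_self_exec_denial(fields) and rule not in rules:
            rules.append(rule)
    return rules

def needs_review(lines):
    """Denials that are not a self re-exec; these get no automatic rule."""
    parsed = [parse_fields(line) for line in lines]
    return [f for f in parsed
            if f.get("apparmor") == "DENIED" and not is_self_exec_denial(f)]

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG)))
    for f in needs_review(SAMPLE_LOG):
        print("review:", f["operation"], f["name"], f["denied_mask"])
```

With ix the re-executed process inherits the current profile, so the rule lets the binary re-exec itself without leaving confinement; the other denials are left for manual review rather than being turned into rules.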

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in squid3 (Ubuntu):
status: New → Confirmed
Oleg Strikov (strikov-deactivatedaccount) wrote :

Hi Jacek,

Thanks for reporting the bug and providing us with the fix.
I prepared a debdiff (attached) and will be looking for sponsorship.

Changed in squid3 (Ubuntu):
assignee: nobody → Oleg Strikov (strikov)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid3 - 3.3.8-1ubuntu10

---------------
squid3 (3.3.8-1ubuntu10) vivid; urgency=medium

  [Jacek Nykis]
  * d/usr.sbin.squid3: Apparmor profile has been changed to allow child
    processes to run execvp(argv[0], [kidname, ...]). (LP: #1416039)
 -- Oleg Strikov <email address hidden> Tue, 03 Mar 2015 18:18:20 +0300

Changed in squid3 (Ubuntu):
status: Confirmed → Fix Released
Kees Cook (kees) wrote :

This is needed for trusty too, it seems.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in squid3 (Ubuntu Trusty):
status: New → Confirmed
Paul Gear (paulgear) wrote :

Any plans to get this released for trusty?

Sergio Durigan Junior (sergiodj) wrote :

Sorry, but Ubuntu Trusty has reached its End of Standard Support. For this reason, I am marking this bug as Won't Fix for it.

Changed in squid3 (Ubuntu Trusty):
status: Confirmed → Won't Fix