/proc/sys/kernel/random/boot_id rule missing from abstractions/nameservice

On all my machines and using various daemons, the denial messages always have fsuid==ouid. As such, I believe it would be OK to use the 'owner' specifier like this:

  owner @{PROC}/sys/kernel/random/boot_id r,

Scratch that. Using 'owner' on a root-owned but world readable file is probably ill-advised in an abstraction. It seems plausible for an application to do NSS lookup for user/group while running as non-root.

Which lxd are you using? Because more recent ones, should be creating a per-container boot_id.

`snap info lxd` says:
installed: 4.0.1 (14890) 72MB -

And indeed, there is a tmpfs mounted there:

root@bind:~# mount | grep boot
none on /proc/sys/kernel/random/boot_id type tmpfs (ro,nosuid,nodev,noexec,relatime,size=492k,mode=755,uid=1524288,gid=1524288)

That said, I don't think there is anything lxd specific to this issue as similar behavior is observable on physical/virtual machines where lxd is not used at all.

Squid is failing to start due to this apparmor deny:
[ 7271.822230] audit: type=1400 audit(1588602033.905:516): apparmor="DENIED" operation="open" namespace="root//lxd-autopkgtest-lxd-sljvrl_<var-snap-lxd-common-lxd>" profile="/usr/sbin/squid" name="/proc/sys/kernel/random/boot_id" pid=289530 comm="squid" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

which results in:
2020/05/04 14:20:34 kid1| WARNING: failed to send start-up notification to systemd
    sd_notify() error: (13) Permission denied

and
# time systemctl start squid
Job for squid.service failed because a timeout was exceeded.
See "systemctl status squid.service" and "journalctl -xe" for details.

real 2m6.317s
user 0m0.014s
sys 0m0.011s

That was squid 4.11, for groovy, btw. squid as shipped in focal is working fine.

squid in focal is indeed another package that triggers that denial but it is non fatal there as mentioned by Andreas.

@ahasenack, with 4.11, squid's systemd unit moved from Type=forking to Type=notify and with the error you showed, I would expect you to see a denial trying to write to /run/systemd/notify. I don't think a rule for /run/systemd/notify was added in any abstraction (yet) and I don't see any such rule in squid's profile itself.

The missing rule for boot_id was added to Apparmor 2.13 (https://gitlab.com/apparmor/apparmor/-/blob/apparmor-2.13/profiles/apparmor.d/abstractions/nameservice#L35) and was later refined in the master branch. As such, marking as fix committed.

I'm building a PPA with the backported fix here:

https://launchpad.net/~sergiodj/+archive/ubuntu/apparmor-bug1872564

Status changed to 'Confirmed' because the bug affects multiple users.

Thanks for being on top of this, Sergio. I'm surprised that a LP search for "boot_id" in this project did not turn up this existing bug report.

This bug was fixed in the package apparmor - 2.13.3-7ubuntu6

---------------
apparmor (2.13.3-7ubuntu6) groovy; urgency=medium

  * Add missing "boot_id" rule to abstractions/nameservice. (LP: #1872564)
    - d/p/upstream-commit-454fca7-Add-run-variable.patch: Add the
      definition for the "@{run}" variable.
    - d/p/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch:
      Add trailing slash to the "@{run}" variable.
    - d/p/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch:
      Add a missing rule to allow systemd to access
      @{PROC}/sys/kernel/random/boot_id and @{run}/systemd/userdb.
    - d/apparmor.install: Install new file 'tunables/run' under '/etc/apparmor.d'.

 -- Sergio Durigan Junior <email address hidden> Mon, 11 May 2020 09:55:16 -0400

@Sergio, I didn't see that you uploaded anything to the queue so to expedite the SRU since there are a number of duplicates, I created a smaller backport of the fix and uploaded it to focal-proposed just now: http://launchpadlibrarian.net/480473812/apparmor_2.13.3-7ubuntu5_2.13.3-7ubuntu5.1.diff.gz

(I hope that is alright).

On Tuesday, May 19 2020, Jamie Strandboge wrote:

> @Sergio, I didn't see that you uploaded anything to the queue so to
> expedite the SRU since there are a number of duplicates, I created a
> smaller backport of the fix and uploaded it to focal-proposed just now:
> http://launchpadlibrarian.net/480473812/apparmor_2.13.3-7ubuntu5_2.13.3-7ubuntu5.1.diff.gz
>
> (I hope that is alright).

Thanks, Jamie! That's quite alright. There's an MP opened about this,
but we got sidetracked and forgot to follow up.

Thanks again.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

@Sergio - assuming you are ok with my patch, do you still plan to follow through on the SRU verification once it is accepted into focal-proposed?

On Tuesday, May 19 2020, Jamie Strandboge wrote:

> @Sergio - assuming you are ok with my patch, do you still plan to follow
> through on the SRU verification once it is accepted into focal-proposed?

Hi Jamie,

Yes, I can take care of the verification if no one else does it.

Thanks,

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

To save you some work, I'll be happy to do the verification as soon as something lands in focal-proposed. Thanks

On Wednesday, May 20 2020, Simon Déziel wrote:

> To save you some work, I'll be happy to do the verification as soon as
> something lands in focal-proposed. Thanks

Thanks, Simon! Much appreciated.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Hello Simon, or anyone else affected,

Accepted apparmor into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/2.13.3-7ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

After pulling apparmor 2.13.3-7ubuntu5.1 from focal-proposed:

Get:18 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 apparmor amd64 2.13.3-7ubuntu5.1 [494 kB]
...
Unpacking apparmor (2.13.3-7ubuntu5.1) over (2.13.3-7ubuntu5) ...
Setting up libapparmor1:amd64 (2.13.3-7ubuntu5.1) ...
Setting up apt-utils (2.0.3) ...
Setting up apparmor (2.13.3-7ubuntu5.1) ...
Installing new version of config file /etc/apparmor.d/abstractions/nameservice ...
Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
...

I'm happy to report the bug is fixed, thanks so much!

All autopkgtests for the newly accepted apparmor (2.13.3-7ubuntu5.1) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/245.4-4ubuntu3 (ppc64el)
libreoffice/1:6.4.3-0ubuntu0.20.04.1 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#apparmor

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

@Marco, this issue is not yet fixed in Focal. Marking back to Fix Committed.

The autopkgtest failures seem unrelated. I triggered reruns just now.

FYI, those re-runs passed and the package is green in https://people.canonical.com/~ubuntu-archive/pending-sru.html. When ubuntu-sru goes through the queue, this will be published.

On Monday, June 01 2020, Jamie Strandboge wrote:

> FYI, those re-runs passed and the package is green in
> https://people.canonical.com/~ubuntu-archive/pending-sru.html. When
> ubuntu-sru goes through the queue, this will be published.

Thanks for taking care of this one, Jamie!

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

I don't see the following step from the Test Case performed in comment #20. Was it?

4) check kernel logs for DENIED
$ journalctl -o cat -b0 -k | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'

or, depending on how logging is configured:

$ dmesg | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'

Step 4, should not return anything. Because systemd is involved in the user/group lookups, it currently returns the following:

@Brian, I did go through the full test case when marking it as verified in comment #20.

Do I really need to repeat the full test case when verifying a bug?

$ lxc launch images:ubuntu/focal fb1
$ lxc exec fb1 -- apt update && lxc exec fb1 -- apt install apparmor -y
$ lxc exec fb1 -- apt install bind9 -y

# Confirms the problem:
$ journalctl -o cat -b0 -k | grep 'apparmor="DENIED"' | grep -F 'profile="/usr/sbin/named"'
audit: type=1400 audit(1591130868.387:930): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1591130868.387:931): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1591130868.387:932): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
audit: type=1400 audit(1591130868.387:933): apparmor="DENIED" operation="open" namespace="root//lxd-fb1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=21656 comm="named" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

Bringing in the fix from -proposed:

$ echo 'deb http://archive.ubuntu.com/ubuntu focal-proposed main' | lxc exec fb1 -- tee /etc/apt/sources.list
$ lxc exec fb1 -- apt update
$ lxc exec fb1 -- apt install apparmor
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  apparmor-profiles-extra apparmor-utils
The following packages will be upgraded:
  apparmor
1 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
Need to get 494 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 apparmor amd64 2.13.3-7ubuntu5.1 [494 kB]
Fetched 494 kB in 1s (929 kB/s)
Preconfiguring packages ...
(Reading database ... 14968 files and directories currently installed.)
Preparing to unpack .../apparmor_2.13.3-7ubuntu5.1_amd64.deb ...
Unpacking apparmor (2.13.3-7ubuntu5.1) over (2.13.3-7ubuntu5) ...
Setting up apparmor (2.13.3-7ubuntu5.1) ...
Installing new version of config file /etc/apparmor.d/abstractions/nameservice ...
Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Processing triggers for systemd (245.4-4ubuntu3.1) ...
$ lxc exec fb1 -- systemctl restart named

No *new* DENIED messages in 'journalctl -k', so marking as verification-done.

You don't *have* to include the full output of the test cases when verifying a bug (although, depending on how much output there is, it can be nice).

I don't think it was clear that you *had* gone through the full test-case in your verification comment - I'm not entirely sure what gave that impression, but I think it might have been the combination of *some* output (the apt/dpkg bit) and saying “the bug is fixed, thanks” without making reference to the test case.

Thanks for testing!

The verification of the Stable Release Update for apparmor has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package apparmor - 2.13.3-7ubuntu5.1

---------------
apparmor (2.13.3-7ubuntu5.1) focal-proposed; urgency=medium

  * upstream-lp1872564.patch: adjust nameservice abstraction for nss-systemd
    - LP: #1872564

 -- Jamie Strandboge <email address hidden> Tue, 19 May 2020 16:59:49 +0000

On 2020-06-02 8:50 p.m., Chris Halse Rogers wrote:
> You don't *have* to include the full output of the test cases when
> verifying a bug (although, depending on how much output there is, it can
> be nice).

OK, good, thanks for clarifying!

> I don't think it was clear that you *had* gone through the full test-
> case in your verification comment - I'm not entirely sure what gave that
> impression, but I think it might have been the combination of *some*
> output (the apt/dpkg bit) and saying “the bug is fixed, thanks” without
> making reference to the test case.

True, I should have been more explicit, duly noted!