apparmor cache files not regenerated on upgrade

Bug #466315 reported by Jose M. Albarrán
Affects             Status        Importance  Assigned to  Milestone
apparmor (Ubuntu)   Fix Released  Medium      Kees Cook
  Karmic            Fix Released  Medium      Kees Cook
  Lucid             Fix Released  Medium      Kees Cook

Bug Description

impact: people upgrading from Jaunty to Karmic will see some services fail to start because outdated profiles are not correctly reloaded (specifically, this happens for bind9).
how the bug has been addressed: backported the upstream fixes that use ctime instead of mtime when checking whether profiles are out of date compared to the cache files.
regression potential: low: the change is small, there are upstream tests, and the test case below demonstrates the fix.

TEST CASE: (all commands should exit 0: the "touch" will rewind the "modified" time but not the "changed" time, so a fixed parser will still regenerate the cache.)

Run with sudo:
#!/bin/bash
set -e
cat >/etc/apparmor.d/tmp.test <<EOF
#include <tunables/global>
/tmp/test {
  #include <abstractions/base>
}
EOF
sleep 1
service apparmor reload
test /etc/apparmor.d/cache/tmp.test -nt /etc/apparmor.d/tmp.test
THEN=$(mktemp -t now-XXXXXX)
sleep 1
touch -t 200901010101 /etc/apparmor.d/tmp.test
apparmor_parser -r -W /etc/apparmor.d/tmp.test
set +e
test /etc/apparmor.d/cache/tmp.test -nt $THEN
rc=$?
set -e
apparmor_parser -R /etc/apparmor.d/tmp.test
rm /etc/apparmor.d/{,cache}/tmp.test $THEN
if [ $rc -ne 0 ]; then
    echo FAIL
    exit 1
fi
echo ok
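As an added illustration (not code from the bug report or from the apparmor parser), the Python model below reproduces the staleness check before and after the fix on constructed files: dpkg's preserved mtime is emulated with os.utime, which, like the touch -t above, rewinds the modification time while the change time moves forward.

```python
import os
import tempfile


def cache_is_current(profile, cache, use_ctime):
    """True if the cache may be reused. use_ctime=False models the pre-fix
    parser (profile mtime vs cache mtime); use_ctime=True models the fix
    (profile ctime, which an install cannot rewind, vs cache mtime).
    Assumed simplification: the real parser also checks other inputs."""
    if not os.path.exists(cache):
        return False
    st = os.stat(profile)
    return os.stat(cache).st_mtime >= (st.st_ctime if use_ctime else st.st_mtime)


def simulate_package_upgrade(workdir):
    """Reproduce the bind9 upgrade: dpkg unpacks a new profile but keeps its
    archived mtime, so it looks older than the cache built before the upgrade.
    Returns (mtime_verdict, ctime_verdict) for 'cache is current'."""
    cache_dir = os.path.join(workdir, "cache")
    os.makedirs(cache_dir)
    profile = os.path.join(workdir, "usr.sbin.named")
    cache = os.path.join(cache_dir, "usr.sbin.named")

    # Cache compiled from the jaunty profile one hour ago (constructed time).
    with open(cache, "wb") as f:
        f.write(b"binary policy compiled from the old profile")
    now = os.stat(cache).st_mtime
    os.utime(cache, (now - 3600, now - 3600))

    # dpkg installs the karmic profile (new openssl.cnf rule) and restores its
    # archived mtime, a day older than the cache. Like 'touch -t' in the test
    # case above, utime rewinds mtime but bumps ctime to the present.
    with open(profile, "w") as f:
        f.write("/usr/sbin/named {\n  /etc/ssl/openssl.cnf r,\n}\n")
    old = now - 3600 - 86400
    os.utime(profile, (old, old))

    return (cache_is_current(profile, cache, use_ctime=False),
            cache_is_current(profile, cache, use_ctime=True))


def run_demo():
    with tempfile.TemporaryDirectory() as workdir:
        return simulate_package_upgrade(workdir)

if __name__ == "__main__":
    by_mtime, by_ctime = run_demo()
    print("mtime comparison reuses stale cache:", by_mtime)  # True: the bug
    print("ctime comparison reuses stale cache:", by_ctime)  # False: the fix
```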

Original bug description:

Binary package hint: bind9

If you have apparmor installed and then install bind9, it fails to start, complaining about access denied (on the openssl.cnf file the first time, on named.pid in other configurations).

The problem is that bind9 doesn't install an apparmor profile.

If you install the apparmor-profiles package, the problem is solved.

Then, maybe it has to have a dependency (or install an apparmor bind profile specifically).

In my case, it was detected after upgrading from 9.04 to 9.10.

Kenyon Ralph (kralph)
Changed in bind9 (Ubuntu):
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. To help fix the bug, please follow the instructions found in https://wiki.ubuntu.com/DebuggingApparmor. This will greatly help us in tracking down your problem.

Changed in bind9 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → Incomplete
Revision history for this message
Kenyon Ralph (kralph) wrote :

The problem is simply fixed by installing the apparmor-profiles package. So adding a dependency on that package would seem to be one way to fix this, as suggested in the original report. Bug #472472 has more details. Here is an example kern.log entry from my system before installing apparmor-profiles:

Nov 3 02:53:39 voodoo kernel: [1140012.457778] type=1503 audit(1257245619.887:60): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=112 name="/etc/ssl/openssl.cnf" pid=20929 profile="/usr/sbin/named"

After installing the apparmor-profiles package, named works normally, with no apparmor complaints.

Changed in bind9 (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

apparmor-profiles is in universe, and bind9 is in main, so bind9 cannot depend on apparmor-profiles.

This error is confusing because apparmor-profiles on 9.10 does not provide a profile for usr.sbin.named, and provides no abstractions.

Kenyon, can you attach a tarball of your /etc/apparmor.d/ directory?
$ sudo tar -zcvf /tmp/466315.tar.gz /etc/apparmor.d

Changed in bind9 (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Brendan Martens (shrift) wrote :

I was having the same problem, I then did as Kenyon suggested and it fixed the problem. Here is the tar file of the apparmor.d directory.

Revision history for this message
Kenyon Ralph (kralph) wrote : Re: [Bug 466315] Re: bind9 missed a dependency with apparmor-profiles

On 2009-11-03T22:53:27-0000, Jamie Strandboge <email address hidden> wrote:
> apparmor-profiles is in universe, and bind9 is in main, so bind9 cannot
> depend on apparmor-profiles.

I see.

> This error is confusing because apparmor-profiles on 9.10 does not
> provide a profile for usr.sbin.named, and provides no abstractions.

Yes, this is strange.

% dlocate -S /etc/apparmor.d/usr.sbin.named
bind9: /etc/apparmor.d/usr.sbin.named

I did sudo aa-complain =named, sudo aptitude remove apparmor-profiles,
stopped and started bind9, saw no complaints. Same after sudo aa-enforce
=named, no problems, bind9 works.

So this bug might be some kind of weirdness that happens when upgrading
bind9. I did the jaunty->karmic upgrade via do-release-upgrade. I had
bind9 1:9.5.1.dfsg.P2-1ubuntu0.1 on jaunty.

> Kenyon, can you attach a tarball of your /etc/apparmor.d/ directory?
> $ sudo tar -zcvf /tmp/466315.tar.gz /etc/apparmor.d

Tarballs attached. One is with apparmor-profiles installed, one is after
removing it.

--
Kenyon Ralph

Changed in bind9 (Ubuntu):
status: Incomplete → Confirmed
Kenyon Ralph (kralph)
summary: - bind9 missed a dependency with apparmor-profiles
+ bind9 jaunty to karmic upgrade causes initial apparmor audit with
+ openssl.cnf, seems fixed by installing apparmor-profiles but not really
Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: bind9 jaunty to karmic upgrade causes initial apparmor audit with openssl.cnf, seems fixed by installing apparmor-profiles but not really

Kenyon,

Can you provide the status of the following command (with apparmor-profiles installed and bind9 otherwise working):
$ sudo aa-status

Changed in bind9 (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Kenyon Ralph (kralph) wrote :

% sudo aa-status
apparmor module is loaded.
36 profiles are loaded.
16 profiles are in enforce mode.
   /usr/share/gdm/guest-session/Xsession
   /usr/sbin/clamd
   /usr/bin/freshclam
   /usr/sbin/avahi-daemon
   /usr/sbin/dhcpd3
   /sbin/dhclient3
   /usr/bin/evince-thumbnailer
   /usr/sbin/cupsd
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/bin/evince-previewer
   /usr/sbin/tcpdump
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/mysqld
   /usr/bin/evince
   /usr/sbin/named
20 profiles are in complain mode.
   /usr/lib/dovecot/imap-login
   /bin/ping
   /usr/sbin/ntpd
   /sbin/klogd
   /sbin/syslogd
   /sbin/syslog-ng
   /usr/lib/dovecot/imap
   /usr/sbin/traceroute
   /usr/sbin/mdnsd
   /usr/sbin/identd
   /usr/lib/dovecot/managesieve-login
   /usr/sbin/dnsmasq
   /usr/sbin/nmbd
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/pop3-login
   /usr/sbin/smbd
   /usr/lib/dovecot/deliver
   /usr/sbin/nscd
   /usr/lib/dovecot/pop3
   /usr/sbin/dovecot
7 processes have profiles defined.
6 processes are in enforce mode :
   /usr/sbin/avahi-daemon (650)
   /sbin/dhclient3 (1157)
   /usr/sbin/named (1150)
   /usr/sbin/dhcpd3 (2209)
   /usr/sbin/avahi-daemon (648)
   /usr/sbin/cupsd (31908)
1 processes are in complain mode.
   /usr/sbin/ntpd (1792)
0 processes are unconfined but have a profile defined.

% echo $status
0

Output was the same regardless of whether apparmor-profiles was installed.

Changed in bind9 (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Kenyon,

Can you give the output of:
$ dpkg -l |egrep '(apparmor|bind9)'

Revision history for this message
Kenyon Ralph (kralph) wrote :

% dpkg -l |egrep '(apparmor|bind9)'
ii apparmor 2.3.1+1403-0ubuntu27.1 User-space parser utility for AppArmor
rc apparmor-profiles 2.3.1+1403-0ubuntu27.1 Profiles for AppArmor Security policies
ii apparmor-utils 2.3.1+1403-0ubuntu27.1 Utilities for controlling AppArmor
ii bind9 1:9.6.1.dfsg.P1-3 Internet Domain Name Server
ii bind9-host 1:9.6.1.dfsg.P1-3 Version of 'host' bundled with BIND 9.X
ii bind9utils 1:9.6.1.dfsg.P1-3 Utilities for BIND
ii libapparmor-perl 2.3.1+1403-0ubuntu27.1 AppArmor library Perl bindings
ii libapparmor1 2.3.1+1403-0ubuntu27.1 changehat AppArmor library
rc libbind9-30 1:9.4.2.dfsg.P2-2 BIND9 Shared Library used by BIND
rc libbind9-40 1:9.5.1.dfsg.P2-1ubuntu0.1 BIND9 Shared Library used by BIND
ii libbind9-50 1:9.6.1.dfsg.P1-3 BIND9 Shared Library used by BIND

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Ok, I now know the problem. What is happening is that the AppArmor profile for 9.10 added this line to the profile:
  /etc/ssl/openssl.cnf r,

On upgrade, the package reloads the profile with (see debian/bind9.postinst):
  apparmor_parser -r "$APP_PROFILE" || true

This was fine up until apparmor in 9.10 added cache files (which was after this change was made). When you install apparmor-profiles, it restarts apparmor via the initscript, which regenerates all the cache files. So apparmor-profiles has nothing to do with it -- it just happened to trigger regenerating the cache files.

I believe the fix to be to change the postinst script to have:
  apparmor_parser -T -W -r "$APP_PROFILE" || true

This will force writing of the cache and should fix this. LaMont, can you handle this in your next upload for Lucid?

Changed in bind9 (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
assignee: Jamie Strandboge (jdstrand) → LaMont Jones (lamont)
summary: - bind9 jaunty to karmic upgrade causes initial apparmor audit with
- openssl.cnf, seems fixed by installing apparmor-profiles but not really
+ bind9 apparmor cache files not regenerated on upgrade
Revision history for this message
Kees Cook (kees) wrote : Re: bind9 apparmor cache files not regenerated on upgrade

Finally tracked this down -- apparmor parser should be using ctime instead of mtime for cache vs profile comparisons.

affects: bind9 (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
assignee: LaMont Jones (lamont) → Kees Cook (kees)
summary: - bind9 apparmor cache files not regenerated on upgrade
+ apparmor cache files not regenerated on upgrade
Kees Cook (kees)
Changed in apparmor (Ubuntu):
status: Triaged → In Progress
Kees Cook (kees)
description: updated
Kees Cook (kees)
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
description: updated
Changed in apparmor (Ubuntu Karmic):
status: New → Fix Committed
importance: Undecided → Medium
Changed in apparmor (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Karmic):
assignee: nobody → Kees Cook (kees)
Kees Cook (kees)
description: updated
Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Accepted apparmor into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Revision history for this message
Kenyon Ralph (kralph) wrote : Re: [Bug 466315] apparmor cache files not regenerated on upgrade

On 2009-12-15T07:54:47-0000, Martin Pitt <email address hidden> wrote:
> Accepted apparmor into karmic-proposed, the package will build now and
> be available in a few hours. Please test and give feedback here. See
> https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
> enable and use -proposed. Thank you in advance!

The upgrade from 2.3.1+1403-0ubuntu27.2 to 2.3.1+1403-0ubuntu27.3 worked
fine, and BIND still works. I can't really test the upgrade from jaunty
to karmic again though (I could in a virtual machine, but that would
take me some time to set up).

--
Kenyon Ralph

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu27.3

---------------
apparmor (2.3.1+1403-0ubuntu27.3) karmic-proposed; urgency=low

  * parser/parser_main.c: check ctime instead of mtime, since dpkg will
    install profiles with their publication dates, not install dates
    (LP: #466315, upstream bzr 1307).
  * debian/control: update Vcs field for karmic branch.
 -- Kees Cook <email address hidden> Wed, 11 Nov 2009 15:01:49 -0800

Changed in apparmor (Ubuntu Karmic):
status: Fix Committed → Fix Released