[pkg-apparmor] Bug#881460: apparmor-profiles: dhclient set to enforce prevents getting an IPv4 with DHCP

intrigeri intrigeri at debian.org
Sun Nov 12 10:52:43 UTC 2017 

Control: severity -1 minor
Control: tag -1 + upstream

Dear Gabriel,

Gabriel Filion:
> Severity: critical
> Justification: breaks unrelated software

Let's sort this out first as there seems to be a misunderstanding.
IMO this bug is not RC because:

1. The profile this bug report is about is not enforced by default;
   it's not even shipped in /etc/apparmor.d. It takes 2 manual steps
   to enforce it, so thankfully, we're far from shipping a broken
   default configuration :)

2. This profile is shipped in a directory whose README says:

     The profiles in this directory are not turned on by default
     because they are not as mature as the profiles in
     /etc/apparmor.d/.

     In some cases, it is because the profile hasn't been updated to
     work with newer code; in other cases, it because any benefit
     provided by the profile is much less than the potential for
     causing problems.

     In short, feel free to try these profiles if you wish, but be
     aware that they may not work on default configurations, let alone
     your specific configuration.

If you came across instructions that told you to enforce such profiles
and that did not point you to the aforementioned warning, then I'm
very sorry! I'll treat this as a RC bug. Please point me to that doc
and I'll fix it ASAP. Thanks in advance!

> I've started using apparmor very recently,

Cool, thanks a lot :)

> and when I rebooted to activate the kernel part, I didn't notice the
> issue below.. but a couple reboots afterwards I couldn't obtain
> a DHCP address anymore for wired and wifi interfaces.

Thanks for reporting this. I'm sorry this profile broke an essential
part of your system. I'm not surprised though: to the best of my
knowledge, nobody is actively using this profile on, and maintaining
this profile for, Debian. Quite some paths in it don't match where
things are shipped in Debian. This is why we don't enable this profile
by default.

The good news is that there is a dhclient profile available elsewhere,
that works way better on Debian: see #795467.

The bad news is that the current situation is very confusing.
One might expect that Ubuntu, as the main contributor to AppArmor
upstream, would keep the upstream profile in sync' with what they are
shipping in their distro, but it's not the case currently; there are
probably historical reasons for it and I understand it may not be high
on the priority list at the moment since they have something that
works fine for them.

Ideally, someone would upstream the (upstream - Ubuntu profile) delta.
And then we can decide whether we ship it via isc-dhcp-client
(synchronizing it regularly from src:apparmor) or in the
apparmor-profiles package.

Cheers,
-- 
intrigeri

More information about the pkg-apparmor-team mailing list