[pkg-apparmor] Bug#983006: apt-cacher-ng apparmor profile denies access to /proc/sys/kernel/random/uuid which is read during restarts
Paul Wise
pabs at debian.org
Thu Feb 18 06:07:02 GMT 2021
Package: apparmor-profiles-extra
Version: 1.30
Severity: normal
File: /etc/apparmor.d/usr.sbin.apt-cacher-ng
X-Debbugs-CC: apt-cacher-ng at packages.debian.org
Usertags: apparmor
When I restart apt-cacher-ng, it tries to read a random UUID from Linux
and gets denied because the apparmor profile does not allow it. Despite
that denial it still starts fine.
Feb 18 13:06:09 sudo[682638]: pabs : TTY=pts/5 ; PWD=/home/pabs ; USER=root ; COMMAND=/bin/systemctl restart apt-cacher-ng.service
Feb 18 13:06:09 sudo[682638]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Feb 18 13:06:09 systemd[1]: Stopping Apt-Cacher NG software download proxy...
Feb 18 13:06:10 systemd[1]: apt-cacher-ng.service: Succeeded.
Feb 18 13:06:10 systemd[1]: Stopped Apt-Cacher NG software download proxy.
Feb 18 13:06:10 systemd[1]: Starting Apt-Cacher NG software download proxy...
Feb 18 13:06:10 kernel: audit: type=1400 audit(1613624770.098:70): apparmor="DENIED" operation="open" profile="apt-cacher-ng" name="/proc/sys/kernel/random/uuid" pid=682652 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=139 ouid=0
Feb 18 13:06:10 kernel: audit: type=1400 audit(1613624770.098:71): apparmor="DENIED" operation="open" profile="apt-cacher-ng" name="/proc/sys/kernel/random/uuid" pid=682652 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=139 ouid=0
Feb 18 13:06:10 systemd[1]: Started Apt-Cacher NG software download proxy.
Feb 18 13:06:10 sudo[682638]: pam_unix(sudo:session): session closed for user root
It appears as though this access comes from libevent:
$ for f in $(ldd /usr/sbin/apt-cacher-ng | grep -o '/[^ )]*') ; do strings "$f" | grep -q /uuid && echo "$f" ; done
/usr/lib/x86_64-linux-gnu/libevent_core-2.1.so.7
/usr/lib/x86_64-linux-gnu/libevent-2.1.so.7
I think this started when I upgraded to 3.6-1:
Start-Date: 2021-02-18 12:15:20
Commandline: /usr/bin/unattended-upgrade
Upgrade: apt-cacher-ng:amd64 (3.5-3, 3.6-1)
End-Date: 2021-02-18 12:15:31
This version does have some libevent related changes:
$ zcat /usr/share/doc/apt-cacher-ng/changelog.gz | sed -n '/(3.6)/,/(3.5)/p' | grep -A1 libevent
* Using asynchronous libevent DNS resolver instead of getaddrinfo from OS,
since the later turned out to be unreliable in stress tests
I'm not sure if these changes could have caused the change in behaviour
of trying to use the Linux kernel random UUID file, so I am CCing the
maintainer of the apt-cacher-ng package.
-- System Information:
Debian Release: bullseye/sid
APT prefers testing-debug
APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-3-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apparmor-profiles-extra depends on:
ii apparmor 2.13.6-9
apparmor-profiles-extra recommends no packages.
apparmor-profiles-extra suggests no packages.
-- no debconf information
--
bye,
pabs
https://wiki.debian.org/PaulWise
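The denial above is the usual input for deciding what to add to a profile. The script below is an added example written for this report; it is not part of apparmor-profiles-extra, apt-cacher-ng or the AppArmor utilities (aa-logprof does this job interactively). It parses kernel audit lines of the form shown in the report, keeps only apparmor="DENIED" file events, merges the denied masks per profile and path, and prints one candidate rule per path. Assumptions: the two DENIED lines are copied from the report and the "example-service" lines are constructed to show mask merging; the /proc prefix is rewritten to the @{PROC} tunable that Debian profiles use; and a "c" (create) in a denied mask is satisfied by "w" in a file rule.

```python
"""Turn AppArmor kernel audit denials into candidate profile rules.

Added example for Bug#983006; not the reporter's, the package's or AppArmor's
own code. Output is a starting point for review, not a rule to paste blindly.
"""
import re
from collections import defaultdict

# key="quoted value" or key=bare_value pairs inside an audit line.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Canonical order for file permission letters in a generated rule.
_PERM_ORDER = "rwalkmx"

# Constructed sample input: the two DENIED lines quoted from the report, one
# unrelated systemd line (ignored), and two constructed lines for a
# hypothetical "example-service" profile so that mask merging is visible.
SAMPLE_LOG = """\
Feb 18 13:06:10 kernel: audit: type=1400 audit(1613624770.098:70): apparmor="DENIED" operation="open" profile="apt-cacher-ng" name="/proc/sys/kernel/random/uuid" pid=682652 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=139 ouid=0
Feb 18 13:06:10 kernel: audit: type=1400 audit(1613624770.098:71): apparmor="DENIED" operation="open" profile="apt-cacher-ng" name="/proc/sys/kernel/random/uuid" pid=682652 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=139 ouid=0
Feb 18 13:06:10 systemd[1]: Started Apt-Cacher NG software download proxy.
Feb 18 13:07:00 kernel: audit: type=1400 audit(1613624820.000:72): apparmor="DENIED" operation="open" profile="example-service" name="/var/log/example/app.log" pid=700000 comm="example" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Feb 18 13:07:01 kernel: audit: type=1400 audit(1613624821.000:73): apparmor="DENIED" operation="open" profile="example-service" name="/var/log/example/app.log" pid=700000 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""


def parse_audit_lines(text):
    """Return one dict of key/value fields per line that carries apparmor= fields.

    Lines without an apparmor= field (systemd, sudo, ...) are skipped.
    """
    events = []
    for line in text.splitlines():
        if "apparmor=" not in line:
            continue
        fields = {}
        for key, quoted, bare in _KV.findall(line):
            fields[key] = quoted if quoted else bare
        events.append(fields)
    return events


def _normalise_mask(letters):
    """Collapse a set of mask letters into an AppArmor file permission string.

    AppArmor file rules have no separate create permission: a denied "c"
    (create) is covered by granting "w".
    """
    wanted = {"w" if p == "c" else p for p in letters}
    return "".join(p for p in _PERM_ORDER if p in wanted)


def suggest_rules(events, use_tunables=True):
    """Group DENIED file events by profile and merge them into one rule per path.

    Returns {profile: [rule, ...]} with rules sorted. With use_tunables=True a
    leading /proc/ is written as the @{PROC} tunable, as Debian profiles do.
    """
    masks = defaultdict(lambda: defaultdict(set))
    for ev in events:
        # Only hard denials with a file path are turned into file rules;
        # ALLOWED (complain-mode) events and non-file operations are skipped.
        if ev.get("apparmor") != "DENIED" or "name" not in ev:
            continue
        path = ev["name"]
        if use_tunables and path.startswith("/proc/"):
            path = "@{PROC}/" + path[len("/proc/"):]
        masks[ev["profile"]][path].update(ev.get("denied_mask", ""))
    rules = {}
    for profile, per_path in masks.items():
        rules[profile] = sorted(
            f"{path} {_normalise_mask(letters)}," for path, letters in per_path.items()
        )
    return rules


if __name__ == "__main__":
    for profile, rules in suggest_rules(parse_audit_lines(SAMPLE_LOG)).items():
        print(f"# candidate rules for profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

For the report above the script yields a single candidate, `@{PROC}/sys/kernel/random/uuid r,`, for the apt-cacher-ng profile. Since the service started fine despite the denial, the decision is whether libevent's UUID read is needed at all before widening the profile; a denial that does not break the daemon is a candidate for leaving alone (or an explicit `deny` rule to silence the audit noise) rather than an automatic allow.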