[Bug 1067473] Re: [quantal] isc-dhcp-client dropped network-interface-security symlink and therefore may run unconfined

Steve Langasek steve.langasek at canonical.com
Sat Oct 20 06:03:12 UTC 2012


Hello Jamie, or anyone else affected,

Accepted isc-dhcp into quantal-proposed. The package will build now and
be available at http://launchpad.net/ubuntu/+source/isc-dhcp/4.2.4-1ubuntu10.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from
verification-needed to verification-done.  If it does not, change the
tag to verification-failed.  In either case, details of your testing
will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: isc-dhcp (Ubuntu Quantal)
       Status: In Progress => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1067473

Title:
  [quantal] isc-dhcp-client dropped network-interface-security symlink
  and therefore may run unconfined

Status in “isc-dhcp” package in Ubuntu:
  In Progress
Status in “isc-dhcp” source package in Quantal:
  Fix Committed
Status in “isc-dhcp” source package in Raring:
  In Progress

Bug description:
  [IMPACT]
   * dhclient is a root-run process and successfully exploiting a flaw in dhclient could
     have severe consequences for the user's system
  [TESTCASE]
   * On an Ubuntu server system using dhcp for an interface:
    1. sudo aa-status # bug not fixed
       ...
       1 processes are unconfined but have a profile defined.
       /sbin/dhclient (<pid>)
    2. install the updates
    3. reboot
    4. sudo aa-status # bug fixed
       ...
       5 processes are in enforce mode.
       /sbin/dhclient (<pid>)
       ...
       0 processes are unconfined but have a profile defined.

  [Regression Potential] 
   * Regression potential is low. The AppArmor profile for dhclient has been in use for 
     years and is still in effect on the default Ubuntu desktop because of when network 
     manager runs (the profile is loaded before the interface is brought up). Therefore
     there should be no surprise denials.

  
  = Initial report =
  I was doing install audits of 12.10 and noticed this with 'sudo aa-status':
  1 processes are unconfined but have a profile defined.
     /sbin/dhclient (<pid removed>)

  This is a regression over 12.04 and needs to be fixed in an SRU. I don't know what introduced the regression, but it is very likely a race condition. I saw it on 12.10 server but not on 12.10 desktop. It seems to be at least somewhat reproducible (rebooting once showed it is still affected) with an amd64 VM with 1024M of ram with installation defaults (except home directory is encrypted) and the following tasks installed:
  Basic Ubuntu server
  OpenSSH server
  DNS server
  LAMP server
  Mail server
  PostgreSQL database
  Print server
  Samba file server
  Tomcat Java server
  Virtual Machine host

  Upon investigation this is because /etc/init/network-interface-security.conf is looking for files in /etc/apparmor/init/network-interface-security/*. Unfortunately, the quantal merge dropped this:
  diff -Naur ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links
  --- ./precise/isc-dhcp-4.1.ESV-R4/debian/isc-dhcp-client.links	2012-10-16 13:48:13.000000000 -0500
  +++ ./quantal/isc-dhcp-4.2.4/debian/isc-dhcp-client.links	1969-12-31 18:00:00.000000000 -0600
  @@ -1,3 +0,0 @@
  -sbin/dhclient sbin/dhclient3
  -usr/share/man/man8/dhclient.8.gz usr/share/man/man8/dhclient3.8.gz
  -etc/apparmor.d/sbin.dhclient etc/apparmor/init/network-interface-security/sbin.dhclient
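Review bot: the third removed line, `-etc/apparmor.d/sbin.dhclient etc/apparmor/init/network-interface-security/sbin.dhclient`, is the one that lets /etc/init/network-interface-security.conf find and load the dhclient profile before the interface is brought up, so dropping it together with the dhclient3 compatibility links is what leaves /sbin/dhclient unconfined. The `+++` timestamp of 1969-12-31 shows the whole isc-dhcp-client.links file was deleted rather than edited; if the dhclient3 symlinks are meant to go, keep the file with at least that third line so the profile stays wired into the init job.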

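As an added example that is not part of the bug report or the isc-dhcp package, a small POSIX shell script that performs the TESTCASE checks offline: it verifies that the init-time symlink the merge dropped is present and resolves to the real profile, parses saved `aa-status` output for the "unconfined but have a profile defined" warning, and classifies a process from its /proc AppArmor label. The root-prefix argument and the sample `aa-status` excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report or the isc-dhcp package: offline
# checks mirroring the bug's TESTCASE. Paths are the ones named in the report;
# the root prefix passed to check_profile_link is hypothetical so the check
# can be exercised against a scratch tree instead of the live system.

PROFILE="etc/apparmor.d/sbin.dhclient"
LINK="etc/apparmor/init/network-interface-security/sbin.dhclient"

# Is the symlink dropped from isc-dhcp-client.links present under $1, and does
# it resolve to the real profile? network-interface-security.conf globs that dir.
check_profile_link() {
    root="${1:-}"
    [ -h "$root/$LINK" ] && [ "$root/$LINK" -ef "$root/$PROFILE" ]
}

# Parse saved `aa-status` output in file $1: prints the count of processes that
# are unconfined but have a profile defined, naming each one on stderr.
unconfined_with_profile() {
    awk '
        /processes are unconfined but have a profile defined/ { n = $1; grab = 1; next }
        grab && /^[0-9]+ processes/ { grab = 0 }
        grab && /^ *\// { print "unconfined with profile:", $1 > "/dev/stderr" }
        END { print n + 0 }
    ' "$1"
}

# Classify one process from its /proc/<pid>/attr/current label (path in $1):
# exit 0 when confined, 1 when the label is literally "unconfined".
confinement_from_attr() {
    label=$(cat "$1" 2>/dev/null) || return 2
    case "$label" in
        unconfined*) echo "unconfined"; return 1 ;;
        *) echo "confined ($label)"; return 0 ;;
    esac
}

# Constructed aa-status excerpt shaped like the report's "bug not fixed" output.
sample_buggy_status() {
    cat <<'EOF'
5 processes have profiles defined.
4 processes are in enforce mode.
   /usr/sbin/cupsd (1234)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /sbin/dhclient (2345)
EOF
}

# Live use on a host: check_profile_link / ; aa-status > s.txt; unconfined_with_profile s.txt
# for p in $(pidof dhclient); do confinement_from_attr "/proc/$p/attr/current"; done
```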
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1067473/+subscriptions