From eeac8c11c935edf9eea2bed825af6c57e9fb52e3 Mon Sep 17 00:00:00 2001
From: Rich McAllister
Date: Tue, 31 Mar 2020 21:01:21 -0700
Subject: [PATCH] abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns

In focal users of mdns get denials in apparmor confined applications. An example can be found in the original bug below. It seems it is a common pattern, see https://github.com/lathiat/nss-mdns#etcmdnsallow

Therefore I'm asking to add /etc/mdns.allow r, to the file /etc/apparmor.d/abstractions/mdns by default.

--- original bug ---

Many repetitions of

audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0

in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains

hosts: files mdns [NOTFOUND=return] myhostname dns

and /etc/mdns.allow contains the domains to resolve with mDNS (in my case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.) Presumably chronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.

Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629
Signed-off-by: John Johansen
---
 profiles/apparmor.d/abstractions/mdns | 1 +
 1 file changed, 1 insertion(+)

diff --git a/profiles/apparmor.d/abstractions/mdns b/profiles/apparmor.d/abstractions/mdns
index 6cd842cff..89b199be5 100644
--- a/profiles/apparmor.d/abstractions/mdns
+++ b/profiles/apparmor.d/abstractions/mdns
@@ -9,6 +9,7 @@
 # ------------------------------------------------------------------
 # mdnsd
+ /etc/mdns.allow r,
 /etc/nss_mdns.conf r,
 @{run}/mdnsd w,
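Review bot: the new `/etc/mdns.allow r,` line lands under the `# mdnsd` comment, but as the commit message explains it is read by the libnss-mdns NSS module (the same component that reads the neighbouring `/etc/nss_mdns.conf`), not by the mdnsd daemon; a short comment such as `# nss-mdns domain allow-list, read via the name service switch` above the rule would document why every profile that includes this abstraction gets it. Granting read access is the right scope here: the denied_mask in the quoted audit line is `r` only, and the file is a list of domain suffixes rather than anything secret, so the rule does not widen the profile beyond what the NSS lookup path needs. Note that this fixes the chronyd denial only for profiles that include `abstractions/mdns`; whether the chrony package's profile already does is not shown in this patch, so the reporter's denial may need a follow-up there.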