UnivrslSuprBoxsbeattie: You've been subscribed to 2012949 as requested12:30
ahasenackhi #security, apparmor question. I have this kea-lfc profile, and it contains this bit: https://pastebin.ubuntu.com/p/ZqD5ZX5sQ6/13:11
ahasenackyou'll note a comment wondering about including <abstractions/nameservice> instead of those individual rules for resolv.conf, nsswitch.conf, etc13:11
ahasenackI looked at that abstraction, and it will also allow ldap stuff (because nsswitch -> nss_ldap -> ldap stuff)13:11
ahasenacka bug came in just now, where a user has an actual /etc/resolv.conf file which is not a symlink to the stub in /run/systemd/....13:12
ahasenackand the obvious fix is to allow /etc/resolv.conf r, too13:12
ahasenackbut now I'm wondering even more whether it's just not better to include that abstraction13:12
sdezielthere are many valid targets for `/etc/resolv.conf`13:13
sdezielsystemd-resolved provide 2 (stub being the default)13:13
ahasenackafaik systemd was the only one replacing resolv.conf with a symlink, am I mistaken?13:14
ahasenackI thought resolvconf just replaced the file entirely13:14
ahasenack(but I have never used it, tbh)13:14
sdezielresolvconf and openresolv come to mind13:16
sdezielthat said, neither are in lunar anymore so maybe you can get away without the abstraction :)13:17
ahasenackthe other thing about using an abstraction, is that I can benefit from improvements done to the abstraction13:18
ahasenackit's like a library13:18
ahasenackbut that nameservice abstractions really does include many others13:20
ahasenacknis, ldapclient, winbind, likewise (!), mdns, kerberosclient, nss-systemd13:20
ahasenacklikewise(-open), I think that was from lucid13:20
ahasenackback when we momentarily had a big push to ldapify things13:20
sdezielI personally always go with the abstraction but I'm curious to hear from #security as well :)13:22
sdezielahasenack: I didn't look at the full apparmor profile but if you don't include the `<abstractions/nameservice>` you probably need to allow the network bits to let the connection to the DNS server happen13:25
ahasenackone downside is that, if there is a problem with the abstraction, fixing that is going to be in a different package13:25
ahasenackI allow dgram, for udp13:26
ahasenackthe nameservice abstraction does allow that and more13:26
ahasenackstream also, for ipv4 and ipv613:26
ahasenackso maybe that's another reason to include the abstraction instead13:26
ahasenackok, I'm almost convinced13:27
sdezielahasenack: the user lookup also sometimes require the dbus rules13:27
ahasenackI wouldn't expect this user (a system user: _kea) to be in ldap or any other network-type of user db lookup, but I don't know about dbus being user for that13:32
ahasenackthat would be a systemd thing I suspect?13:32
ahasenackdynamic systemd users, for services?13:32
sdezielyeah, I'll try to dig up the bug I'm half remembering, sec13:33
sdezielahasenack: https://bugs.launchpad.net/snapd/+bug/186902413:34
-ubottu:#ubuntu-security- Launchpad bug 1869024 in apparmor (Ubuntu) "add support for DynamicUser feature of systemd" [High, Fix Released]13:34
ahasenack"The abstraction is meant to cover the client, not systemd internal specifics. A client simply accessing that DBus API won't need it and a client simply accessing those sockets won't need it."13:36
ahasenackmight not need it, though13:36
ahasenackor was that about boot_iod13:36
ahasenackor was that about boot_id13:36
sdezielhttps://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1796911 <= from you where bind/named would trip on this13:36
-ubottu:#ubuntu-security- Launchpad bug 1796911 in apparmor (Ubuntu) "libnss-systemd was denied talking to pid1" [High, Fix Released]13:36
ahasenackhuh, I filed that13:37
sdezielthat comment about the client not needing those doesn't apply here because kea is the daemon doing the UID change so causing the user lookup, no?13:38
ahasenackwe don't even have resolvconf anymore (going back to /etc/resolv.conf), but debian does13:40
ahasenackthis was a bug filed by a debian user against debian, btw13:40
ahasenackI'm monitoring the isc-kea debian bugs because my apparmor profile landed there too13:40
ahasenackok, install resolvconf in debian, and you get /etc/resolv.conf -> ../run/resolvconf/resolv.conf13:44
ahasenackwhich the nameservice abstraction covers13:45
ahasenackbut not my profile13:45

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!