
Bug#1029197: ip-transparent: yes is blocked by apparmor


Tiger!P

Jan 19, 2023, 8:40:03 AM
Package: unbound
Version: 1.17.0-1
Severity: normal
Tags: patch

Dear Maintainer,

* What led up to the situation?
I wanted to configure a static IPv6 address in unbound, but that is not
(always) available when booting the system. Therefore I enabled
ip-transparent in the server section.

* What exactly did you do (or not do) that was effective (or
ineffective)?

When I enabled 'ip-transparent: yes' in the server section, apparmor
blocked some capabilities when restarting unbound.

Jan 19 13:37:20 kernel: audit: type=1400 audit(1674131840.250:65): apparmor="DENIED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=13 capname="net_raw"
Jan 19 13:37:20 kernel: audit: type=1400 audit(1674131840.250:66): apparmor="DENIED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=12 capname="net_admin"


* What outcome did you expect instead?

I would have expected that unbound would not be blocked by apparmor and
would be able to use the ip-transparent option without issue.


-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-4-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unbound depends on:
ii adduser 3.130
ii init-system-helpers 1.65.2
ii libc6 2.36-8
ii libevent-2.1-7 2.1.12-stable-5+b1
ii libnghttp2-14 1.51.0-1
ii libprotobuf-c1 1.4.1-1+b1
ii libpython3.10 3.10.9-1
ii libssl3 3.0.7-1
ii libsystemd0 252.4-1
ii lsb-base 11.5
ii sysvinit-utils [lsb-base] 3.06-2

Versions of packages unbound recommends:
ii dns-root-data 2023010101

Versions of packages unbound suggests:
ii apparmor 3.0.8-1
ii openssl 3.0.7-1

-- no debconf information

unbound_apparmor_bug.txt
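The two audit lines above are the whole evidence of the problem, so a small parser for that AppArmor audit format is useful when triaging such reports. This is an added example, not code from the bug report or from the unbound/Debian packaging: it extracts the `key=value` fields, collects which capabilities each profile was DENIED, and renders the corresponding `capability` rules as a review aid for a local override (the `/etc/apparmor.d/local/...` path is an assumption about the Debian layout). The sample log lines are constructed from the report, plus one ALLOWED line to show that only denials are counted.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the bug report, plus an
# extra ALLOWED event to show that only DENIED 'capable' operations count.
SAMPLE_LOG = """\
Jan 19 13:37:20 kernel: audit: type=1400 audit(1674131840.250:65): apparmor="DENIED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=13 capname="net_raw"
Jan 19 13:37:20 kernel: audit: type=1400 audit(1674131840.250:66): apparmor="DENIED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=12 capname="net_admin"
Jan 19 13:37:21 kernel: audit: type=1400 audit(1674131841.001:67): apparmor="ALLOWED" operation="capable" profile="unbound" pid=1072585 comm="unbound" capability=10 capname="net_bind_service"
"""

# AppArmor audit fields are key="quoted value" or key=bare_value pairs.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    return {key: (quoted if quoted else bare) for key, quoted, bare in _KV_RE.findall(line)}

def denied_capabilities(log_text):
    """Map profile name -> sorted list of capability names that AppArmor denied."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get('apparmor') != 'DENIED' or f.get('operation') != 'capable':
            continue
        denied[f['profile']].add(f['capname'])
    return {profile: sorted(caps) for profile, caps in denied.items()}

def local_override_rules(denied):
    """Render one 'capability <name>,' rule per denied capability, grouped by profile.

    Intended as input for a human review of a local override such as
    /etc/apparmor.d/local/usr.sbin.unbound (path assumed), not for automatic use:
    granting net_admin/net_raw widens what the confined daemon may do.
    """
    lines = []
    for profile, caps in sorted(denied.items()):
        lines.append(f'# {profile}: capabilities denied in the audit log')
        lines.extend(f'  capability {cap},' for cap in caps)
    return '\n'.join(lines)

if __name__ == '__main__':
    print(local_override_rules(denied_capabilities(SAMPLE_LOG)))
```

Feed it `journalctl -k` output to check whether a denial is really capability-related before changing either the profile or the unbound configuration.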

Simon Deziel

Jan 19, 2023, 9:40:04 AM
On 2023-01-19 08:35, Tiger!P wrote:
> Package: unbound
> Version: 1.17.0-1
> Severity: normal
> Tags: patch
>
> Dear Maintainer,
>
> * What led up to the situation?
> I wanted to configure a static IPv6 address in unbound, but that is not
> (always) available when booting the system. Therefore I enabled
> ip-transparent in the server section.

On Linux, you can use "ip-freebind: yes" which doesn't require any
additional capability. Here's the man unbound.conf description snippet
for it:

> Allows you to bind to IP addresses that are nonlocal or do not exist,
> like when the network interface or IP address is down.

Works like a charm as I discovered 2 days ago when running into the same
situation as you (IPv6 not being present when unbound starts).

HTH,
Simon