
After upgrading to Ubuntu 24.04 I can't make any network connections, wired or wireless, with automatic DHCP enabled. I have traced the problem to AppArmor, which is logging the following denials in dmesg:

[ 3420.391018] audit: type=1400 audit(1717407527.425:349): apparmor="DENIED" operation="exec" class="file" profile="/{,usr/}sbin/dhclient" name="/usr/libexec/nm-dhcp-helper" pid=10351 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 3420.402616] audit: type=1400 audit(1717407527.437:350): apparmor="DENIED" operation="open" class="file" profile="/{,usr/}sbin/dhclient" name="/etc/hostid" pid=10342 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3420.553759] audit: type=1400 audit(1717407527.588:351): apparmor="DENIED" operation="exec" class="file" profile="/{,usr/}sbin/dhclient" name="/usr/libexec/nm-dhcp-helper" pid=10352 comm="dhclient" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

This is further confirmed by disabling the AppArmor profile /etc/apparmor.d/sbin.dhclient.

This is the contents of this profile:

# vim:syntax=apparmor
#include <tunables/global>

# Confinement for the ISC DHCP client. The profile name is a glob, so it
# attaches to both /sbin/dhclient and /usr/sbin/dhclient.
# attach_disconnected: files whose path is disconnected from the namespace
# root are still mediated (treated as relative to /) instead of being
# denied outright.
/{,usr/}sbin/dhclient flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>

  # Capabilities the client keeps: bind a privileged port, open raw/packet
  # sockets, bypass DAC file permission checks, configure interfaces.
  capability net_bind_service,
  capability net_raw,
  capability dac_override,
  capability net_admin,

  # DHCP discovery runs before the interface has an address, hence
  # packet/raw sockets rather than ordinary inet sockets.
  network packet,
  network raw,

  @{PROC}/[0-9]*/net/ r,
  @{PROC}/[0-9]*/net/** r,

  # dhclient wants to update its threads with functional names
  # https://gitlab.com/apparmor/apparmor/-/merge_requests/730
  # see LP: #1918410
  # 'owner' limits this to task entries owned by the process's own uid.
  owner @{PROC}/@{pid}/task/[0-9]*/comm rw,

  # m = map executable: needed to map the binary itself into memory.
  /{,usr/}sbin/dhclient mr,
  # LP: #1197484 and LP: #1202203 - why is this needed? :(
  /{,usr/}bin/bash mr,

  /etc/dhclient.conf r,
  /etc/dhcp/ r,
  /etc/dhcp/** r,

  # l = link, r = read, w = write on the lease and pid files.
  /var/lib/dhcp{,3}/dhclient* lrw,
  /{,var/}run/dhclient*.pid lrw,
  /{,var/}run/dhclient*.lease* lrw,

  # NetworkManager
  /{,var/}run/nm*conf r,
  /{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw,
  /{,var/}run/NetworkManager/dhclient*.pid lrw,
  /var/lib/NetworkManager/dhclient*.conf lrw,
  /var/lib/NetworkManager/dhclient*.lease* lrw,
  # Only NetworkManager may signal this process or inspect it via ptrace.
  signal (receive) peer=/usr/sbin/NetworkManager,
  ptrace (readby) peer=/usr/sbin/NetworkManager,

  # connman
  /{,var/}run/connman/dhclient*.pid lrw,
  /{,var/}run/connman/dhclient*.leases lrw,

  # synce-hal
  /usr/share/synce-hal/dhclient.conf r,

  # if there is a custom script, let it run unconfined
  # Ux = unconfined execute: the child gets no AppArmor mediation at all, so
  # this path must only be writable by root (see the note below on hooks).
  /etc/dhcp/dhclient-script Uxr,

  # The dhclient-script shell script sources other shell scripts rather than
  # executing them, so we can't just use a separate profile for dhclient-script
  # with 'Uxr' on the hook scripts. However, for the long-running dhclient3
  # daemon to run arbitrary code via /sbin/dhclient-script, it would need to be
  # able to subvert dhclient-script or write to the hooks.d directories. As
  # such, if the dhclient3 daemon is subverted, this effectively limits it to
  # only being able to run the hooks scripts.
  /{,usr/}sbin/dhclient-script                           Uxr,

  # Since dhclient doesn't provide the option to disable hooks, which is
  # desireable in some cases, executing /bin/true as the script file suffices
  # i = inherit: /bin/true keeps running under this same profile.
  /{,usr/}bin/true                                       ixr,

  # Run the ELF executables under their own unrestricted profiles
  # Px = transition to the discrete profile of the same name defined later in
  # this file (environment is scrubbed on the transition). The exec fails if
  # no profile with exactly that name is loaded.
  /usr/lib/NetworkManager/nm-dhcp-client.action   Pxrm,
  /usr/lib/connman/scripts/dhclient-script        Pxrm,

  # Support the new executable helper from NetworkManager.
  # The receive rule is the counterpart of 'signal (send)' in the helper's
  # own profile below.
  /usr/lib/NetworkManager/nm-dhcp-helper          Pxrm,
  signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/sbin.dhclient>
}

# Child profile for the older NetworkManager DHCP action helper; entered via
# the Px rule in the dhclient profile above.
/usr/lib/NetworkManager/nm-dhcp-client.action {
  #include <abstractions/base>
  #include <abstractions/dbus>
  /usr/lib/NetworkManager/nm-dhcp-client.action mr,

  # Read-only access to lease files; only NetworkManager may signal or
  # ptrace-read this process.
  /var/lib/NetworkManager/*lease r,
  signal (receive) peer=/usr/sbin/NetworkManager,
  ptrace (readby) peer=/usr/sbin/NetworkManager,
  # IPv4/IPv6 datagram (UDP) sockets only.
  network inet dgram,
  network inet6 dgram,
}

# Child profile for the NetworkManager DHCP helper; entered via the Px rule
# in the dhclient profile above.
/usr/lib/NetworkManager/nm-dhcp-helper {
  #include <abstractions/base>
  #include <abstractions/dbus>
  /usr/lib/NetworkManager/nm-dhcp-helper mr,

  # NetworkManager's private DHCP endpoint: read/write only, no create or
  # link. NOTE(review): assumed to be a socket path — not shown here.
  /run/NetworkManager/private-dhcp rw,
  # Counterpart of the 'signal (receive)' rule in the dhclient profile.
  signal (send) peer=/sbin/dhclient,

  # Read-only access to lease files; only NetworkManager may signal or
  # ptrace-read this process.
  /var/lib/NetworkManager/*lease r,
  signal (receive) peer=/usr/sbin/NetworkManager,
  ptrace (readby) peer=/usr/sbin/NetworkManager,
  # IPv4/IPv6 datagram (UDP) sockets only.
  network inet dgram,
  network inet6 dgram,
}

# Child profile for connman's DHCP script; entered via the Px rule in the
# dhclient profile above. No file access beyond the abstractions and its
# own binary; only datagram sockets.
/usr/lib/connman/scripts/dhclient-script {
  #include <abstractions/base>
  #include <abstractions/dbus>
  /usr/lib/connman/scripts/dhclient-script      mr,
  network inet dgram,
  network inet6 dgram,
}

My question is what do I need to change in this profile to correct the errors and allow automatic DHCP connection to work?

  • Title says Ubuntu 22.04 and the question asks about Ubuntu 24.04. Please correct it so that people know what to help you with.
    – David
    Commented Jun 3 at 13:36
  • Yes, sorry, now corrected. Commented Jun 3 at 14:18


I have answered my own question after dabbling with apparmor.

Fundamentally, it seems that during the wireless connection sequence dhclient executes /usr/libexec/nm-dhcp-helper (the "exec" denials in dmesg). The profile already grants this for /usr/lib/NetworkManager/nm-dhcp-helper, so I duplicated those rules, replacing /usr/lib/NetworkManager with /usr/libexec. In addition, a read of /etc/hostid is attempted (the "open" denial), for which there is no rule, so I added one.

For actually finding the fault, the denials can be viewed with dmesg. What is extremely useful is being able to set a profile to 'complain' instead of 'enforce' using apparmor-utils (sudo apt install apparmor-utils): in complain mode the violations are logged but not blocked, so every missing rule shows up in one pass. The commands are

aa-complain {path-to-profile} to switch to complain mode, and aa-enforce {path-to-profile} to switch back once finished.

After changes the profile must be reloaded with

sudo systemctl reload apparmor.service.

I can't explain what this profile does line by line, other than the permission flags, which are documented and largely self-evident, e.g. r = read, x = execute.

Here is the modified /etc/apparmor.d/sbin.dhclient profile, with the bits I added highlighted with ====== lines (3 blocks).

# vim:syntax=apparmor
#include <tunables/global>

# Confinement for the ISC DHCP client. The profile name is a glob, so it
# attaches to both /sbin/dhclient and /usr/sbin/dhclient.
# attach_disconnected: files whose path is disconnected from the namespace
# root are still mediated (treated as relative to /) instead of being
# denied outright.
/{,usr/}sbin/dhclient flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>

  # Capabilities the client keeps: bind a privileged port, open raw/packet
  # sockets, bypass DAC file permission checks, configure interfaces.
  capability net_bind_service,
  capability net_raw,
  capability dac_override,
  capability net_admin,

  # DHCP discovery runs before the interface has an address, hence
  # packet/raw sockets rather than ordinary inet sockets.
  network packet,
  network raw,

  @{PROC}/[0-9]*/net/ r,
  @{PROC}/[0-9]*/net/** r,

  # dhclient wants to update its threads with functional names
  # https://gitlab.com/apparmor/apparmor/-/merge_requests/730
  # see LP: #1918410
  # 'owner' limits this to task entries owned by the process's own uid.
  owner @{PROC}/@{pid}/task/[0-9]*/comm rw,

  # m = map executable: needed to map the binary itself into memory.
  /{,usr/}sbin/dhclient mr,
  # LP: #1197484 and LP: #1202203 - why is this needed? :(
  /{,usr/}bin/bash mr,

  /etc/dhclient.conf r,
  /etc/dhcp/ r,
  /etc/dhcp/** r,

  # l = link, r = read, w = write on the lease and pid files.
  /var/lib/dhcp{,3}/dhclient* lrw,
  /{,var/}run/dhclient*.pid lrw,
  /{,var/}run/dhclient*.lease* lrw,

  # NetworkManager
  /{,var/}run/nm*conf r,
  /{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw,
  /{,var/}run/NetworkManager/dhclient*.pid lrw,
  /var/lib/NetworkManager/dhclient*.conf lrw,
  /var/lib/NetworkManager/dhclient*.lease* lrw,
  # Only NetworkManager may signal this process or inspect it via ptrace.
  signal (receive) peer=/usr/sbin/NetworkManager,
  ptrace (readby) peer=/usr/sbin/NetworkManager,

  # connman
  /{,var/}run/connman/dhclient*.pid lrw,
  /{,var/}run/connman/dhclient*.leases lrw,

  # synce-hal
  /usr/share/synce-hal/dhclient.conf r,

  # if there is a custom script, let it run unconfined
  # Ux = unconfined execute: the child gets no AppArmor mediation at all, so
  # this path must only be writable by root (see the note below on hooks).
  /etc/dhcp/dhclient-script Uxr,

  # The dhclient-script shell script sources other shell scripts rather than
  # executing them, so we can't just use a separate profile for dhclient-script
  # with 'Uxr' on the hook scripts. However, for the long-running dhclient3
  # daemon to run arbitrary code via /sbin/dhclient-script, it would need to be
  # able to subvert dhclient-script or write to the hooks.d directories. As
  # such, if the dhclient3 daemon is subverted, this effectively limits it to
  # only being able to run the hooks scripts.
  /{,usr/}sbin/dhclient-script                           Uxr,

  # Since dhclient doesn't provide the option to disable hooks, which is
  # desireable in some cases, executing /bin/true as the script file suffices
  # i = inherit: /bin/true keeps running under this same profile.
  /{,usr/}bin/true                                       ixr,

  # Run the ELF executables under their own unrestricted profiles
  # Px = transition to the discrete profile of the same name defined later in
  # this file (environment is scrubbed on the transition). The exec fails if
  # no profile with exactly that name is loaded.
  /usr/lib/NetworkManager/nm-dhcp-client.action   Pxrm,
  /usr/lib/connman/scripts/dhclient-script        Pxrm,

  # Support the new executable helper from NetworkManager.
  # The receive rule is the counterpart of 'signal (send)' in the helper's
  # own profile below.
  /usr/lib/NetworkManager/nm-dhcp-helper          Pxrm,
  signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,

  # =========================================================================
  # Added GJB 2024-04-06 for network DHCP problem
  # NOTE(review): this date differs from the other two additions
  # (2024-06-04) — possibly transposed.
  # Same Px transition as the /usr/lib path above: the helper is now executed
  # from /usr/libexec (per the dmesg DENIED lines), so a child profile with
  # exactly this name must exist further down or the exec is still denied.
  /usr/libexec/nm-dhcp-helper                     Pxrm,
  signal (receive) peer=/usr/libexec/nm-dhcp-helper,
  # =========================================================================

  # Site-specific additions and overrides. See local/README for details.
  #include <local/sbin.dhclient>

  # =========================================================================
  # Added GJB 2024-06-04 for network DHCP problem
  # Plain read of /etc/hostid, matching the "open" denial in dmesg.
  # NOTE(review): rules like this belong in the local include just above
  # rather than in the packaged file, so that a package update presumably
  # does not replace them; the profile must be reloaded either way.
  /etc/hostid                                    r,
  # =========================================================================
}

# Child profile for the older NetworkManager DHCP action helper; entered via
# the Px rule in the dhclient profile above.
/usr/lib/NetworkManager/nm-dhcp-client.action {
  #include <abstractions/base>
  #include <abstractions/dbus>
  /usr/lib/NetworkManager/nm-dhcp-client.action mr,

  # Read-only access to lease files; only NetworkManager may signal or
  # ptrace-read this process.
  /var/lib/NetworkManager/*lease r,
  signal (receive) peer=/usr/sbin/NetworkManager,
  ptrace (readby) peer=/usr/sbin/NetworkManager,
  # IPv4/IPv6 datagram (UDP) sockets only.
  network inet dgram,
  network inet6 dgram,
}

# Child profile for the NetworkManager DHCP helper at its old path; entered
# via the Px rule in the dhclient profile above.
/usr/lib/NetworkManager/nm-dhcp-helper {
  #include <abstractions/base>
  #include <abstractions/dbus>
  /usr/lib/NetworkManager/nm-dhcp-helper mr,

  # NetworkManager's private DHCP endpoint: read/write only, no create or
  # link. NOTE(review): assumed to be a socket path — not shown here.
  /run/NetworkManager/private-dhcp rw,
  # Counterpart of the 'signal (receive)' rule in the dhclient profile.
  signal (send) peer=/sbin/dhclient,

  # Read-only access to lease files; only NetworkManager may signal or
  # ptrace-read this process.
  /var/lib/NetworkManager/*lease r,
  signal (receive) peer=/usr/sbin/NetworkManager,
  ptrace (readby) peer=/usr/sbin/NetworkManager,
  # IPv4/IPv6 datagram (UDP) sockets only.
  network inet dgram,
  network inet6 dgram,
}

# ========================================================================
# Added GJB 2024-06-04 for network DHCP problem 

# Child profile for the NetworkManager DHCP helper at its /usr/libexec path
# (the one the dmesg denials show being executed). Rule-for-rule copy of the
# /usr/lib/NetworkManager/nm-dhcp-helper profile above, so the helper stays
# confined to the same small set of accesses rather than running unconfined.
# Entered via the added Px rule in the dhclient profile.
/usr/libexec/nm-dhcp-helper {
  #include <abstractions/base>
  #include <abstractions/dbus>
  /usr/libexec/nm-dhcp-helper mr,

  # NetworkManager's private DHCP endpoint: read/write only, no create or
  # link. NOTE(review): assumed to be a socket path — not shown here.
  /run/NetworkManager/private-dhcp rw,
  # Counterpart of the 'signal (receive)' rule in the dhclient profile.
  signal (send) peer=/sbin/dhclient,

  # Read-only access to lease files; only NetworkManager may signal or
  # ptrace-read this process.
  /var/lib/NetworkManager/*lease r,
  signal (receive) peer=/usr/sbin/NetworkManager,
  ptrace (readby) peer=/usr/sbin/NetworkManager,
  # IPv4/IPv6 datagram (UDP) sockets only.
  network inet dgram,
  network inet6 dgram,
}
# ==========================================================================

# Child profile for connman's DHCP script; entered via the Px rule in the
# dhclient profile above. No file access beyond the abstractions and its
# own binary; only datagram sockets.
/usr/lib/connman/scripts/dhclient-script {
  #include <abstractions/base>
  #include <abstractions/dbus>
  /usr/lib/connman/scripts/dhclient-script      mr,
  network inet dgram,
  network inet6 dgram,
}
