Add back the AppArmorm stuff that is probabl necessary

bukka · bukka · commit 0b0ce3cde00a · 2025-07-28T14:06:33.000+02:00
diff --git a/ext/standard/tests/dns/bind-start.sh b/ext/standard/tests/dns/bind-start.sh
@@ -10,6 +10,12 @@ NAMED_CONF="$SCRIPT_DIR/named.conf"
 PID_FILE="$ZONES_DIR/named.pid"
 LOG_FILE="$SCRIPT_DIR/named.log"
 
+# Debug: show current user and permissions
+echo "Debug: Current user: $(whoami)"
+echo "Debug: Current UID: $(id -u)"
+echo "Debug: Script dir: $SCRIPT_DIR"
+echo "Debug: Zones dir: $ZONES_DIR"
+
 # Default mode: background
 FOREGROUND=false
 if [[ "${1:-}" == "-f" ]]; then
@@ -81,6 +87,22 @@ sed -e "s|@ZONES_DIR@|$ZONES_DIR|g" \
     -e "s|@LISTEN_ADDRESS@|$LISTEN_ADDRESS|g" \
     "$NAMED_CONF_TEMPLATE" > "$NAMED_CONF"
 
+# Ensure the generated config file is readable
+chmod 644 "$NAMED_CONF"
+
+# Debug: Check if the file is actually readable
+echo "Debug: Testing config file readability:"
+if [[ -r "$NAMED_CONF" ]]; then
+    echo "Debug: Config file is readable"
+else
+    echo "Debug: Config file is NOT readable"
+    ls -la "$NAMED_CONF"
+    exit 1
+fi
+
+# Ensure the generated config file is readable
+chmod 644 "$NAMED_CONF"
+
 # Determine the best user to run BIND as (do this early)
 echo "Debug: Determining user for BIND..."
 
@@ -100,6 +122,74 @@ else
   echo "Debug: Will run BIND as current user: $BIND_USER"
 fi
 
+# Handle AppArmor if present
+if [[ -f /etc/apparmor.d/usr.sbin.named ]]; then
+  echo "Debug: AppArmor profile detected, disabling it..."
+  
+  # Install apparmor-utils if not present
+  if ! command -v aa-disable >/dev/null 2>&1; then
+    echo "Debug: Installing apparmor-utils..."
+    apt-get update -qq
+    apt-get install -y apparmor-utils
+  fi
+  
+  # Disable the profile
+  aa-disable /usr/sbin/named 2>/dev/null || echo "Failed to disable AppArmor profile"
+  
+  echo "Debug: AppArmor status:"
+  aa-status 2>/dev/null | grep named || echo "No named profile found (good!)"
+else
+  echo "Debug: No AppArmor profile found for named"
+fi
+
+# Enhanced AppArmor handling
+if [[ -f /etc/apparmor.d/usr.sbin.named ]]; then
+  echo "Debug: AppArmor profile detected, attempting comprehensive bypass..."
+  
+  # Install apparmor-utils if not present
+  if ! command -v aa-complain >/dev/null 2>&1; then
+    echo "Debug: Installing apparmor-utils..."
+    apt-get update -qq
+    apt-get install -y apparmor-utils
+  fi
+  
+  # Check initial status
+  echo "Debug: Initial AppArmor status for named:"
+  aa-status 2>/dev/null | grep named || echo "No named profile in initial aa-status"
+  
+  # Try complain mode first
+  echo "Debug: Setting to complain mode..."
+  aa-complain /usr/sbin/named 2>/dev/null || echo "Failed to set AppArmor to complain mode"
+  
+  # Check what mode it's actually in
+  echo "Debug: AppArmor profile mode after complain:"
+  cat /sys/kernel/security/apparmor/profiles 2>/dev/null | grep named || echo "No named in profiles"
+  
+  # Try to completely disable it
+  echo "Debug: Attempting to disable AppArmor profile completely..."
+  aa-disable /usr/sbin/named 2>/dev/null || echo "Failed to disable AppArmor profile"
+  
+  # Alternative disable method
+  echo "Debug: Trying alternative disable method..."
+  ln -sf /etc/apparmor.d/usr.sbin.named /etc/apparmor.d/disable/ 2>/dev/null || echo "Symlink method failed"
+  
+  # Unload from kernel
+  if command -v apparmor_parser >/dev/null 2>&1; then
+    echo "Debug: Unloading profile from kernel..."
+    apparmor_parser -R /etc/apparmor.d/usr.sbin.named 2>/dev/null || echo "Failed to unload profile"
+  fi
+  
+  # Final status check
+  echo "Debug: Final AppArmor status:"
+  aa-status 2>/dev/null | grep named || echo "No named profile found (good!)"
+  
+elif [ -d /etc/apparmor.d/ ]; then
+  echo "Debug: AppArmor directory exists but no named profile found:"
+  ls /etc/apparmor.d/ | grep -i named || echo "No named-related profiles"
+else
+  echo "Debug: No AppArmor directory found"
+fi
+
 echo "Debug: Generated named.conf contents:"
 cat "$NAMED_CONF"
 
@@ -142,11 +232,103 @@ else
   echo "Debug: Setting up permissions for user: $BIND_USER..."
   
   # Ensure files are readable by the chosen user
-  if [[ "$BIND_USER" != "$(whoami)" ]]; then
-    # If we're running as a different user, ensure group/other permissions
-    chmod 644 "$NAMED_CONF" "$ZONES_DIR"/*.zone
-    chmod 755 "$SCRIPT_DIR" "$ZONES_DIR"
+  chmod 644 "$NAMED_CONF" "$ZONES_DIR"/*.zone
+  chmod 755 "$SCRIPT_DIR" "$ZONES_DIR"
+  
+  echo "Debug: File permissions after setup:"
+  ls -la "$NAMED_CONF" "$ZONES_DIR"/*.zone
+  
+  echo "Debug: Directory permissions:"
+  ls -ld "$SCRIPT_DIR" "$ZONES_DIR"
+  
+  # Test if the chosen user can actually read the config file
+  echo "Debug: Testing $BIND_USER access to config file:"
+  if [[ "$BIND_USER" == "$(whoami)" ]]; then
+    # Same user, test directly
+    if test -r "$NAMED_CONF"; then
+      echo "Debug: $BIND_USER CAN read config file"
+    else
+      echo "Debug: $BIND_USER CANNOT read config file"
+    fi
+  else
+    # Different user, test with sudo
+    if sudo -u "$BIND_USER" test -r "$NAMED_CONF" 2>/dev/null; then
+      echo "Debug: $BIND_USER CAN read config file"
+    else
+      echo "Debug: $BIND_USER CANNOT read config file"
+      echo "Debug: Checking what $BIND_USER sees:"
+      sudo -u "$BIND_USER" ls -la "$NAMED_CONF" 2>&1 || echo "$BIND_USER cannot stat the file"
+    fi
+  fi
+  
+  echo "Debug: File permissions after setup:"
+  ls -la "$NAMED_CONF" "$ZONES_DIR"/*.zone
+  
+  echo "Debug: Directory permissions:"
+  ls -ld "$SCRIPT_DIR" "$ZONES_DIR"
+  
+  # Test if the chosen user can actually read the config file
+  echo "Debug: Testing $BIND_USER access to config file:"
+  if [[ "$BIND_USER" == "$(whoami)" ]]; then
+    # Same user, test directly
+    if test -r "$NAMED_CONF"; then
+      echo "Debug: $BIND_USER CAN read config file"
+    else
+      echo "Debug: $BIND_USER CANNOT read config file"
+    fi
+  else
+    # Different user, test with sudo
+    if sudo -u "$BIND_USER" test -r "$NAMED_CONF" 2>/dev/null; then
+      echo "Debug: $BIND_USER CAN read config file"
+    else
+      echo "Debug: $BIND_USER CANNOT read config file"
+      echo "Debug: Checking what $BIND_USER sees:"
+      sudo -u "$BIND_USER" ls -la "$NAMED_CONF" 2>&1 || echo "$BIND_USER cannot stat the file"
+    fi
+  fi
+
+  # Check IPv4/IPv6 configuration with fallbacks
+  echo "Debug: Network configuration check:"
+  echo "Debug: localhost resolution:"
+  getent hosts localhost 2>/dev/null || echo "localhost not found in hosts"
+  
+  echo "Debug: 127.0.0.1 resolution:"
+  getent hosts 127.0.0.1 2>/dev/null || echo "127.0.0.1 not found"
+  
+  echo "Debug: Available IP addresses:"
+  if command -v ip >/dev/null 2>&1; then
+    ip addr show lo 2>/dev/null || echo "Failed to show loopback interface with ip"
+  else
+    ifconfig lo 2>/dev/null || echo "Failed to show loopback interface with ifconfig"
+  fi
+  
+  echo "Debug: Can we reach 127.0.0.1?"
+  ping -c 1 127.0.0.1 >/dev/null 2>&1 && echo "127.0.0.1 is reachable" || echo "127.0.0.1 is NOT reachable"
+  
+  echo "Debug: Can we reach ::1?"
+  if command -v ping6 >/dev/null 2>&1; then
+    ping6 -c 1 ::1 >/dev/null 2>&1 && echo "::1 is reachable" || echo "::1 is NOT reachable"
+  else
+    ping -6 -c 1 ::1 >/dev/null 2>&1 && echo "::1 is reachable (via ping -6)" || echo "::1 is NOT reachable"
+  fi
+  
+  # Check what's listening on port 53
+  echo "Debug: Processes listening on port 53:"
+  if command -v ss >/dev/null 2>&1; then
+    ss -tulpn 2>/dev/null | grep ':53' || echo "Debug: No processes found on port 53 (ss)"
+  else
+    netstat -tulpn 2>/dev/null | grep ':53' || echo "Debug: No processes found on port 53 (netstat)"
   fi
+  
+  echo "Debug: systemd-resolved status:"
+  systemctl is-active systemd-resolved 2>/dev/null || echo "systemd-resolved not active"
+
+  # Monitor AppArmor denials in background
+  echo "Debug: Starting AppArmor denial monitoring..."
+  (timeout 15 tail -f /var/log/syslog 2>/dev/null | grep "apparmor.*DENIED" | head -10 &) || echo "Could not start syslog monitoring"
+
+  # Use the determined user
+  echo "Debug: Using determined user: $BIND_USER"
 
   # Run named and capture both stdout and stderr separately
   echo "Debug: Starting named as user: $BIND_USER..."
@@ -158,6 +340,14 @@ else
     echo "Debug: Log file contents:"
     cat "$LOG_FILE" 2>/dev/null || echo "No log file found"
     
+    # Show any AppArmor denials
+    echo "Debug: Checking for AppArmor denials:"
+    grep "apparmor.*DENIED.*named" /var/log/syslog 2>/dev/null | tail -10 || echo "No AppArmor denials found in syslog"
+    
+    # Show general AppArmor messages
+    echo "Debug: Recent AppArmor messages for named:"
+    grep "apparmor.*named" /var/log/syslog 2>/dev/null | tail -10 || echo "No AppArmor messages found"
+    
     # Try to run named with more verbose output
     echo "Debug: Trying to run named in foreground for better error output:"
     timeout 5 named -c "$NAMED_CONF" -p 53 -u "$BIND_USER" -g -d 1 || echo "Foreground attempt timed out or failed"
@@ -197,5 +387,9 @@ else
     echo "No log file found at $LOG_FILE"
   fi
 
+  # Final AppArmor check
+  echo "Debug: Final AppArmor denial check:"
+  grep "apparmor.*DENIED.*named" /var/log/syslog 2>/dev/null | tail -5 || echo "No final AppArmor denials found"
+
   exit 1
-fi
+fi
