In the above regression we have

  lxd-ns0_</var/snap/lxd/common/lxd>//&:root//lxd-ns0_<var-snap-lxd-common-lxd>://unconfined

transitioning to

  lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd//&:root//lxd-ns0_<var-snap-lxd-common-lxd>:///usr/sbin/nsd

This is not a strict subset of profiles; however, the unconfined exception needs to be taken into account when nnp is set. There is a bug in the subset test, so that the unconfined exception is not being handled correctly. This affects all kernels, though to different degrees. Kernels before the patch for bug 1839037 have this bug, but because of where the unconfined exception is tested (at the profile transition) it happens to work in this case. Other cases can be contrived where the transition will fail. Reverting the patch in bug 1839037 will fix the regression for this particular case.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1844186

Title:
  [regression] NoNewPrivileges incompatible with Apparmor

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Description:

  Host: Bionic 64 bit with GA kernel (4.15)
  Container: Bionic 64 bit

  The container runs a binary (/usr/sbin/nsd) locked by an Apparmor profile. The systemd service is configured with NoNewPrivileges=yes.

    # systemctl show nsd | grep ^NoNew
    NoNewPrivileges=yes

  This setup worked fine with 4.15.0-58-generic and before but stopped working with the 4.15.0-60-generic update.
  When running the bogus kernel, starting the nsd service fails and the following is logged in the host's dmesg:

    audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_</var/snap/lxd/common/lxd>" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"
    audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"

  Disabling the Apparmor profile OR setting NoNewPrivileges=no in the container makes it work again.

  I checked with a couple of kernels:

    4.15.0-52-generic works
    4.15.0-58-generic works
    4.15.0-60-generic is broken

  The 5.0 HWE kernel has always been broken it seems:

    5.0.0-15-generic is broken
    5.0.0-17-generic is broken
    5.0.0-20-generic is broken
    5.0.0-23-generic is broken
    5.0.0-25-generic is broken
    5.0.0-27-generic is broken

  I have another similar setup but using Xenial host/container and it broke in a similar fashion where 4.4.0-159-generic works but 4.4.0-161-generic is broken.

  Additional information:

    # lsb_release -rd
    Description:    Ubuntu 18.04.3 LTS
    Release:        18.04

    # apt-cache policy nsd
    nsd:
      Installed: 4.1.26-1ubuntu0.18.04.1~ppa2
      Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2
      Version table:
     *** 4.1.26-1ubuntu0.18.04.1~ppa2 500
            500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main amd64 Packages
            100 /var/lib/dpkg/status
         4.1.17-1build1 500
            500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

  nsd comes from a custom backport; this should be irrelevant.
  nsd's custom Apparmor profile: https://paste.ubuntu.com/p/BB3ZYzH8WQ/

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-60-generic 4.15.0-60.67
  ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
  Uname: Linux 5.0.0-27-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  AlsaDevices:
   total 0
   crw-rw---- 1 root audio 116,  1 Sep 16 18:02 seq
   crw-rw---- 1 root audio 116, 33 Sep 16 18:02 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
  ApportVersion: 2.20.9-0ubuntu7.7
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
  CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
  Date: Mon Sep 16 18:14:02 2019
  InstallationDate: Installed on 2019-08-22 (24 days ago)
  InstallationMedia: Ubuntu-Server 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
  MachineType: Dell Inc. Inspiron 530s
  PciMultimedia:
  ProcEnviron:
   LANG=en_US.UTF-8
   SHELL=/bin/bash
   TERM=xterm-256color
   PATH=(custom, no user)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.0.0-27-generic root=UUID=7c11931f-ee1e-4d07-bc03-d167b9c39ef0 ro apt-setup/restricted=false apt-setup/multiverse=false kaslr nmi_watchdog=0 nr_cpus=2 pti=on vsyscall=none
  RelatedPackageVersions:
   linux-restricted-modules-5.0.0-27-generic N/A
   linux-backports-modules-5.0.0-27-generic  N/A
   linux-firmware                            1.173.9
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/24/2009
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: 1.0.18
  dmi.board.name: 0RY007
  dmi.board.vendor: Dell Inc.
  dmi.chassis.type: 3
  dmi.chassis.vendor: Dell Inc.
  dmi.chassis.version: OEM
  dmi.modalias: dmi:bvnDellInc.:bvr1.0.18:bd02/24/2009:svnDellInc.:pnInspiron530s:pvr:rvnDellInc.:rn0RY007:rvr:cvnDellInc.:ct3:cvrOEM:
  dmi.product.name: Inspiron 530s
  dmi.sys.vendor: Dell Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1844186/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
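The comment above says the transition is "not a strict subset of profiles" yet should be allowed once the unconfined exception is applied. The script below is an added illustration, not code from the bug thread or from the AppArmor kernel module: it parses the two dmesg denial lines quoted in the report, then models the no_new_privs rule on stacked labels in simplified :namespace:profile notation. The labels OLD_LABEL and NEW_LABEL are constructed from the report's audit lines, and the rule itself is a simplified model (a stacked label is treated as a set of profile components; adding a component only removes permissions, so the new label must keep every old component except one that was unconfined).

```python
import re
from typing import Dict, List, Set

# The two denial lines from the bug report's dmesg output (as quoted in the report).
AUDIT_LINES = [
    'audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" '
    'info="no new privs" error=-1 profile="lxd-ns0_</var/snap/lxd/common/lxd>" '
    'name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" '
    'fsuid=1065536 ouid=1065536 '
    'target="lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"',
    'audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" '
    'info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" '
    'profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" '
    'denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"',
]

# Labels constructed from the report, in simplified :namespace:profile notation:
# the task runs under the host's lxd profile stacked with "unconfined" inside the
# container's namespace; exec of nsd replaces that unconfined component.
OLD_LABEL = "lxd-ns0_</var/snap/lxd/common/lxd>//&:root//lxd-ns0_<var-snap-lxd-common-lxd>:unconfined"
NEW_LABEL = "lxd-ns0_</var/snap/lxd/common/lxd>//&:root//lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"

# key="quoted value" or key=bareword, as emitted by the AppArmor audit subsystem.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line: str) -> Dict[str, str]:
    """Turn one AppArmor audit line into a key/value dict."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def nnp_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only exec denials that the kernel attributes to no_new_privs."""
    return [ev for ev in map(parse_audit, lines)
            if ev.get("apparmor") == "DENIED" and ev.get("info") == "no new privs"]


def split_label(label: str) -> Set[str]:
    """A stacked label 'A//&B' is modelled as the set of profiles {A, B}."""
    return set(label.split("//&"))


def is_unconfined(component: str) -> bool:
    """True for 'unconfined' with or without a ':namespace:' (or ':namespace://') prefix."""
    return component.rsplit(":", 1)[-1].lstrip("/") == "unconfined"


def strict_subset_ok(old: str, new: str) -> bool:
    """Plain subset rule: the new label's permissions may not exceed the old label's,
    which for a stack means every old profile component must still be present."""
    return split_label(old) <= split_label(new)


def nnp_transition_ok(old: str, new: str) -> bool:
    """Subset rule with the unconfined exception: an old component that was unconfined
    may be replaced, since replacing unconfined with any profile only drops permissions."""
    new_set = split_label(new)
    return all(comp in new_set or is_unconfined(comp) for comp in split_label(old))


def main() -> None:
    for ev in nnp_denials(AUDIT_LINES):
        ns = ev.get("namespace", "root")
        print(f"nnp denial in namespace {ns}: {ev['profile']} -> {ev['target']}")
    print("strict subset test:", strict_subset_ok(OLD_LABEL, NEW_LABEL))
    print("with unconfined exception:", nnp_transition_ok(OLD_LABEL, NEW_LABEL))


if __name__ == "__main__":
    main()
```

Run stand-alone, the strict test reports False for the report's transition while the version with the unconfined exception reports True, which is the behaviour the comment describes; dropping a confined component (for example going from NEW_LABEL back to the host profile alone) is refused by both versions.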