Thanks for working on this. I'll be happy to test whatever you come up with on Xenial/Bionic (4.4, 4.15 and 5.0 kernels) machines.
-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1844186

Title:
  [regression] NoNewPrivileges incompatible with Apparmor

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Description:

  Host: Bionic 64 bit with GA kernel (4.15)
  Container: Bionic 64 bit

  The container runs a binary (/usr/sbin/nsd) locked by an Apparmor
  profile. The systemd service is configured with NoNewPrivileges=yes.

  # systemctl show nsd | grep ^NoNew
  NoNewPrivileges=yes

  This setup worked fine with 4.15.0-58-generic and before but stopped
  working with the 4.15.0-60-generic update. When running the bogus
  kernel, starting the nsd service fails and the following is logged in
  the host's dmesg:

  audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_</var/snap/lxd/common/lxd>" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"
  audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"

  Disabling the Apparmor profile OR setting NoNewPrivileges=no in the
  container makes it work again.
  I checked with a couple of kernels:

  4.15.0-52-generic works
  4.15.0-58-generic works
  4.15.0-60-generic is broken

  The 5.0 HWE kernel has always been broken it seems:

  5.0.0-15-generic is broken
  5.0.0-17-generic is broken
  5.0.0-20-generic is broken
  5.0.0-23-generic is broken
  5.0.0-25-generic is broken
  5.0.0-27-generic is broken

  I have another similar setup but using Xenial host/container and it
  broke in a similar fashion where 4.4.0-159-generic works but
  4.4.0-161-generic is broken.

  Additional information:

  # lsb_release -rd
  Description:    Ubuntu 18.04.3 LTS
  Release:        18.04

  # apt-cache policy nsd
  nsd:
    Installed: 4.1.26-1ubuntu0.18.04.1~ppa2
    Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2
    Version table:
   *** 4.1.26-1ubuntu0.18.04.1~ppa2 500
          500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main amd64 Packages
          100 /var/lib/dpkg/status
       4.1.17-1build1 500
          500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

  nsd comes from a custom backport; this should be irrelevant.

  nsd's custom Apparmor profile: https://paste.ubuntu.com/p/BB3ZYzH8WQ/

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-60-generic 4.15.0-60.67
  ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
  Uname: Linux 5.0.0-27-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  AlsaDevices:
   total 0
   crw-rw---- 1 root audio 116,  1 Sep 16 18:02 seq
   crw-rw---- 1 root audio 116, 33 Sep 16 18:02 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
  ApportVersion: 2.20.9-0ubuntu7.7
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
  CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
  Date: Mon Sep 16 18:14:02 2019
  InstallationDate: Installed on 2019-08-22 (24 days ago)
  InstallationMedia: Ubuntu-Server 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
  MachineType: Dell Inc. Inspiron 530s
  PciMultimedia:
  ProcEnviron:
   LANG=en_US.UTF-8
   SHELL=/bin/bash
   TERM=xterm-256color
   PATH=(custom, no user)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.0.0-27-generic root=UUID=7c11931f-ee1e-4d07-bc03-d167b9c39ef0 ro apt-setup/restricted=false apt-setup/multiverse=false kaslr nmi_watchdog=0 nr_cpus=2 pti=on vsyscall=none
  RelatedPackageVersions:
   linux-restricted-modules-5.0.0-27-generic N/A
   linux-backports-modules-5.0.0-27-generic  N/A
   linux-firmware                            1.173.9
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/24/2009
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: 1.0.18
  dmi.board.name: 0RY007
  dmi.board.vendor: Dell Inc.
  dmi.chassis.type: 3
  dmi.chassis.vendor: Dell Inc.
  dmi.chassis.version: OEM
  dmi.modalias: dmi:bvnDellInc.:bvr1.0.18:bd02/24/2009:svnDellInc.:pnInspiron530s:pvr:rvnDellInc.:rn0RY007:rvr:cvnDellInc.:ct3:cvrOEM:
  dmi.product.name: Inspiron 530s
  dmi.sys.vendor: Dell Inc.
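The report's diagnostic signal is the pair of AppArmor audit records with operation="exec" and info="no new privs", which is easy to miss in a busy host dmesg. The following Python triage helper is an added example, not code from the bug report, from nsd, or from the kernel/AppArmor projects: it parses AppArmor audit lines into their key=value fields and picks out exactly those exec denials, reporting the confined profile, the binary and the profile transition (the target= field) that was refused so an operator can decide whether the unit's NoNewPrivileges= setting or the profile's exec rule is the thing to adjust. The sample input consists of the two audit lines quoted above plus one constructed DENIED open record that must not match; the regex and the field names it keys on are the standard ones in AppArmor audit output.

```python
import re
from typing import Dict, Iterable, List

# Sample dmesg excerpt (constructed for this example): the first two records are
# the ones quoted in the bug report; the third is a made-up DENIED open that the
# filter must ignore because it is not a no_new_privs exec refusal.
SAMPLE_DMESG = """\
audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_</var/snap/lxd/common/lxd>" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"
audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"
audit: type=1400 audit(1568387900.000:75): apparmor="DENIED" operation="open" profile="lxd-ns0_</var/snap/lxd/common/lxd>" name="/etc/nsd/nsd.conf" pid=8570 comm="nsd" requested_mask="r" denied_mask="r" fsuid=1065536 ouid=1065536
"""

# key=value tokens; a value is either a double-quoted string (which may contain
# spaces and backslash escapes) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one AppArmor audit record into a dict of its key=value fields.
    Surrounding double quotes are stripped from quoted values."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_nnp_exec_denial(fields: Dict[str, str]) -> bool:
    """The signature from the report: an exec that AppArmor refused because
    the calling task has no_new_privs set (systemd NoNewPrivileges=yes)."""
    return (fields.get("apparmor") == "DENIED"
            and fields.get("operation") == "exec"
            and fields.get("info") == "no new privs")


def find_nnp_exec_denials(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one summary dict per matching record: which confined task tried
    to exec which binary, and which profile transition was refused."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        if 'apparmor="DENIED"' not in line:
            continue  # cheap pre-filter before the regex pass
        f = parse_audit_line(line)
        if is_nnp_exec_denial(f):
            hits.append({
                "pid": f.get("pid", "?"),
                "profile": f.get("profile", "?"),
                "name": f.get("name", "?"),
                "target": f.get("target", "?"),       # profile the exec would have entered
                "namespace": f.get("namespace", ""),  # set when the denial is inside a policy namespace
            })
    return hits


def summarize(hits: List[Dict[str, str]]) -> List[str]:
    """Render each hit as one operator-facing line."""
    out = []
    for h in hits:
        ns = f" (namespace {h['namespace']})" if h["namespace"] else ""
        out.append(f"pid {h['pid']}: exec of {h['name']} under profile {h['profile']}{ns} "
                   f"refused; transition to {h['target']} is blocked by no_new_privs. "
                   "Check NoNewPrivileges= on the unit and the profile's exec rule.")
    return out


if __name__ == "__main__":
    # Real use: feed `dmesg` or /var/log/kern.log lines instead of the sample.
    for msg in summarize(find_nnp_exec_denials(SAMPLE_DMESG.splitlines())):
        print(msg)
```

The pre-filter on the literal `apparmor="DENIED"` keeps the regex off the vast majority of kernel log lines; the actual decision is made on the parsed fields so that field order and extra fields (such as the namespace= present only in the second record) do not matter.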