[Kernel-packages] [Bug 1701297] Re: NTP reload failure (unable to read library) on overlayfs

2017-06-30 Thread John Johansen
Andres,

can you be more specific about the kernel version of the hwe kernel you
are seeing this on?

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1701297

Title:
  NTP reload failure (unable to read library) on overlayfs

Status in cloud-init:
  Incomplete
Status in apparmor package in Ubuntu:
  Confirmed
Status in cloud-init package in Ubuntu:
  Incomplete
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  After update [1] of cloud-init in Ubuntu (which landed in xenial-updates
  on 2017-06-27), it is causing NTP reload failures.

  https://launchpad.net/ubuntu/+source/cloud-init/0.7.9-153-g16a7302f-0ubuntu1~16.04.1

  In MAAS scenarios, this is causing the machine to fail to deploy.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1701297/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1696369] Re: linux: 4.10.0-23.25 -proposed tracker

2017-06-19 Thread John Johansen
Looks good

** Changed in: kernel-sru-workflow/security-signoff
   Status: In Progress => Fix Released

-- 
https://bugs.launchpad.net/bugs/1696369

Title:
  linux: 4.10.0-23.25 -proposed tracker

Status in Kernel SRU Workflow:
  In Progress
Status in Kernel SRU Workflow automated-testing series:
  Incomplete
Status in Kernel SRU Workflow certification-testing series:
  Confirmed
Status in Kernel SRU Workflow prepare-package series:
  Fix Released
Status in Kernel SRU Workflow prepare-package-meta series:
  Fix Released
Status in Kernel SRU Workflow prepare-package-signed series:
  Fix Released
Status in Kernel SRU Workflow promote-to-proposed series:
  Fix Released
Status in Kernel SRU Workflow promote-to-security series:
  New
Status in Kernel SRU Workflow promote-to-updates series:
  New
Status in Kernel SRU Workflow regression-testing series:
  Confirmed
Status in Kernel SRU Workflow security-signoff series:
  Fix Released
Status in Kernel SRU Workflow upload-to-ppa series:
  Invalid
Status in Kernel SRU Workflow verification-testing series:
  Confirmed
Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Zesty:
  New

Bug description:
  This bug is for tracking the  upload package.
  This bug will contain status and testing results related to that
  upload.

  For an explanation of the tasks and the associated workflow see:
  https://wiki.ubuntu.com/Kernel/kernel-sru-workflow

  backports: 1696370,1696371
  derivatives: 1696372
  -- swm properties --
  boot-testing-requested: true
  phase: Promoted to proposed
  proposed-announcement-sent: true
  proposed-testing-requested: true

To manage notifications about this bug go to:
https://bugs.launchpad.net/kernel-sru-workflow/+bug/1696369/+subscriptions



[Kernel-packages] [Bug 1696365] Re: linux: 4.8.0-55.58 -proposed tracker

2017-06-19 Thread John Johansen
Looks good

** Changed in: kernel-sru-workflow/security-signoff
   Status: In Progress => Fix Released

-- 
https://bugs.launchpad.net/bugs/1696365

Title:
  linux: 4.8.0-55.58 -proposed tracker

Status in Kernel SRU Workflow:
  In Progress
Status in Kernel SRU Workflow automated-testing series:
  Fix Released
Status in Kernel SRU Workflow certification-testing series:
  In Progress
Status in Kernel SRU Workflow prepare-package series:
  Fix Released
Status in Kernel SRU Workflow prepare-package-meta series:
  Fix Released
Status in Kernel SRU Workflow prepare-package-signed series:
  Fix Released
Status in Kernel SRU Workflow promote-to-proposed series:
  Fix Released
Status in Kernel SRU Workflow promote-to-security series:
  New
Status in Kernel SRU Workflow promote-to-updates series:
  New
Status in Kernel SRU Workflow regression-testing series:
  Confirmed
Status in Kernel SRU Workflow security-signoff series:
  Fix Released
Status in Kernel SRU Workflow upload-to-ppa series:
  Invalid
Status in Kernel SRU Workflow verification-testing series:
  Confirmed
Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Yakkety:
  New

Bug description:
  This bug is for tracking the  upload package.
  This bug will contain status and testing results related to that
  upload.

  For an explanation of the tasks and the associated workflow see:
  https://wiki.ubuntu.com/Kernel/kernel-sru-workflow

  backports: 1696366
  derivatives: 1696367
  -- swm properties --
  boot-testing-requested: true
  phase: Promoted to proposed
  proposed-announcement-sent: true
  proposed-testing-requested: true

To manage notifications about this bug go to:
https://bugs.launchpad.net/kernel-sru-workflow/+bug/1696365/+subscriptions



[Kernel-packages] [Bug 1696362] Re: linux-aws: 4.4.0-1019.28 -proposed tracker

2017-06-19 Thread John Johansen
Looks good

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-aws in Ubuntu.
https://bugs.launchpad.net/bugs/1696362

Title:
  linux-aws: 4.4.0-1019.28 -proposed tracker

Status in Kernel SRU Workflow:
  In Progress
Status in Kernel SRU Workflow automated-testing series:
  Fix Released
Status in Kernel SRU Workflow certification-testing series:
  Invalid
Status in Kernel SRU Workflow prepare-package series:
  Fix Released
Status in Kernel SRU Workflow prepare-package-meta series:
  Fix Released
Status in Kernel SRU Workflow promote-to-proposed series:
  Fix Released
Status in Kernel SRU Workflow promote-to-security series:
  New
Status in Kernel SRU Workflow promote-to-updates series:
  New
Status in Kernel SRU Workflow regression-testing series:
  Confirmed
Status in Kernel SRU Workflow security-signoff series:
  Fix Released
Status in Kernel SRU Workflow upload-to-ppa series:
  New
Status in Kernel SRU Workflow verification-testing series:
  Confirmed
Status in linux-aws package in Ubuntu:
  Invalid
Status in linux-aws source package in Xenial:
  New

Bug description:
  This bug is for tracking the  upload package.
  This bug will contain status and testing results related to that
  upload.

  For an explanation of the tasks and the associated workflow see: 
https://wiki.ubuntu.com/Kernel/kernel-sru-workflow
  -- swm properties --
  boot-testing-requested: true
  kernel-stable-master-bug: 1696357
  phase: Promoted to proposed
  proposed-announcement-sent: true
  proposed-testing-requested: true

To manage notifications about this bug go to:
https://bugs.launchpad.net/kernel-sru-workflow/+bug/1696362/+subscriptions



[Kernel-packages] [Bug 1696362] Re: linux-aws: 4.4.0-1019.28 -proposed tracker

2017-06-19 Thread John Johansen
Looks good

** Changed in: kernel-sru-workflow/security-signoff
   Status: In Progress => Fix Released

-- 
https://bugs.launchpad.net/bugs/1696362

Title:
  linux-aws: 4.4.0-1019.28 -proposed tracker

Status in Kernel SRU Workflow:
  In Progress
Status in Kernel SRU Workflow automated-testing series:
  Fix Released
Status in Kernel SRU Workflow certification-testing series:
  Invalid
Status in Kernel SRU Workflow prepare-package series:
  Fix Released
Status in Kernel SRU Workflow prepare-package-meta series:
  Fix Released
Status in Kernel SRU Workflow promote-to-proposed series:
  Fix Released
Status in Kernel SRU Workflow promote-to-security series:
  New
Status in Kernel SRU Workflow promote-to-updates series:
  New
Status in Kernel SRU Workflow regression-testing series:
  Confirmed
Status in Kernel SRU Workflow security-signoff series:
  Fix Released
Status in Kernel SRU Workflow upload-to-ppa series:
  New
Status in Kernel SRU Workflow verification-testing series:
  Confirmed
Status in linux-aws package in Ubuntu:
  Invalid
Status in linux-aws source package in Xenial:
  New

Bug description:
  This bug is for tracking the  upload package.
  This bug will contain status and testing results related to that
  upload.

  For an explanation of the tasks and the associated workflow see: 
https://wiki.ubuntu.com/Kernel/kernel-sru-workflow
  -- swm properties --
  boot-testing-requested: true
  kernel-stable-master-bug: 1696357
  phase: Promoted to proposed
  proposed-announcement-sent: true
  proposed-testing-requested: true

To manage notifications about this bug go to:
https://bugs.launchpad.net/kernel-sru-workflow/+bug/1696362/+subscriptions



[Kernel-packages] [Bug 1696357] Re: linux: 4.4.0-80.101 -proposed tracker

2017-06-19 Thread John Johansen
Looks good

** Changed in: kernel-sru-workflow/security-signoff
   Status: In Progress => Fix Released

-- 
https://bugs.launchpad.net/bugs/1696357

Title:
  linux: 4.4.0-80.101 -proposed tracker

Status in Kernel SRU Workflow:
  In Progress
Status in Kernel SRU Workflow automated-testing series:
  Incomplete
Status in Kernel SRU Workflow certification-testing series:
  In Progress
Status in Kernel SRU Workflow prepare-package series:
  Fix Released
Status in Kernel SRU Workflow prepare-package-meta series:
  Fix Released
Status in Kernel SRU Workflow prepare-package-signed series:
  Fix Released
Status in Kernel SRU Workflow promote-to-proposed series:
  Fix Released
Status in Kernel SRU Workflow promote-to-security series:
  New
Status in Kernel SRU Workflow promote-to-updates series:
  New
Status in Kernel SRU Workflow regression-testing series:
  Confirmed
Status in Kernel SRU Workflow security-signoff series:
  Fix Released
Status in Kernel SRU Workflow upload-to-ppa series:
  Invalid
Status in Kernel SRU Workflow verification-testing series:
  Confirmed
Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  New

Bug description:
  This bug is for tracking the  upload package.
  This bug will contain status and testing results related to that
  upload.

  For an explanation of the tasks and the associated workflow see:
  https://wiki.ubuntu.com/Kernel/kernel-sru-workflow

  backports: 1696358
  derivatives: 1696359,1696360,1696362,1696363,1696364
  -- swm properties --
  boot-testing-requested: true
  phase: Promoted to proposed
  proposed-announcement-sent: true
  proposed-testing-requested: true

To manage notifications about this bug go to:
https://bugs.launchpad.net/kernel-sru-workflow/+bug/1696357/+subscriptions



[Kernel-packages] [Bug 1696352] Re: linux: 3.13.0-120.167 -proposed tracker

2017-06-19 Thread John Johansen
Looks good

** Changed in: kernel-sru-workflow/security-signoff
   Status: In Progress => Fix Released

-- 
https://bugs.launchpad.net/bugs/1696352

Title:
  linux: 3.13.0-120.167 -proposed tracker

Status in Kernel SRU Workflow:
  In Progress
Status in Kernel SRU Workflow automated-testing series:
  Fix Released
Status in Kernel SRU Workflow certification-testing series:
  Fix Released
Status in Kernel SRU Workflow prepare-package series:
  Fix Released
Status in Kernel SRU Workflow prepare-package-meta series:
  Fix Released
Status in Kernel SRU Workflow prepare-package-signed series:
  Fix Released
Status in Kernel SRU Workflow promote-to-proposed series:
  Fix Released
Status in Kernel SRU Workflow promote-to-security series:
  New
Status in Kernel SRU Workflow promote-to-updates series:
  New
Status in Kernel SRU Workflow regression-testing series:
  Fix Released
Status in Kernel SRU Workflow security-signoff series:
  Fix Released
Status in Kernel SRU Workflow upload-to-ppa series:
  Invalid
Status in Kernel SRU Workflow verification-testing series:
  Fix Released
Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Trusty:
  New

Bug description:
  This bug is for tracking the  upload package.
  This bug will contain status and testing results related to that
  upload.

  For an explanation of the tasks and the associated workflow see:
  https://wiki.ubuntu.com/Kernel/kernel-sru-workflow

  backports: 1696354
  derivatives:
  -- swm properties --
  boot-testing-requested: true
  phase: Promoted to proposed
  proposed-announcement-sent: true
  proposed-testing-requested: true

To manage notifications about this bug go to:
https://bugs.launchpad.net/kernel-sru-workflow/+bug/1696352/+subscriptions



[Kernel-packages] [Bug 1698919] Re: CVE-2017-1000364

2017-06-19 Thread John Johansen
CVE-2017-1000364

** Also affects: linux (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Also affects: linux-ti-omap4 (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Also affects: linux-raspi2 (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux-ti-omap4 (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux-raspi2 (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux-ti-omap4 (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux-raspi2 (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux-ti-omap4 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux-raspi2 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Also affects: linux-ti-omap4 (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Also affects: linux-raspi2 (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: linux-ti-omap4 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: linux-raspi2 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: linux-ti-omap4 (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: linux-raspi2 (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Changed in: linux-lts-wily (Ubuntu Artful)
   Status: New => Invalid

** Changed in: linux-lts-wily (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: linux-lts-wily (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-lts-wily (Ubuntu Zesty)
   Status: New => Invalid

** Changed in: linux-joule (Ubuntu Artful)
   Status: New => Invalid

** Changed in: linux-joule (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: linux-joule (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-joule (Ubuntu Zesty)
   Status: New => Invalid

** Changed in: linux-gke (Ubuntu Artful)
   Status: New => Invalid

** Changed in: linux-gke (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: linux-gke (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-gke (Ubuntu Zesty)
   Status: New => Invalid

** Changed in: linux-ti-omap4 (Ubuntu Artful)
   Status: New => Invalid

** Changed in: linux-ti-omap4 (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: linux-ti-omap4 (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-ti-omap4 (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-ti-omap4 (Ubuntu Zesty)
   Status: New => Invalid

** Changed in: linux-lts-xenial (Ubuntu Artful)
   Status: New => Invalid

** Changed in: linux-lts-xenial (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: linux-lts-xenial (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-lts-xenial (Ubuntu Zesty)
   Status: New => Invalid

** Changed in: linux-hwe-edge (Ubuntu Artful)
   Status: New => Invalid

** Changed in: linux-hwe-edge (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: linux-hwe-edge (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-hwe-edge (Ubuntu Zesty)
   Status: New => Invalid

** Changed in: linux-manta (Ubuntu Artful)
   Status: New => Invalid

** Changed in: linux-manta (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: linux-manta (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-manta (Ubuntu Zesty)
   Status: New => Invalid

** Changed in: linux-azure (Ubuntu Artful)
   Status: New => Invalid

** Changed in: linux-azure (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: linux-azure (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-azure (Ubuntu Zesty)
   Status: New => Invalid

** Changed in: linux-lts-vivid (Ubuntu Artful)
   Status: New => Invalid

** Changed in: linux-lts-vivid (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: linux-lts-vivid (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-lts-vivid (Ubuntu Zesty)
   Status: New => Invalid

** Changed in: linux-aws (Ubuntu Artful)
   Status: New => Invalid

** Changed in: linux-aws (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: linux-aws (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-aws (Ubuntu Zesty)
   Status: New => Invalid

** Changed i

[Kernel-packages] [Bug 1698919] [NEW] CVE-2017-1000364

2017-06-19 Thread John Johansen
*** This bug is a security vulnerability ***

Public security bug reported:

An issue was discovered in the size of the stack guard page on Linux:
specifically, a 4k stack guard page is not sufficiently large and can be
jumped over.

Break-Fix: 320b2b8de12698082609ebbc1a17165727f4c893 -

** Affects: linux (Ubuntu)
 Importance: High
 Status: New

** Affects: linux-aws (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-azure (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-flo (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-gke (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-goldfish (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-hwe (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-hwe-edge (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-joule (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-lts-utopic (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-lts-vivid (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-lts-wily (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-lts-xenial (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-mako (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-manta (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux-raspi2 (Ubuntu)
 Importance: High
 Status: New

** Affects: linux-snapdragon (Ubuntu)
 Importance: High
 Status: New

** Affects: linux-ti-omap4 (Ubuntu)
 Importance: High
 Status: Invalid

** Affects: linux (Ubuntu Trusty)
 Importance: High
 Status: New

** Affects: linux-aws (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-azure (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-flo (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-gke (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-goldfish (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-hwe (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-hwe-edge (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-joule (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-lts-utopic (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-lts-vivid (Ubuntu Trusty)
 Importance: High
 Status: New

** Affects: linux-lts-wily (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-lts-xenial (Ubuntu Trusty)
 Importance: High
 Status: New

** Affects: linux-mako (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-manta (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-raspi2 (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-snapdragon (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Trusty)
 Importance: High
 Status: Invalid

** Affects: linux (Ubuntu Xenial)
 Importance: High
 Status: New

** Affects: linux-aws (Ubuntu Xenial)
 Importance: High
 Status: New

** Affects: linux-azure (Ubuntu Xenial)
 Importance: High
 Status: New

** Affects: linux-flo (Ubuntu Xenial)
 Importance: High
 Status: Invalid

** Affects: linux-gke (Ubuntu Xenial)
 Importance: High
 Status: New

** Affects: linux-goldfish (Ubuntu Xenial)
 Importance: High
 Status: New

** Affects: linux-hwe (Ubuntu Xenial)
 Importance: High
 Status: New

** Affects: linux-hwe-edge (Ubuntu Xenial)
 Importance: High
 Status: New

** Affects: linux-joule (Ubuntu Xenial)
 Importance: High
 Status: New

** Affects: linux-lts-utopic (Ubuntu Xenial)
 Importance: High
 Status: Invalid

** Affects: linux-lts-vivid (Ubuntu Xenial)
 Importance: High
 Status: Invalid

** Affects: linux-lts-wily (Ubuntu Xenial)
 Importance: High
 Status: Invalid

** Affects: linux-lts-xenial (Ubuntu Xenial)
 Importance: High
 Status: Invalid

** Affects: linux-mako (Ubuntu Xenial)
 Importance: High
 Status: Invalid

** Affects: linux-manta (Ubuntu Xenial)
 Importance: High
 Status: Invalid

** Affects: linux-raspi2 (Ubuntu Xenial)
 Importance: High
 Status: New

** Affects: linux-snapdragon (Ubuntu Xenial)
 Importance: High
 Status: New

** Affects: linux-ti-omap4 (Ubuntu Xenial)
 Importance: High
 Status: Invalid

** Affects: linux (Ubuntu Yakkety)
 Importance: High
 Status: New

** Affects: linux-aw

[Kernel-packages] [Bug 1684481] Re: KVM guest execution start apparmor blocks on /dev/ptmx now (regression?)

2017-04-21 Thread John Johansen
Thanks Stéphane,

@Christian, it looks like adding a rule
  /dev/pts/ptmx rw,

to the profile is necessary for now.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1684481

Title:
  KVM guest execution start apparmor blocks on /dev/ptmx now
  (regression?)

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed
Status in lxc package in Ubuntu:
  Triaged
Status in lxd package in Ubuntu:
  Invalid

Bug description:
  Setup:
  - Xenial host
  - lxd guests with Trusty, Xenial, ...
  - add a LXD profile to allow kvm [3] (inspired by stgraber)
  - spawn KVM guests in the LXD guests using the different distro release versions
  - guests are based on the uvtool default template which has a serial console [4]

  Issue:
  - guest starting with serial device gets blocked by apparmor and killed on creation
  - This affects at least ppc64el and x86 (s390x has no serial concept that would match)
  - This appeared in our usual checks on -proposed releases so maybe we can/should stop something?
    Last good was "Apr 5, 2017 10:40:50 AM", first bad one "Apr 8, 2017 5:11:22 AM"

  Background:
  We have used this setup for a while and it was working without a change on our end.
  Also the fact that it still works in the Trusty LXD makes it somewhat suspicious.
  Therefore I'd assume an SRUed change in LXD/Kernel/Apparmor might be the reason and open this bug to get your opinion on it.

  You can look into [1] and search for uvt-kvm create in it.

  Deny in dmesg:
  [652759.606218] audit: type=1400 audit(1492671353.134:4520): apparmor="DENIED" operation="open" namespace="root//lxd-testkvm-xenial-from_" profile="libvirt-668e21f1-fa55-4a30-b325-0ed5cfd55e5b" name="/dev/pts/ptmx" pid=27162 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  Qemu-log:
  2017-04-20T06:55:53.139450Z qemu-system-ppc64: -chardev pty,id=charserial0: Failed to create PTY: No such file or directory

  There was a similar issue on qemu namespacing (which we don't use on any of these releases) [2].
  While we surely don't have the "same" issue, the debugging on the namespacing might be worth a look as it could be related.

  Workaround for now:
  - drop serial section from guest xml

  [1]: https://jenkins.ubuntu.com/server/view/Virt/job/virt-migration-cross-release-amd64/78/consoleFull
  [2]: https://bugzilla.redhat.com/show_bug.cgi?id=1421036
  [3]: https://git.launchpad.net/~ubuntu-server/ubuntu/+source/qemu-migration-test/tree/kvm_profile.yaml
  [4]: https://libvirt.org/formatdomain.html#elementsCharPTY
  --- 
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: ppc64el
  DistroRelease: Ubuntu 16.04
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  Package: lxd
  PackageArchitecture: ppc64el
  ProcKernelCmdline: root=UUID=902eaad1-2164-4f9a-bec4-7ff3abc15804 ro 
console=hvc0
  ProcLoadAvg: 3.15 3.02 3.83 1/3056 79993
  ProcSwaps:
   Filename    Type    Size     Used    Priority
   /swap.img   file    8388544  0       -1
  ProcVersion: Linux version 4.4.0-72-generic (buildd@bos01-ppc64el-022) (gcc 
version 5.4.0 20160609 (Ubuntu/IBM 5.4.0-6ubuntu1~16.04.4) ) #93-Ubuntu SMP Fri 
Mar 31 14:05:15 UTC 2017
  ProcVersionSignature: Ubuntu 4.4.0-72.93-generic 4.4.49
  Syslog:
   
  Tags:  xenial uec-images
  Uname: Linux 4.4.0-72-generic ppc64le
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: utah
  _MarkForUpload: True
  cpu_cores: Number of cores present = 20
  cpu_coreson: Number of cores online = 20
  cpu_smt: SMT is off
  --- 
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: ppc64el
  DistroRelease: Ubuntu 16.04
  NonfreeKernelModules: cfg80211 ebtable_broute ebtable_nat binfmt_misc veth 
nbd openvswitch vhost_net vhost macvtap macvlan xt_conntrack ipt_REJECT 
nf_reject_ipv4 ebtable_filter ebtables ip6t_MASQUERADE nf_nat_masquerade_ipv6 
ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_filter 
ip6_tables xt_comment xt_CHECKSUM iptable_mangle ipt_MASQUERADE 
nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 
nf_nat nf_conntrack xt_tcpudp bridge stp llc iptable_filter ip_tables x_tables 
zfs zunicode zcommon znvpair spl zavl kvm_hv kvm ipmi_powernv ipmi_msghandler 
uio_pdrv_genirq vmx_crypto powernv_rng ibmpowernv leds_powernv uio ib_iser 
rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp 
libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov 
async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 
multipath linear ses enclosure mlx4_en vxlan ip6_udp_tunnel udp_tunnel 
mlx4_core ipr
  Package: lxd
  PackageArchitecture: ppc64el
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   LANG=C.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdline: root=UUID=902eaad1-2164-4f9a-bec4
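The reply above derives the missing rule (`/dev/pts/ptmx rw,`) from the AppArmor denial quoted in the bug description. The script below is an added example, not code from the bug report, AppArmor or libvirt: it parses `apparmor="DENIED"` audit lines as they appear in dmesg, turns each file denial into the narrowest file rule that would permit exactly the denied access, and uses the `namespace` field to flag denials raised by policy that was loaded inside a container's policy namespace (the `root//...` form seen in the report), since that rule belongs in the profile shipped inside the container rather than in the host's LXD profile. The first sample line is the denial from the bug report rejoined onto one line; the other two lines, and the helper names `parse_audit_line`, `suggest_file_rule` and `triage`, are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input. Line 1 is the denial quoted in the bug report,
# rejoined onto one line; lines 2 and 3 are made up for this example.
SAMPLE_LOG = [
    'audit: type=1400 audit(1492671353.134:4520): apparmor="DENIED" operation="open" '
    'namespace="root//lxd-testkvm-xenial-from_" '
    'profile="libvirt-668e21f1-fa55-4a30-b325-0ed5cfd55e5b" name="/dev/pts/ptmx" '
    'pid=27162 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
    # constructed: a profile-load status event, not a denial, must be ignored
    'audit: type=1400 audit(1492671353.200:4521): apparmor="STATUS" operation="profile_load" '
    'profile="unconfined" name="libvirt-example" pid=27000 comm="apparmor_parser"',
    # constructed: a host-namespace create denial ('c' is granted by 'w' in policy)
    'audit: type=1400 audit(1492671353.300:4522): apparmor="DENIED" operation="mknod" '
    'namespace="root" profile="libvirt-example" name="/run/example.sock" '
    'pid=27001 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
]

# key=value pairs; values are either double-quoted or a bare token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# canonical order AppArmor uses when printing file permissions
_PERM_ORDER = "rwamxkl"


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Split an AppArmor audit line into its fields; None if it is not one."""
    if 'apparmor="' not in line:
        return None
    # findall yields '' for the alternative that did not match, so take whichever is set
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def suggest_file_rule(fields: Dict[str, str]) -> Optional[str]:
    """Return the narrowest file rule that would allow exactly the denied access.
    Non-denials and events without a path yield None."""
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    # create ('c') and delete ('d') show up in masks but are granted by 'w' in rules
    perms = {"w" if ch in "cd" else ch for ch in mask}
    ordered = "".join(p for p in _PERM_ORDER if p in perms)
    if not ordered:
        return None
    return f'{fields["name"]} {ordered},'


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Turn raw log lines into (profile, namespace, suggested rule) records and
    flag denials raised by stacked policy loaded inside a container namespace."""
    records = []
    for line in lines:
        fields = parse_audit_line(line)
        if fields is None:
            continue
        rule = suggest_file_rule(fields)
        if rule is None:
            continue
        ns = fields.get("namespace", "root")
        records.append({
            "profile": fields.get("profile", ""),
            "comm": fields.get("comm", ""),
            "namespace": ns,
            # "root//child" means the denying profile was loaded inside a child
            # (container) policy namespace and is stacked with the host's container
            # profile, so the fix belongs in the in-container profile.
            "stacked": "//" in ns,
            "rule": rule,
        })
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        where = "in-container profile" if rec["stacked"] else "host profile"
        print(f'{rec["profile"]} ({rec["comm"]}, {where}): add "{rec["rule"]}"')
```

The rule is built from `denied_mask`, not `requested_mask`, so an access that was partly granted only produces the permissions that were actually refused; a practitioner should still review each suggestion rather than appending it blindly, since the narrowest rule is not always the right one.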

[Kernel-packages] [Bug 1684481] Re: KVM guest execution start apparmor blocks on /dev/ptmx now (regression?)

2017-04-21 Thread John Johansen
Hey Christian,

thanks for the profiles, I haven't had a chance to dig into them yet,
but after a quick first pass they look as expected.

So, very interesting. First up, apparmor has always done mediation post
symlink resolution; this is not new with stacking. What is new with
stacking is that we are now loading policy within the container and applying
it, and it can and will expose several things done to set up the
container. Specifically, you now have 2 profiles being enforced: the lxd
container profile (which was being enforced before), and now system
profiles from within the container, so in this case the libvirt profile.
The libvirt profile within the container should work the same as when
used on the host modulo any container setup that leaks through. This is
generally around mounts and namespacing.

The bind mount done in bug 1507959 will manifest itself in different
ways than the symlink. Generally speaking, bind mounts will act just like
a file at the location they are bound (name resolution follows them,
unlike a symlink), but will require the mount rule to set them up.

With LXD doing a bind mount to /dev/ptmx, it's odd that you are seeing it
as a symlink. I am going to do some investigation and see if I can't
replicate.

-- 
https://bugs.launchpad.net/bugs/1684481

Title:
  KVM guest execution start apparmor blocks on /dev/ptmx now
  (regression?)

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed
Status in lxd package in Ubuntu:
  New


[Kernel-packages] [Bug 1684481] Re: KVM guest execution start apparmor blocks on /dev/ptmx now (regression?)

2017-04-20 Thread John Johansen
It's true there are a few issues with apparmor profiles being loaded as
part of a stack when namespacing is involved. However this does not
appear to be one of them.

However the application may be behaving slightly differently resulting
in the profile needed to be extended. Can you please attach your libvirt
profile files

/etc/apparmor.d/libvirt/libvirt-668e21f1-fa55-4a30-b325-0ed5cfd55e5b
/etc/apparmor.d/libvirt/libvirt-668e21f1-fa55-4a30-b325-0ed5cfd55e5b.files

so I can verify their contents. The likely fix is going to be expanding the 
profile to include access to
  /dev/pts/ptmx rw,

but I still need to verify something else isn't going on, and determine
the best location to update.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1684481

Title:
  KVM guest execution start apparmor blocks on /dev/ptmx now
  (regression?)

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed
Status in lxd package in Ubuntu:
  Invalid

Bug description:
  Setup:
  - Xenial host
  - lxd guests with Trusty, Xenial, ...
  - add a LXD profile to allow kvm [3] (inspired by stgraber)
  - spawn KVM guests in the LXD guests using the different distro release 
versions
  - guests are based on the uvtool default template which has a serial console 
[4]

  Issue:
  - guest starting with serial device gets blocked by apparmor and killed on 
creation
  - This affects at least ppc64el and x86 (s390x has no serial concept that 
would match)
  - This appeared in our usual checks on -proposed releases so maybe we 
can/should stop something?
Last good was "Apr 5, 2017 10:40:50 AM" first bad one "Apr 8, 2017 5:11:22 
AM"

  Background:
  We have been using this setup for a while and it was working without a change on our end.
  Also the fact that it still works in the Trusty LXD makes it somewhat 
suspicious.
  Therefore I'd assume an SRUed change in LXD/Kernel/Apparmor might be the 
reason and open this bug to get your opinion on it.

  You can look into [1] and search for uvt-kvm create in it.

  Deny in dmesg:
  [652759.606218] audit: type=1400 audit(1492671353.134:4520): 
apparmor="DENIED" operation="open" 
namespace="root//lxd-testkvm-xenial-from_" 
profile="libvirt-668e21f1-fa55-4a30-b325-0ed5cfd55e5b" name="/dev/pts/ptmx" 
pid=27162 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=0 
ouid=0

  Qemu-log:
  2017-04-20T06:55:53.139450Z qemu-system-ppc64: -chardev pty,id=charserial0: 
Failed to create PTY: No such file or directory

  There was a similar issue on qemu namespacing (which we don't use on any of 
these releases) [2].
  While we surely don't have the "same" issue the debugging on the namespacing 
might be worth a look as it could be related.

  Workaround for now:
  - drop serial section from guest xml

  [1]: 
https://jenkins.ubuntu.com/server/view/Virt/job/virt-migration-cross-release-amd64/78/consoleFull
  [2]: https://bugzilla.redhat.com/show_bug.cgi?id=1421036
  [3]: 
https://git.launchpad.net/~ubuntu-server/ubuntu/+source/qemu-migration-test/tree/kvm_profile.yaml
  [4]: https://libvirt.org/formatdomain.html#elementsCharPTY
  --- 
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: ppc64el
  DistroRelease: Ubuntu 16.04
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  Package: lxd
  PackageArchitecture: ppc64el
  ProcKernelCmdline: root=UUID=902eaad1-2164-4f9a-bec4-7ff3abc15804 ro 
console=hvc0
  ProcLoadAvg: 3.15 3.02 3.83 1/3056 79993
  ProcSwaps:
   Filename TypeSizeUsedPriority
   /swap.img   file 8388544 0   -1
  ProcVersion: Linux version 4.4.0-72-generic (buildd@bos01-ppc64el-022) (gcc 
version 5.4.0 20160609 (Ubuntu/IBM 5.4.0-6ubuntu1~16.04.4) ) #93-Ubuntu SMP Fri 
Mar 31 14:05:15 UTC 2017
  ProcVersionSignature: Ubuntu 4.4.0-72.93-generic 4.4.49
  Syslog:
   
  Tags:  xenial uec-images
  Uname: Linux 4.4.0-72-generic ppc64le
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: utah
  _MarkForUpload: True
  cpu_cores: Number of cores present = 20
  cpu_coreson: Number of cores online = 20
  cpu_smt: SMT is off
  --- 
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: ppc64el
  DistroRelease: Ubuntu 16.04
  NonfreeKernelModules: cfg80211 ebtable_broute ebtable_nat binfmt_misc veth 
nbd openvswitch vhost_net vhost macvtap macvlan xt_conntrack ipt_REJECT 
nf_reject_ipv4 ebtable_filter ebtables ip6t_MASQUERADE nf_nat_masquerade_ipv6 
ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_filter 
ip6_tables xt_comment xt_CHECKSUM iptable_mangle ipt_MASQUERADE 
nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 
nf_nat nf_conntrack xt_tcpudp bridge stp llc iptable_filter ip_tables x_tables 
zfs zunicode zcommon znvpair spl zavl kvm_hv kvm ipmi_powernv ipmi_msghandler 
uio_pdrv_genirq vmx_crypto powernv_rng ib

[Kernel-packages] [Bug 1678048] Re: apparmor: oops on boot if parameters set on grub command line

2017-03-31 Thread John Johansen
This is because boot params are processed before apparmor is fully
initialized and policy_view_capable() will oops because the rootns is
not setup.

We should by-pass policy_view_capable() for params being set at boot.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1678048

Title:
  apparmor: oops on boot if parameters set on grub command line

Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  New
Status in linux source package in Yakkety:
  New
Status in linux source package in Zesty:
  New

Bug description:
  When an apparmor parameter is set on the grub kernel line it results
  in an oops and failure to boot.

  eg. setting
apparmor.audit=noquiet

  will cause the kernel to fail to boot.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1678048/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1678048] [NEW] apparmor: oops on boot if parameters set on grub command line

2017-03-31 Thread John Johansen
Public bug reported:

When an apparmor parameter is set on the grub kernel line it results in
an oops and failure to boot.

eg. setting
  apparmor.audit=noquiet

will cause the kernel to fail to boot.

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1678048

Title:
  apparmor: oops on boot if parameters set on grub command line

Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  New
Status in linux source package in Yakkety:
  New
Status in linux source package in Zesty:
  New

Bug description:
  When an apparmor parameter is set on the grub kernel line it results
  in an oops and failure to boot.

  eg. setting
apparmor.audit=noquiet

  will cause the kernel to fail to boot.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1678048/+subscriptions



[Kernel-packages] [Bug 1678030] [NEW] apparmor query interface does not make supported query info available

2017-03-31 Thread John Johansen
Public bug reported:

The apparmor query interface does not make available information about
what is currently supported. Add the base set of information for label
queries through the apparmorfs features subtree.

Note: this will be needed to support user space permission caching used
by trusted helpers like dbus, gsetting proxy, apparmor xace, ...

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1678030

Title:
  apparmor query interface does not make supported query info available

Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  New
Status in linux source package in Yakkety:
  New
Status in linux source package in Zesty:
  New

Bug description:
  The apparmor query interface does not make available information about
  what is currently supported. Add the base set of information for label
  queries through the apparmorfs features subtree.

  Note: this will be needed to support user space permission caching
  used by trusted helpers like dbus, gsetting proxy, apparmor xace, ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1678030/+subscriptions



[Kernel-packages] [Bug 1678032] [NEW] apparmor: does not provide a way to detect policy updates

2017-03-31 Thread John Johansen
Public bug reported:

User space trusted helpers have no way to detect when policy changes
have been loaded into the kernel. This prevents the applications from
being able to cache permission queries. Currently trusted helpers have
not done caching (wish list feature), however the gsetting proxy
requires userspace caching of permissions due to how gsettings proxy has
to work.

This means that policy loads result in stale gsettings policy, which
results in incorrect mediation.

Add a revision file to the apparmorfs interface that allows detection of
the current revision number for apparmor policy. This file can be read
like a pipe, or used via poll, which is sufficient for the gsettings
proxy to detect changes and invalidate its cache.

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1678032

Title:
  apparmor: does not provide a way to detect policy updates

Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  New
Status in linux source package in Yakkety:
  New
Status in linux source package in Zesty:
  New

Bug description:
  User space trusted helpers have no way to detect when policy changes
  have been loaded into the kernel. This prevents the applications from
  being able to cache permission queries. Currently trusted helpers have
  not done caching (wish list feature), however the gsetting proxy
  requires userspace caching of permissions due to how gsettings proxy
  has to work.

  This means that policy loads result in stale gsettings policy, which
  results in incorrect mediation.

  Add a revision file to the apparmorfs interface that allows detection
  of the current revision number for apparmor policy. This file can be
  read like a pipe, or used via poll, which is sufficient for the
  gsettings proxy to detect changes and invalidate its cache.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1678032/+subscriptions



[Kernel-packages] [Bug 1678023] [NEW] apparmor does not make support of query data visible

2017-03-31 Thread John Johansen
Public bug reported:

gsettings mediation needs to be able to determine if apparmor supports
label data queries. A label data query can be done to test for support
but its failure is indistinguishable from other failures, making it an
unreliable indicator.

Fix by making support of label data queries available as a flag in the
apparmorfs features dir tree.

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: Incomplete

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: Incomplete

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: Incomplete

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: Incomplete

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1678023

Title:
  apparmor does not make support of query data visible

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Incomplete
Status in linux source package in Yakkety:
  Incomplete
Status in linux source package in Zesty:
  Incomplete

Bug description:
  gsettings mediation needs to be able to determine if apparmor supports
  label data queries. A label data query can be done to test for support
  but its failure is indistinguishable from other failures, making it an
  unreliable indicator.

  Fix by making support of label data queries available as a flag in the
  apparmorfs features dir tree.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1678023/+subscriptions

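The three reports above (bugs 1678030, 1678032 and 1678023) describe what a user-space trusted helper such as the gsettings proxy needs from apparmorfs: a flag saying that label queries are supported, and a revision counter saying when cached answers have gone stale. The following is an added example, not code from the kernel, the gsettings proxy or any project named in the reports. It does feature detection by file presence rather than by trying a query and guessing at the failure, keeps a permission cache keyed on the policy revision, shows the poll(2) wait the revision file is meant for, and includes an offline stand-in for the kernel side so the stale-cache failure the report worries about can be seen without a patched kernel. The securityfs paths (features/query/label/perms, features/query/label/data and revision under /sys/kernel/security/apparmor) are assumptions about the interface the reports say was added; verify them on the running kernel before depending on them.

```python
import os
import select
from typing import Callable, Dict, Tuple

# Assumed apparmorfs layout (not given in the reports; verify on a real kernel).
AAFS = '/sys/kernel/security/apparmor'
FEATURE_FLAGS = {
    'label-perms': 'features/query/label/perms',
    'label-data': 'features/query/label/data',
}
REVISION_PATH = os.path.join(AAFS, 'revision')


def supported_queries(root: str = AAFS) -> Dict[str, bool]:
    """Detect query support by the presence of the feature flag files.

    Issuing a query and treating any failure as "unsupported" is what bug
    1678023 calls unreliable: EINVAL, ENOENT and EPERM all look the same.
    """
    return {name: os.path.exists(os.path.join(root, rel))
            for name, rel in FEATURE_FLAGS.items()}


def read_revision(path: str = REVISION_PATH) -> int:
    """Current policy revision; any change means cached answers are stale."""
    with open(path, 'rb') as fh:
        return int(fh.read().strip() or b'0')


def wait_for_policy_change(path: str = REVISION_PATH, timeout_ms: int = -1) -> bool:
    """Block in poll(2) until the kernel signals a policy load (True) or time out."""
    with open(path, 'rb') as fh:
        poller = select.poll()
        poller.register(fh, select.POLLIN | select.POLLPRI)
        return bool(poller.poll(timeout_ms))


class PermissionCache:
    """Memoise label queries, but only while the policy revision is unchanged."""

    def __init__(self, revision_source: Callable[[], int],
                 query: Callable[[str, str], bool]) -> None:
        self._revision_source = revision_source
        self._query = query
        self._revision = revision_source()
        self._answers: Dict[Tuple[str, str], bool] = {}
        self.hits = 0

    def allowed(self, label: str, key: str) -> bool:
        rev = self._revision_source()
        if rev != self._revision:            # policy was (re)loaded: drop everything
            self._answers.clear()
            self._revision = rev
        pair = (label, key)
        if pair not in self._answers:
            self._answers[pair] = self._query(label, key)
        else:
            self.hits += 1
        return self._answers[pair]


class FakePolicyKernel:
    """Offline stand-in for the kernel side (constructed for this example):
    a query table plus a revision counter bumped on every policy load."""

    def __init__(self) -> None:
        self.revision = 1
        self.table = {('snap.demo', 'org.gnome.desktop.interface'): True}
        self.queries = 0

    def load_policy(self, table: Dict[Tuple[str, str], bool]) -> None:
        self.table = table
        self.revision += 1

    def query(self, label: str, key: str) -> bool:
        self.queries += 1
        return self.table.get((label, key), False)


def demo(track_revision: bool = True) -> Tuple[bool, bool, bool, int]:
    """Three answers seen by the helper, plus how often the kernel was asked."""
    kernel = FakePolicyKernel()
    source = (lambda: kernel.revision) if track_revision else (lambda: 0)
    cache = PermissionCache(source, kernel.query)
    label, key = 'snap.demo', 'org.gnome.desktop.interface'
    first = cache.allowed(label, key)      # miss: asks the kernel, True
    second = cache.allowed(label, key)     # hit: no kernel query
    kernel.load_policy({})                 # policy replaced; access now denied
    third = cache.allowed(label, key)      # tracked: re-queried, False; untracked: stale True
    return first, second, third, kernel.queries


if __name__ == '__main__':
    print('with revision tracking   :', demo(True))
    print('without revision tracking:', demo(False))
```

The untracked run is the situation the report describes: the helper keeps answering "allowed" from its cache after the policy that allowed it has been replaced.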


[Kernel-packages] [Bug 1677959] [NEW] change_profile incorrect when using namespaces with a compound stack

2017-03-30 Thread John Johansen
Public bug reported:

When a compound label is used as part of a target namespace the change
profile will result in a bad change

a task confined by profile lxd doing
change_profile(&:ns://foo//&unconfined)

results in a change_profile to

  :ns://foo
and
  unconfined

causing the local system profile to change instead of setting up a stack in the 
sub namespace
ie.
  unconfined//&:ns://foo
instead of the expected
  lxd//&:ns://foo//&:ns://unconfined

https://github.com/lxc/lxd/issues/2981

** Affects: apparmor
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: Incomplete

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: Incomplete

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: Incomplete

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: Incomplete

** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1677959

Title:
  change_profile incorrect when using namespaces with a compound stack

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Incomplete
Status in linux source package in Yakkety:
  Incomplete
Status in linux source package in Zesty:
  Incomplete

Bug description:
  When a compound label is used as part of a target namespace the change
  profile will result in a bad change

  a task confined by profile lxd doing
  change_profile(&:ns://foo//&unconfined)

  results in a change_profile to

:ns://foo
  and
unconfined

  causing the local system profile to change instead of setting up a stack in 
the sub namespace
  ie.
unconfined//&:ns://foo
  instead of the expected
lxd//&:ns://foo//&:ns://unconfined

  https://github.com/lxc/lxd/issues/2981

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1677959/+subscriptions

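Added example, not from the bug report or the AppArmor sources: a small Python model of how a change_profile target carrying a compound, namespaced label ought to be read, using the labels from the report above. The ':ns://' prefix is treated as scoping every later unqualified component of the same target, because that is what the expected result 'lxd//&:ns://foo//&:ns://unconfined' implies; the "naive" parser splits on '//&' first and reads each piece in the caller's namespace, which is the mis-parse the report describes. The label algebra here (a stack as an ordered, de-duplicated list) is a simplification for illustration, not the kernel's implementation.

```python
from typing import List, Tuple

SEP = '//&'                       # joins the profiles of a stacked label
Profile = Tuple[str, str]         # (policy namespace, profile name)


def parse_component(text: str, default_ns: str) -> Profile:
    """':ns://name' -> ('ns', 'name'); a bare 'name' belongs to default_ns."""
    if text.startswith(':'):
        ns, sep, name = text[1:].partition('://')
        if not sep or not ns or not name:
            raise ValueError(f'malformed namespaced profile: {text!r}')
        return (ns, name)
    if not text:
        raise ValueError('empty profile component')
    return (default_ns, text)


def parse_target(target: str, caller_ns: str) -> Tuple[bool, List[Profile]]:
    """Interpret a change_profile target string.

    A leading '&' means "stack onto the current label" rather than replace.
    Model choice (implied by the expected result in the report): a ':ns://'
    prefix scopes every later unqualified component of the same target, so
    '&:ns://foo//&unconfined' means foo AND unconfined, both inside ns.
    """
    stack = target.startswith('&')
    if stack:
        target = target[1:]
    profiles: List[Profile] = []
    ns = caller_ns
    for piece in target.split(SEP):
        prof = parse_component(piece, ns)
        ns = prof[0]                      # namespace is sticky from here on
        profiles.append(prof)
    return stack, profiles


def naive_parse_target(target: str, caller_ns: str) -> Tuple[bool, List[Profile]]:
    """The mis-parse the report describes: split first, then read every piece
    on its own, so 'unconfined' is taken from the caller's namespace."""
    stack = target.startswith('&')
    if stack:
        target = target[1:]
    return stack, [parse_component(p, caller_ns) for p in target.split(SEP)]


def apply_change_profile(current: List[Profile], target: str,
                         caller_ns: str) -> List[Profile]:
    """New label after change_profile: the target, stacked onto current if '&'."""
    stack, new = parse_target(target, caller_ns)
    merged = current + new if stack else new
    seen, label = set(), []               # a label is a set of profiles; keep order
    for prof in merged:
        if prof not in seen:
            seen.add(prof)
            label.append(prof)
    return label


def format_label(label: List[Profile], viewer_ns: str) -> str:
    """Spell a label the way the report does: bare names for the viewer's own
    namespace, ':ns://name' for anything else."""
    return SEP.join(name if ns == viewer_ns else f':{ns}://{name}'
                    for ns, name in label)


if __name__ == '__main__':
    lxd = [('root', 'lxd')]
    target = '&:ns://foo//&unconfined'
    print('expected:', format_label(apply_change_profile(lxd, target, 'root'), 'root'))
    print('naive   :', format_label(naive_parse_target(target, 'root')[1], 'root'))
```

Run stand-alone it prints the expected stack from the report and, for contrast, the components the naive split produces, with 'unconfined' wrongly resolved in the root namespace.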


[Kernel-packages] [Bug 1658219] Re: flock not mediated by 'k'

2017-03-30 Thread John Johansen
Note: this bug affects more than just lock mediation permissions. It at
a minimum can also affect the mmap executable (m) permission.

Further work is required to resubmit this fix

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1658219

Title:
  flock not mediated by 'k'

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Triaged
Status in linux source package in Yakkety:
  Triaged

Bug description:
  $ cat ./apparmor.profile 
  #include 

  profile test {
#include 

/bin/bash ixr,
/dev/pts/* rw,
/usr/bin/flock ixr,
# Not blocked:
# aa-exec -p test -- flock -w 1 /tmp/test.lock -c true
/tmp/test.lock rw,

  }

  $ sudo apparmor_parser -r ./apparmor.profile

  $ aa-exec -p test -- flock -w 1 /tmp/test.lock -c true && echo yes
  yes

  $ ls -l /tmp/test.lock 
  -rw-rw-r-- 1 jamie jamie 0 Jan 20 15:57 /tmp/test.lock

  The flock command uses flock(LOCK_EX) and I expected it to be blocked
  due to the lack of 'k'.

  apparmor userspace 2.10.95-0ubuntu2.5 (xenial) and 4.9.0-12.13-generic
  kernel on amd64.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1658219/+subscriptions



[Kernel-packages] [Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

2017-03-30 Thread John Johansen
The entire apparmor patch series was reverted regardless of whether the
patch had any link to a regression, or security fix.

The majority of the patches will be reapplied and go through the SRU
cycle again.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1648143

Title:
  tor in lxd: apparmor="DENIED" operation="change_onexec"
  namespace="root//CONTAINERNAME_" profile="unconfined"
  name="system_tor"

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Fix Released
Status in tor package in Ubuntu:
  Invalid
Status in apparmor source package in Xenial:
  New
Status in linux source package in Xenial:
  Triaged
Status in tor source package in Xenial:
  Invalid
Status in apparmor source package in Yakkety:
  New
Status in linux source package in Yakkety:
  Triaged
Status in tor source package in Yakkety:
  Invalid

Bug description:
  Environment:
  

  Distribution: ubuntu
  Distribution version: 16.10
  lxc info:
  apiextensions:

  storage_zfs_remove_snapshots
  container_host_shutdown_timeout
  container_syscall_filtering
  auth_pki
  container_last_used_at
  etag
  patch
  usb_devices
  https_allowed_credentials
  image_compression_algorithm
  directory_manipulation
  container_cpu_time
  storage_zfs_use_refquota
  storage_lvm_mount_options
  network
  profile_usedby
  container_push
  apistatus: stable
  apiversion: "1.0"
  auth: trusted
  environment:
  addresses:
  163.172.48.149:8443
  172.20.10.1:8443
  172.20.11.1:8443
  172.20.12.1:8443
  172.20.22.1:8443
  172.20.21.1:8443
  10.8.0.1:8443
  architectures:
  x86_64
  i686
  certificate: |
  -BEGIN CERTIFICATE-
  -END CERTIFICATE-
  certificatefingerprint: 
3048baa9f20d316f60a6c602452b58409a6d9e2c3218897e8de7c7c72af0179b
  driver: lxc
  driverversion: 2.0.5
  kernel: Linux
  kernelarchitecture: x86_64
  kernelversion: 4.8.0-27-generic
  server: lxd
  serverpid: 32694
  serverversion: 2.4.1
  storage: btrfs
  storageversion: 4.7.3
  config:
  core.https_address: '[::]:8443'
  core.trust_password: true

  Container: ubuntu 16.10

  
  Issue description

  tor can't start in a non privileged container

  Logs from the container:

  Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
  Dec 7 15:03:00 anonymous systemd[303]: tor@default.service: Failed at step 
APPARMOR spawning /usr/bin/tor: No such file or directory
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Main process 
exited, code=exited, status=231/APPARMOR
  Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay 
network for TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Unit entered failed 
state.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed with result 
'exit-code'.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Service hold-off 
time over, scheduling restart.
  Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for 
TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed to reset 
devices.list: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on 
/system.slice/system-tor.slice/tor@default.service: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to 
set devices.allow on /system.slice/system-tor.slice/tor@default.service: 
Operation not permitted]
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device 
/run/systemd/inaccessible/chr
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device 
/run/systemd/inaccessible/blk
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on 
/system.slice/system-tor.slice/tor@default.service: Operation not permitted


  Logs from the host
  

  audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" 
operation="change_onexec" info="label not found" error=-2 
namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" 
  pid=12164 comm="(tor)"

  
  Steps to reproduce

  install ubuntu container 16.10 on a ubuntu 16.10 host
  install tor in the container
  Launch tor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/+subscriptions

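Two DENIED lines appear in this digest: the /dev/pts/ptmx open in bug 1684481, which the proposed fix answers with a file rule, and the change_onexec "label not found" in bug 1648143, which no file rule can answer because the target profile is not loaded in the container's policy namespace. The following is an added example, not part of either report: a Python triage of such audit lines that tells the two cases apart and, for file denials, prints the rule to add (denied_mask "wr" on /dev/pts/ptmx becomes "/dev/pts/ptmx rw,", the rule the comment in bug 1684481 suggests). The sample lines are the two from the reports, re-joined onto one line each; the list of file operation names is a partial assumption, and the mask mapping covers only the common file permission letters.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the two DENIED lines quoted in bug 1684481 (dmesg) and
# bug 1648143 (host audit log), re-joined onto one line each.
SAMPLE_LINES = [
    '[652759.606218] audit: type=1400 audit(1492671353.134:4520): apparmor="DENIED" '
    'operation="open" namespace="root//lxd-testkvm-xenial-from_" '
    'profile="libvirt-668e21f1-fa55-4a30-b325-0ed5cfd55e5b" name="/dev/pts/ptmx" '
    'pid=27162 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" '
    'fsuid=0 ouid=0',
    'audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" '
    'operation="change_onexec" info="label not found" error=-2 '
    'namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" '
    'pid=12164 comm="(tor)"',
]

# key=value pairs; values are either "quoted" (may contain spaces) or bare tokens.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Operations whose name= is a path and whose denied_mask maps onto a file rule.
# Assumption: a partial list of AppArmor file operation names, not exhaustive.
_FILE_OPS = {
    'open', 'create', 'unlink', 'mkdir', 'rmdir', 'truncate', 'getattr',
    'setattr', 'link', 'symlink', 'exec', 'file_mmap', 'file_lock',
    'file_perm', 'file_inherit',
}

# Audit mask letters -> file rule permission letters. 'c' (create) and
# 'd' (delete) are audit-only spellings that a rule grants with 'w'.
_MASK_TO_RULE = {'r': 'r', 'w': 'w', 'a': 'a', 'l': 'l', 'k': 'k',
                 'm': 'm', 'x': 'x', 'c': 'w', 'd': 'w'}
_RULE_ORDER = 'rwalkmx'


@dataclass
class Finding:
    namespace: str
    profile: str
    operation: str
    target: str
    kind: str        # 'file-rule', 'missing-profile' or 'other'
    suggestion: str


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Split an AppArmor audit line into its key=value fields (None if it is not one)."""
    if 'apparmor=' not in line:
        return None
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def normalise_mask(mask: str) -> str:
    """Turn a denied_mask such as 'wr' or 'wc' into rule letters in canonical order."""
    wanted = {_MASK_TO_RULE[ch] for ch in mask if ch in _MASK_TO_RULE}
    return ''.join(ch for ch in _RULE_ORDER if ch in wanted)


def triage(fields: Dict[str, str]) -> Finding:
    """Decide what, if anything, a policy author can do about one denial."""
    ns = fields.get('namespace', 'root')
    profile = fields.get('profile', '?')
    op = fields.get('operation', '?')
    target = fields.get('name', '')

    if op in _FILE_OPS and target.startswith('/'):
        perms = normalise_mask(fields.get('denied_mask', ''))
        rule = f'{target} {perms},'
        if 'x' in perms:
            # an exec transition needs a mode (ix/Px/Cx/ux); that is a policy decision
            rule += '  # exec: choose a transition mode instead of bare x'
        return Finding(ns, profile, op, target, 'file-rule',
                       f'add to profile {profile} in namespace {ns}: {rule}')

    if op in ('change_onexec', 'change_profile', 'change_hat') and \
            fields.get('info') == 'label not found':
        # error=-2 (ENOENT): the *target* label is not loaded where the caller
        # runs; no rule in the caller's profile can make it appear.
        return Finding(ns, profile, op, target, 'missing-profile',
                       f'profile {target!r} is not loaded in policy namespace '
                       f'{ns!r}; load it there (a file rule will not help)')

    return Finding(ns, profile, op, target, 'other',
                   f'{op} denied for {profile}: needs a matching non-file rule')


def triage_lines(lines: List[str]) -> List[Finding]:
    out = []
    for line in lines:
        fields = parse_audit_line(line)
        if fields and fields.get('apparmor') in ('DENIED', 'ALLOWED'):
            out.append(triage(fields))
    return out


if __name__ == '__main__':
    for finding in triage_lines(SAMPLE_LINES):
        print(f'[{finding.kind}] {finding.suggestion}')
```

The namespace field is the part to read first: "root//lxd-testkvm-xenial-from_" says the denial was evaluated by policy inside the container, so the libvirt profile to extend is the one loaded there, not a copy on the host.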


[Kernel-packages] [Bug 1638996] Re: apparmor's raw_data file in securityfs is sometimes truncated

2017-03-05 Thread John Johansen
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1638996

Title:
  apparmor's raw_data file in securityfs is sometimes truncated

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  Hi,

  It looks like sometimes apparmor's securityfs output is sometimes
  truncated,

  
root@zesty:/sys/kernel/security/apparmor/policy/namespaces/lxd-zest_/profiles/usr.lib.snapd.snap-confine.1#
 ls -al
  total 0
  drwxr-xr-x  3 root root 0 Nov  3 16:45 .
  drwxr-xr-x 13 root root 0 Nov  3 16:44 ..
  -r--r--r--  1 root root 0 Nov  3 16:45 attach
  -r--r--r--  1 root root 0 Nov  3 16:45 mode
  -r--r--r--  1 root root 0 Nov  3 16:45 name
  drwxr-xr-x  3 root root 0 Nov  3 16:45 profiles
  -r--r--r--  1 root root 0 Nov  3 16:45 raw_abi
  -r--r--r--  1 root root 46234 Nov  3 16:45 raw_data
  -r--r--r--  1 root root 0 Nov  3 16:45 raw_hash
  -r--r--r--  1 root root 0 Nov  3 16:45 sha1
  
root@zesty:/sys/kernel/security/apparmor/policy/namespaces/lxd-zest_/profiles/usr.lib.snapd.snap-confine.1#
 cat raw_data > /tmp/out
  
root@zesty:/sys/kernel/security/apparmor/policy/namespaces/lxd-zest_/profiles/usr.lib.snapd.snap-confine.1#
 ls -al /tmp/out 
  -rw-r--r-- 1 root root 4009 Nov  3 16:55 /tmp/out

  and

  2016-11-03 10:58:01 tych0 jjohansen: hi, http://paste.ubuntu.com/23421551/
  2016-11-03 10:58:18 tych0 it looks like fstat is lying to me about the size 
of the policy
  2016-11-03 10:59:20 @jjohansen  tych0: hrmm interesting, can you zip up the 
/tmp/out file so I can see it looks like a complete policy file?
  2016-11-03 11:00:03 @jjohansen  something is definitely not right there. hrmmm
  2016-11-03 11:00:26 @jjohansen  the size is set by the input buffer size
  2016-11-03 11:00:28 tych0 jjohansen: http://files.tycho.ws/tmp/out
  2016-11-03 11:00:36 tych0 yeah, i assume
  2016-11-03 11:01:15 @jjohansen  my guess is something is messing up in the 
seq_file walk of the policy
  2016-11-03 11:02:38 @jjohansen  tych0: yep the file is truncated, can you 
open a bug and I will start looking for it
  2016-11-03 11:03:14 tych0 jjohansen: sure, just on linux?
  2016-11-03 11:03:35 @jjohansen  tych0: yeah for now, just linux
  2016-11-03 11:03:43 @jjohansen  we can add others if needed later
  2016-11-03 11:03:44 tych0 jjohansen: FWIW, somehow it seems racy, because 
sometimes it works and sometimes it doesn't

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1638996/+subscriptions



[Kernel-packages] [Bug 1660832] Re: unix domain socket cross permission check failing with nested namespaces

2017-03-05 Thread John Johansen
** Tags removed: verification-needed-yakkety
** Tags added: verification-done-yakkety

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660832

Title:
  unix domain socket cross permission check failing with nested
  namespaces

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Fix Released
Status in apparmor source package in Xenial:
  Confirmed
Status in linux source package in Xenial:
  Fix Released
Status in apparmor source package in Yakkety:
  Confirmed
Status in linux source package in Yakkety:
  Fix Released
Status in apparmor source package in Zesty:
  Confirmed
Status in linux source package in Zesty:
  Fix Released

Bug description:
  When using nested namespaces policy within the nested namespace is trying
  to cross validate with policy outside of the namespace that is not
  visible to it. This results in the access being denied and with no way to
  add a rule to policy that would allow it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1660832/+subscriptions



[Kernel-packages] [Bug 1660834] Re: apparmor label leak when new label is unused

2017-03-05 Thread John Johansen
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660834

Title:
  apparmor label leak when new label is unused

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in linux source package in Zesty:
  Fix Released

Bug description:
  When a new label is created, it is created with a proxy in a circular
  ref count that is broken by replacement. However if the label is not
  used it will never be replaced and the circular ref count will never
  be broken resulting in a leak.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660834/+subscriptions



[Kernel-packages] [Bug 1660833] Re: apparmor reference count bug in label_merge_insert()

2017-03-05 Thread John Johansen
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety

https://bugs.launchpad.net/bugs/1660833

Title:
  apparmor reference count bug in label_merge_insert()

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in linux source package in Zesty:
  Fix Released

Bug description:
  @new does not have a reference taken locally and should not have its
  reference put locally either.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660833/+subscriptions



[Kernel-packages] [Bug 1660836] Re: apparmor auditing denied access of special apparmor .null file

2017-03-05 Thread John Johansen
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety

https://bugs.launchpad.net/bugs/1660836

Title:
  apparmor auditing denied access of special apparmor .null file

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in linux source package in Zesty:
  Fix Released

Bug description:
  When an fd is disallowed from being inherited during exec, instead of
  being closed it is duped to a special apparmor/.null file. This prevents the
  fd from being reused by another file in case the application expects
  the original file on a given fd (eg stdin/stdout etc). This results in
  a denial message like

  [32375.561535] audit: type=1400 audit(1478825963.441:358): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536

  Further access to the fd is resulting in the rather useless denial message
  of

  [32375.566820] audit: type=1400 audit(1478825963.445:359): apparmor="DENIED" operation="file_perm" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0

  since we have the original denial, the noisy and useless .null based
  denials can be skipped.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660836/+subscriptions



[Kernel-packages] [Bug 1660840] Re: apparmor oops in bind_mnt when dev_path lookup fails

2017-03-05 Thread John Johansen
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety

https://bugs.launchpad.net/bugs/1660840

Title:
  apparmor oops in bind_mnt when dev_path lookup fails

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in linux source package in Zesty:
  Fix Released

Bug description:
  Bind mounts can oops when devname lookup fails because the devname is
  uninitialized and used in auditing the denial.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660840/+subscriptions



[Kernel-packages] [Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

2017-03-05 Thread John Johansen
Please describe the failure, including the logs so I can analyze. Just
because the container fails to start does not mean that the fix is bad.
There can be other issues that result in the failure.

Specifically this bug is for the denial message seen in comment #5 and
not the denied messages (unlink) in comment #9, which are a separate
issue.

It appears to be working for me, with yakkety and zesty

https://bugs.launchpad.net/bugs/1648143

Title:
  tor in lxd: apparmor="DENIED" operation="change_onexec"
  namespace="root//CONTAINERNAME_" profile="unconfined"
  name="system_tor"

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Confirmed
Status in tor package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  New
Status in linux source package in Xenial:
  Fix Released
Status in tor source package in Xenial:
  New
Status in apparmor source package in Yakkety:
  New
Status in linux source package in Yakkety:
  Confirmed
Status in tor source package in Yakkety:
  New

Bug description:
  Environment:
  

  Distribution: ubuntu
  Distribution version: 16.10
  lxc info:
  apiextensions:

  storage_zfs_remove_snapshots
  container_host_shutdown_timeout
  container_syscall_filtering
  auth_pki
  container_last_used_at
  etag
  patch
  usb_devices
  https_allowed_credentials
  image_compression_algorithm
  directory_manipulation
  container_cpu_time
  storage_zfs_use_refquota
  storage_lvm_mount_options
  network
  profile_usedby
  container_push
  apistatus: stable
  apiversion: "1.0"
  auth: trusted
  environment:
  addresses:
  163.172.48.149:8443
  172.20.10.1:8443
  172.20.11.1:8443
  172.20.12.1:8443
  172.20.22.1:8443
  172.20.21.1:8443
  10.8.0.1:8443
  architectures:
  x86_64
  i686
  certificate: |
  -BEGIN CERTIFICATE-
  -END CERTIFICATE-
  certificatefingerprint: 3048baa9f20d316f60a6c602452b58409a6d9e2c3218897e8de7c7c72af0179b
  driver: lxc
  driverversion: 2.0.5
  kernel: Linux
  kernelarchitecture: x86_64
  kernelversion: 4.8.0-27-generic
  server: lxd
  serverpid: 32694
  serverversion: 2.4.1
  storage: btrfs
  storageversion: 4.7.3
  config:
  core.https_address: '[::]:8443'
  core.trust_password: true

  Container: ubuntu 16.10

  
  Issue description
  --

  
  tor can't start in a non privileged container

  
  Logs from the container:
  -

  Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
  Dec 7 15:03:00 anonymous systemd[303]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
  Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay network for TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Unit entered failed state.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed with result 'exit-code'.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
  Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed to reset devices.list: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted]
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/chr
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/blk
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted


  Logs from the host
  

  audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" pid=12164 comm="(tor)"

  
  Steps to reproduce
  -

  install ubuntu container 16.10 on a ubuntu 16.10 host
  install tor in the container
  Launch tor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/+subscriptions


[Kernel-packages] [Bug 1660849] Re: apparmor refcount leak of profile namespace when removing profiles

2017-03-05 Thread John Johansen
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety

https://bugs.launchpad.net/bugs/1660849

Title:
  apparmor refcount leak of profile namespace when removing profiles

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in linux source package in Zesty:
  Fix Released

Bug description:
  When doing profile removal, the parent ns of the profiles is taken,
  but the reference isn't being put, resulting in the ns never being
  freed even after it is removed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660849/+subscriptions



[Kernel-packages] [Bug 1656121] Re: unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt from an unshared mount namespace

2017-03-05 Thread John Johansen
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety

https://bugs.launchpad.net/bugs/1656121

Title:
  unexpected errno=13 and disconnected path when trying to open
  /proc/1/ns/mnt from an unshared mount namespace

Status in AppArmor:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  This bug is based on a discussion with jjohansen on IRC.

  While working on a feature for snapd
  (https://github.com/snapcore/snapd/pull/2624) we came across an
  unexpected EACCES that only seems to happen when apparmor is in the
  loop.

  The kernel log shows something interesting. The full log is available
  here: http://paste.ubuntu.com/23789099/

  Jan 12 23:16:43 autopkgtest kernel: [  498.616822] audit: type=1400 audit(1484259403.009:67): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="snap.test-snapd-tools.cmd//null-/usr/bin/snap//null-/usr/lib/snapd/snap-confine" name="" pid=25299 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  The code that triggers this is reproduced below (also visible here
  https://github.com/snapcore/snapd/pull/2624/files)

  +void sc_reassociate_with_pid1_mount_ns()
   +{
   +int init_mnt_fd __attribute__ ((cleanup(sc_cleanup_close))) = -1;
   +int self_mnt_fd __attribute__ ((cleanup(sc_cleanup_close))) = -1;
   +
   +debug("checking if the current process shares mount namespace"
   +  "with the init process");
   +
   +init_mnt_fd = open("/proc/1/ns/mnt",
   +   O_RDONLY | O_CLOEXEC | O_NOFOLLOW | O_PATH);
   +if (init_mnt_fd < 0) {
   +die("cannot open mount namespace of the init process (O_PATH)");
   +}
   +self_mnt_fd = open("/proc/self/ns/mnt",
   +   O_RDONLY | O_CLOEXEC | O_NOFOLLOW | O_PATH);
   +if (self_mnt_fd < 0) {
   +die("cannot open mount namespace of the current process 
(O_PATH)");
   +}
   +char init_buf[128], self_buf[128];
   +memset(init_buf, 0, sizeof init_buf);
   +if (readlinkat(init_mnt_fd, "", init_buf, sizeof init_buf) < 0) {
   +die("cannot perform readlinkat() on the mount namespace file "
   +"descriptor of the init process");
   +}
   +memset(self_buf, 0, sizeof self_buf);
   +if (readlinkat(self_mnt_fd, "", self_buf, sizeof self_buf) < 0) {
   +die("cannot perform readlinkat() on the mount namespace file "
   +"descriptor of the current process");
   +}
   +if (memcmp(init_buf, self_buf, sizeof init_buf) != 0) {
   +debug("the current process does not share mount namespace with "
   +  "the init process, re-association required");
   +// NOTE: we cannot use O_NOFOLLOW here because that file will 
always be a
   +// symbolic link. We actually want to open it this way.
   +int init_mnt_fd_real
   +__attribute__ ((cleanup(sc_cleanup_close))) = -1;
   +init_mnt_fd_real = open("/proc/1/ns/mnt", O_RDONLY | O_CLOEXEC);
   +if (init_mnt_fd_real < 0) {
   +die("cannot open mount namespace of the init process");
   +}
   +if (setns(init_mnt_fd_real, CLONE_NEWNS) < 0) {
   +die("cannot re-associate the mount namespace with the 
init process");
   +}
   +} else {
   +debug("re-associating is not required");
   +}
   +}
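Review bot: the first debug() call concatenates "...shares mount namespace" and "with the init process" with no separating space, so the message reads "namespacewith"; add a trailing space to the first literal. The readlinkat() results are also not checked for truncation: readlinkat() does not NUL-terminate and returns the byte count, so a return value equal to sizeof init_buf (or sizeof self_buf) means the link text was cut off and the later memcmp() would compare truncated strings; treating that case as an error before the comparison keeps the namespace check sound.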

  The specific part that causes the error is:

   +  init_mnt_fd_real = open("/proc/1/ns/mnt", O_RDONLY | O_CLOEXEC);

  The call to open returns -1 and errno set to 13 (EACCES) despite using
  attach_disconnected.

  The code in question is executed from a setuid root executable that
  runs under a complain-mode profile (it is started from a process that
  is already confined with such a profile). All of the profiles are
  using attach_disconnected.

  I can reproduce this issue each time by running:

  spread -debug -v qemu:ubuntu-16.04-64:tests/regression/lp-1644439

  Against the code in this pull request:

  https://github.com/snapcore/snapd/pull/2624

  Which is git://github.com/zyga/snapd in the "reassociate-fix" branch

  Appropriate qemu images can be made using instructions from:

  https://github.com/zyga/spread-qemu-images

  I'm also happy to try any test kernels as I can easily run those.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1656121/+subscriptions


[Kernel-packages] [Bug 1664912] Re: linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial 4.4.0-63.84~14.04.2

2017-03-04 Thread John Johansen
** Tags removed: verification-needed-xenial verification-needed-yakkety
** Tags added: verification-done-xenial verification-done-yakkety

https://bugs.launchpad.net/bugs/1664912

Title:
  linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-
  xenial 4.4.0-63.84~14.04.2

Status in linux package in Ubuntu:
  Fix Released
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux source package in Trusty:
  Invalid
Status in linux-lts-xenial source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Released
Status in linux-lts-xenial source package in Xenial:
  Invalid
Status in linux source package in Yakkety:
  Fix Released
Status in linux-lts-xenial source package in Yakkety:
  Invalid
Status in linux source package in Zesty:
  Fix Released
Status in linux-lts-xenial source package in Zesty:
  Invalid

Bug description:
  Testing failed on:
    amd64: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-trusty/trusty/amd64/l/linux-lts-xenial/20170214_051856_a19a2@/log.gz

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1664912/+subscriptions



[Kernel-packages] [Bug 1669611] Re: Regression in 4.4.0-65-generic causes very frequent system crashes

2017-03-03 Thread John Johansen
The issue appears to be refcount related, I am still chasing this one
down but for this release we should revert

UBUNTU: SAUCE: apparmor: fix lock ordering for mkdir
UBUNTU: SAUCE: apparmor: fix leak on securityfs pin count
UBUNTU: SAUCE: apparmor: fix reference count leak when securityfs_setup_d_inode() fails
UBUNTU: SAUCE: apparmor: fix not handling error case when securityfs_pin_fs() fails

a kernel with these patches reverted has been tested and it fixes the
issue

https://bugs.launchpad.net/bugs/1669611

Title:
  Regression in 4.4.0-65-generic causes very frequent system crashes

Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Xenial:
  Triaged

Bug description:
  After upgrading to 4.4.0-65-generic all of our Jenkins test runners
  are dying every 10 minutes or so. They don't answer on the network, on
  the console or through serial console.

  The kernel backtraces we got are:
  ```
  buildd04 login: [ 1443.707658] BUG: unable to handle kernel paging request at 
2d5e501d
  [ 1443.707969] IP: [] mntget+0xf/0x20
  [ 1443.708086] *pdpt = 24056001 *pde = 
  [ 1443.708237] Oops: 0002 [#1] SMP
  [ 1443.708325] Modules linked in: ip6t_REJECT nf_reject_ipv6 ipt_REJECT 
nf_reject_ipv4 ip6t_MASQUERADE nf_nat_masquerade_ipv6 ip6table_nat 
nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_filter ip6_tables 
xt_comment veth ebtable_filter ebtables dm_snapshot dm_thin_pool 
dm_persistent_data dm_bio_prison dm_bufio libcrc32c binfmt_misc xt_CHECKSUM 
iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat 
nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_tcpudp 
iptable_filter ip_tables x_tables zram lz4_compress bridge stp llc kvm_intel 
ppdev kvm irqbypass crc32_pclmul aesni_intel aes_i586 xts lrw gf128mul 
ablk_helper cryptd joydev input_leds serio_raw parport_pc 8250_fintek i2c_piix4 
mac_hid lp parport autofs4 btrfs xor raid6_pq psmouse virtio_scsi pata_acpi 
floppy
  [ 1443.710365] CPU: 1 PID: 14167 Comm: apparmor_parser Not tainted 
4.4.0-65-generic #86-Ubuntu
  [ 1443.710505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
Bochs 01/01/2011
  [ 1443.710651] task: f5920a00 ti: e63f2000 task.ti: e63f2000
  [ 1443.710776] EIP: 0060:[] EFLAGS: 00010286 CPU: 1
  [ 1443.710875] EIP is at mntget+0xf/0x20
  [ 1443.710946] EAX: f57e4d90 EBX:  ECX: c1d333cc EDX: 0002801d
  [ 1443.711088] ESI: c1d36404 EDI: c1d36408 EBP: e63f3de8 ESP: e63f3de8
  [ 1443.711228]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
  [ 1443.711334] CR0: 80050033 CR2: 2d5e501d CR3: 35072440 CR4: 001406f0
  [ 1443.711471] Stack:
  [ 1443.711593]  e63f3e04 c1203752 c13b7f71 c1d333cc eebb5980 e59d71e0 
41ed e63f3e30
  [ 1443.711822]  c130546b e59d7230 1a628dcf 0003  e63f3e58 
6c0a010a e53b6800
  [ 1443.712044]  00de eebb5980 e63f3e44 c13055be   
 e63f3e6c
  [ 1443.712264] Call Trace:
  [ 1443.712314]  [] simple_pin_fs+0x32/0xa0
  [ 1443.712421]  [] ? vsnprintf+0x321/0x420
  [ 1443.712516]  [] securityfs_create_dentry+0x5b/0x150
  [ 1443.712632]  [] securityfs_create_dir+0x2e/0x30
  [ 1443.712729]  [] __aa_fs_profile_mkdir+0x46/0x3c0
  [ 1443.712826]  [] aa_replace_profiles+0x4c0/0xbc0
  [ 1443.712927]  [] ? ns_capable_common+0x55/0x80
  [ 1443.713022]  [] policy_update+0x97/0x230
  [ 1443.713122]  [] ? security_file_permission+0x39/0xc0
  [ 1443.713247]  [] profile_replace+0x98/0xe0
  [ 1443.713346]  [] ? policy_update+0x230/0x230
  [ 1443.713445]  [] __vfs_write+0x1f/0x50
  [ 1443.713535]  [] vfs_write+0x8c/0x1b0
  [ 1443.713633]  [] SyS_write+0x51/0xb0
  [ 1443.713738]  [] do_fast_syscall_32+0x8d/0x150
  [ 1443.713838]  [] sysenter_past_esp+0x3d/0x61
  [ 1443.713938] Code: c0 74 09 83 42 10 01 89 d0 5b 5d c3 3b 5b 10 b8 fe ff ff 
ff 75 e3 eb eb 8d 74 26 00 55 89 e5 3e 8d 74 26 00 85 c0 74 06 8b 50 14 <64> ff 
02 5d c3 8d b6 00 00 00 00 8d bf 00 00 00 00 55 89 e5 3e
  [ 1443.715713] EIP: [] mntget+0xf/0x20 SS:ESP 0068:e63f3de8
  [ 1443.715852] CR2: 2d5e501d
  ```

  ```
  buildd07 login: [ 1262.522071] BUG: unable to handle kernel NULL pointer 
dereference at 0008
  [ 1262.522339] IP: [] mntput_no_expire+0x68/0x180
  [ 1262.522464] PGD 439912067 PUD 43997f067 PMD 0
  [ 1262.522556] Oops: 0002 [#1] SMP
  [ 1262.522760] Modules linked in: ip6t_REJECT nf_reject_ipv6 ipt_REJECT 
nf_reject_ipv4 ip6t_MASQUERADE nf_nat_masquerade_ipv6 ip6table_nat 
nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_filter ip6_tables 
xt_comment veth ebtable_filter ebtables dm_snapshot dm_thin_pool 
dm_persistent_data dm_bio_prison dm_bufio libcrc32c binfmt_misc xt_CHECKSUM 
iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat 
nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_tcpudp 
iptable_filter ip_tables x_tables bridge stp llc zram lz4_comp

[Kernel-packages] [Bug 1664912] Re: linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial 4.4.0-63.84~14.04.2

2017-02-16 Thread John Johansen
A patch has been submitted to the kernel-t...@lists.ubuntu.com mail list


** Changed in: linux (Ubuntu Xenial)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Zesty)
   Status: Incomplete => In Progress

https://bugs.launchpad.net/bugs/1664912

Title:
  linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-
  xenial 4.4.0-63.84~14.04.2

Status in linux package in Ubuntu:
  In Progress
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux source package in Trusty:
  Invalid
Status in linux-lts-xenial source package in Trusty:
  Confirmed
Status in linux source package in Xenial:
  In Progress
Status in linux-lts-xenial source package in Xenial:
  Invalid
Status in linux source package in Yakkety:
  In Progress
Status in linux-lts-xenial source package in Yakkety:
  Invalid
Status in linux source package in Zesty:
  In Progress
Status in linux-lts-xenial source package in Zesty:
  Invalid

Bug description:
  Testing failed on:
    amd64: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-trusty/trusty/amd64/l/linux-lts-xenial/20170214_051856_a19a2@/log.gz

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1664912/+subscriptions



[Kernel-packages] [Bug 1664912] Re: linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial 4.4.0-63.84~14.04.2

2017-02-15 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux-lts-xenial (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux-lts-xenial (Ubuntu Zesty)
   Importance: High
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux-lts-xenial (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: linux-lts-xenial (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-lts-xenial (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-lts-xenial (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: linux-lts-xenial (Ubuntu Zesty)
   Status: New => Invalid

https://bugs.launchpad.net/bugs/1664912

Title:
  linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-
  xenial 4.4.0-63.84~14.04.2

Status in linux package in Ubuntu:
  Incomplete
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux source package in Trusty:
  Invalid
Status in linux-lts-xenial source package in Trusty:
  New
Status in linux source package in Xenial:
  Incomplete
Status in linux-lts-xenial source package in Xenial:
  Invalid
Status in linux source package in Yakkety:
  Incomplete
Status in linux-lts-xenial source package in Yakkety:
  Invalid
Status in linux source package in Zesty:
  Incomplete
Status in linux-lts-xenial source package in Zesty:
  Invalid

Bug description:
  Testing failed on:
    amd64: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-trusty/trusty/amd64/l/linux-lts-xenial/20170214_051856_a19a2@/log.gz

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1664912/+subscriptions



[Kernel-packages] [Bug 1660833] Re: apparmor reference count bug in label_merge_insert()

2017-02-01 Thread John Johansen
** Changed in: linux (Ubuntu Xenial)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Zesty)
   Status: Incomplete => In Progress

https://bugs.launchpad.net/bugs/1660833

Title:
  apparmor reference count bug in label_merge_insert()

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Yakkety:
  In Progress
Status in linux source package in Zesty:
  In Progress

Bug description:
  @new does not have a reference taken locally and should not have its
  reference put locally either.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660833/+subscriptions



[Kernel-packages] [Bug 1660840] Re: apparmor oops in bind_mnt when dev_path lookup fails

2017-02-01 Thread John Johansen
** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: Incomplete

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Zesty)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Yakkety)
   Status: New => In Progress

** Changed in: linux (Ubuntu Xenial)
   Status: New => In Progress

https://bugs.launchpad.net/bugs/1660840

Title:
  apparmor oops in bind_mnt when dev_path lookup fails

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Yakkety:
  In Progress
Status in linux source package in Zesty:
  In Progress

Bug description:
  Bind mounts can oops when devname lookup fails because the devname is
  uninitialized and used in auditing the denial.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660840/+subscriptions



[Kernel-packages] [Bug 1660846] Re: apparmor leaking securityfs pin count

2017-02-01 Thread John Johansen
** Changed in: linux (Ubuntu Xenial)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Zesty)
   Status: Incomplete => In Progress

https://bugs.launchpad.net/bugs/1660846

Title:
  apparmor leaking securityfs pin count

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Yakkety:
  In Progress
Status in linux source package in Zesty:
  In Progress

Bug description:
  apparmor is leaking the pinfs refcount when inode setup fails.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660846/+subscriptions



[Kernel-packages] [Bug 1660834] Re: apparmor label leak when new label is unused

2017-02-01 Thread John Johansen
** Changed in: linux (Ubuntu Xenial)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Zesty)
   Status: Incomplete => In Progress

https://bugs.launchpad.net/bugs/1660834

Title:
  apparmor label leak when new label is unused

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Yakkety:
  In Progress
Status in linux source package in Zesty:
  In Progress

Bug description:
  When a new label is created, it is created with a proxy in a circular
  ref count that is broken by replacement. However if the label is not
  used it will never be replaced and the circular ref count will never
  be broken resulting in a leak.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660834/+subscriptions



[Kernel-packages] [Bug 1660836] Re: apparmor auditing denied access of special apparmor .null file

2017-02-01 Thread John Johansen
** Changed in: linux (Ubuntu Xenial)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Zesty)
   Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660836

Title:
  apparmor auditing denied access of special apparmor .null file

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Yakkety:
  In Progress
Status in linux source package in Zesty:
  In Progress

Bug description:
  When an fd is disallowed from being inherited during exec, instead of
  being closed it is duped to a special apparmor/.null file. This prevents the
  fd from being reused by another file in case the application expects
  the original file on a given fd (e.g. stdin/stdout etc). This results in
  a denial message like

  [32375.561535] audit: type=1400 audit(1478825963.441:358): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536

  Further access to the fd is resulting in the rather useless denial message
  of

  [32375.566820] audit: type=1400 audit(1478825963.445:359): apparmor="DENIED" operation="file_perm" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0

  Since we have the original denial, the noisy and useless .null based
  denials can be skipped.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660836/+subscriptions



[Kernel-packages] [Bug 1660842] Re: apparmor not checking error if security_pin_fs() fails

2017-02-01 Thread John Johansen
** Changed in: linux (Ubuntu Xenial)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Zesty)
   Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660842

Title:
  apparmor not checking error if security_pin_fs() fails

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Yakkety:
  In Progress
Status in linux source package in Zesty:
  In Progress

Bug description:
  The error condition of security_pin_fs() was not being checked, which
  can result in an oops or use after free, due to the fs pin count not
  being incremented.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660842/+subscriptions



[Kernel-packages] [Bug 1660845] Re: apparmor reference count leak when securityfs_setup_d_inode() fails

2017-02-01 Thread John Johansen
** Changed in: linux (Ubuntu Xenial)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Zesty)
   Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660845

Title:
  apparmor reference count leak when securityfs_setup_d_inode() fails

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Yakkety:
  In Progress
Status in linux source package in Zesty:
  In Progress

Bug description:
  apparmor is leaking the parent ns ref count by directly returning the
  error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660845/+subscriptions



[Kernel-packages] [Bug 1660849] Re: apparmor refcount leak of profile namespace when removing profiles

2017-02-01 Thread John Johansen
** Changed in: linux (Ubuntu Xenial)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Zesty)
   Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660849

Title:
  apparmor refcount leak of profile namespace when removing profiles

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Yakkety:
  In Progress
Status in linux source package in Zesty:
  In Progress

Bug description:
  When doing profile removal, the parent ns of the profiles is taken,
  but the reference isn't being put, resulting in the ns never being
  freed even after it is removed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660849/+subscriptions



[Kernel-packages] [Bug 1658625] Re: linux i386 ADT apparmor self-tests OOM machine with linux-4.9.0-12.13

2017-02-01 Thread John Johansen
I have sent pull requests to the kt mailing list that include the
current ref count leak fixes.

This set however does not fix all the leaks and I am still working on
nailing them down when I can.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1658625

Title:
  linux i386 ADT apparmor self-tests OOM machine with linux-4.9.0-12.13

Status in linux package in Ubuntu:
  In Progress

Bug description:
  Seems we are getting into an OOM situation when running ADT testing.
  This looks to be in the apparmor tests:

09:57:14 ERROR| [stderr] Run kernel regression tests from 14.04's apparmor_2.8.95~2430-0ubuntu5.3 ... ok
09:57:14 ERROR| [stderr] test_parser_testsuite (__main__.ApparmorTestsuites)
09:57:20 DEBUG| [stdout] (skipped: This test is only for 14.04 systems with the apparmor 2.10.95 SRU or newer installed) (skipped: This test is only for 14.04 systems with the apparmor 2.10.95 SRU or newer installed)
10:15:45 ERROR| [stderr] Run parser regression tests ... ok
10:15:46 ERROR| [stderr] test_regression_testsuite (__main__.ApparmorTestsuites)
10:15:48 DEBUG| [stdout]   preparing apparmor_2.10.95-4ubuntu5.2.dsc... done
10:15:48 DEBUG| [stdout]
Killed

  Console:

  autopkgtest login: [ 2838.328079] AppArmor: change_hat: Invalid input '^open'[ 2838.334310] AppArmor: change_hat: Invalid input '^'
  [ 2838.341460] AppArmor: change_hat: Invalid input, NULL hat and NULL magic[ 2838.349735] AppArmor: change_hat: Invalid input, NULL hat and NULL magic[ 2838.357374]
  AppArmor: change_hat: Invalid input '^open'
  AppArmor: change_hat: Invalid input '^'[ 2838.359310] AppArmor: change_hat: Invalid input '^'
  [ 2955.837326] Out of memory: Kill process 1554 (rsyslogd) score 6 or sacrifice child
  [ 2955.840293] Killed process 1554 (rsyslogd) total-vm:91072kB, anon-rss:52204kB, file-rss:2356kB, shmem-rss:0kB
  [ 3012.314564] Out of memory: Kill process 13148 (autotest-local) score 1 or sacrifice child
  [ 3012.315622] Killed process 24345 (autotest-local) total-vm:18040kB, anon-rss:7280kB, file-rss:3544kB, shmem-rss:0kB

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1658625/+subscriptions



[Kernel-packages] [Bug 1660832] Re: unix domain socket cross permission check failing with nested namespaces

2017-02-01 Thread John Johansen
** Changed in: linux (Ubuntu Xenial)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Zesty)
   Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660832

Title:
  unix domain socket cross permission check failing with nested
  namespaces

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  In Progress
Status in apparmor source package in Xenial:
  New
Status in linux source package in Xenial:
  In Progress
Status in apparmor source package in Yakkety:
  New
Status in linux source package in Yakkety:
  In Progress
Status in apparmor source package in Zesty:
  New
Status in linux source package in Zesty:
  In Progress

Bug description:
  When using nested namespaces, policy within the nested namespace is trying
  to cross-validate with policy outside of the namespace that is not
  visible to it. This results in the access being denied, with no way to
  add a rule to policy that would allow it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1660832/+subscriptions



[Kernel-packages] [Bug 1660849] [NEW] apparmor refcount leak of profile namespace when removing profiles

2017-01-31 Thread John Johansen
Public bug reported:

When doing profile removal, the parent ns of the profiles is taken, but
the reference isn't being put, resulting in the ns never being freed
even after it is removed.

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660849

Title:
  apparmor refcount leak of profile namespace when removing profiles

Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  New
Status in linux source package in Yakkety:
  New
Status in linux source package in Zesty:
  New

Bug description:
  When doing profile removal, the parent ns of the profiles is taken,
  but the reference isn't being put, resulting in the ns never being
  freed even after it is removed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660849/+subscriptions



[Kernel-packages] [Bug 1660845] [NEW] apparmor reference count leak when securityfs_setup_d_inode() fails

2017-01-31 Thread John Johansen
Public bug reported:

apparmor is leaking the parent ns ref count by directly returning the
error.

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660845

Title:
  apparmor reference count leak when securityfs_setup_d_inode() fails

Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  New
Status in linux source package in Yakkety:
  New
Status in linux source package in Zesty:
  New

Bug description:
  apparmor is leaking the parent ns ref count by directly returning the
  error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660845/+subscriptions



[Kernel-packages] [Bug 1660846] [NEW] apparmor leaking securityfs pin count

2017-01-31 Thread John Johansen
Public bug reported:

apparmor is leaking the pinfs refcount when inode setup fails.

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660846

Title:
  apparmor leaking securityfs pin count

Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  New
Status in linux source package in Yakkety:
  New
Status in linux source package in Zesty:
  New

Bug description:
  apparmor is leaking the pinfs refcount when inode setup fails.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660846/+subscriptions



[Kernel-packages] [Bug 1660842] [NEW] apparmor not checking error if security_pin_fs() fails

2017-01-31 Thread John Johansen
Public bug reported:

The error condition of security_pin_fs() was not being checked, which
can result in an oops or use after free, due to the fs pin count not
being incremented.

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660842

Title:
  apparmor not checking error if security_pin_fs() fails

Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  New
Status in linux source package in Yakkety:
  New
Status in linux source package in Zesty:
  New

Bug description:
  The error condition of security_pin_fs() was not being checked, which
  can result in an oops or use after free, due to the fs pin count not
  being incremented.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660842/+subscriptions



[Kernel-packages] [Bug 1634753] Re: srcname from mount rule corrupted under load

2017-01-31 Thread John Johansen
** Changed in: apparmor
   Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1634753

Title:
  srcname from mount rule corrupted under load

Status in AppArmor:
  Invalid
Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Invalid

Bug description:
  This came up in snapd spread tests but can be reproduced with:

  In an i386 up to date 16.04 VM:

  1. in one terminal, run this:

  $ cat reproducer.sh
  #!/bin/sh
  set -e
  # Let every denial reach syslog; otherwise the kernel rate-limits the audit messages.
  sudo sysctl -w kernel.printk_ratelimit=0
  sudo snap install hello-world || true

  count=0
  while /bin/true ; do
      count=$((count+1))
      if [ $((count % 100)) -eq 0 ]; then
          echo "$count runs"
      fi
      # Stop at the first run that fails with an AppArmor denial in syslog.
      hello-world > /dev/null || {
          tail -100 /var/log/syslog | grep DEN && exit
      }
      # Try to read the preserved mount namespace; if that fails, discard it
      # so the next run sets the snap's mounts up again.
      sudo cat /run/snapd/ns/hello-world.mnt 2>/dev/null || sudo /usr/lib/snapd/snap-discard-ns hello-world
  done

  2. in another terminal run:
  $ while /bin/true ;do sudo apparmor_parser -r /etc/apparmor.d/* >/dev/null 2>&1 ; done

  3. In another terminal:
  $ tail -f /var/log/syslog|grep DEN

  This is not limited to i386.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1634753/+subscriptions



[Kernel-packages] [Bug 1660840] [NEW] apparmor oops in bind_mnt when dev_path lookup fails

2017-01-31 Thread John Johansen
Public bug reported:

Bind mounts can oops when devname lookup fails because the devname is
uninitialized and used in auditing the denial.

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660840

Title:
  apparmor oops in bind_mnt when dev_path lookup fails

Status in linux package in Ubuntu:
  New

Bug description:
  Bind mounts can oops when devname lookup fails because the devname is
  uninitialized and used in auditing the denial.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660840/+subscriptions



[Kernel-packages] [Bug 1660836] [NEW] apparmor auditing denied access of special apparmor .null file

2017-01-31 Thread John Johansen
Public bug reported:

When an fd is disallowed from being inherited during exec, instead of
being closed it is duped to a special apparmor/.null file. This prevents the
fd from being reused by another file in case the application expects
the original file on a given fd (e.g. stdin/stdout etc). This results in
a denial message like

[32375.561535] audit: type=1400 audit(1478825963.441:358): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536

Further access to the fd is resulting in the rather useless denial message
of

[32375.566820] audit: type=1400 audit(1478825963.445:359): apparmor="DENIED" operation="file_perm" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0

Since we have the original denial, the noisy and useless .null based
denials can be skipped.

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: Incomplete

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: Incomplete

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: Incomplete

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: Incomplete

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660836

Title:
  apparmor auditing denied access of special apparmor .null file

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Incomplete
Status in linux source package in Yakkety:
  Incomplete
Status in linux source package in Zesty:
  Incomplete

Bug description:
  When an fd is disallowed from being inherited during exec, instead of
  being closed it is duped to a special apparmor/.null file. This prevents the
  fd from being reused by another file in case the application expects
  the original file on a given fd (e.g. stdin/stdout etc). This results in
  a denial message like

  [32375.561535] audit: type=1400 audit(1478825963.441:358): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536

  Further access to the fd is resulting in the rather useless denial message
  of

  [32375.566820] audit: type=1400 audit(1478825963.445:359): apparmor="DENIED" operation="file_perm" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0

  Since we have the original denial, the noisy and useless .null based
  denials can be skipped.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660836/+subscriptions

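The bug report above (and its earlier copy in this digest) argues that once the file_inherit denial has been logged, the follow-on denials against apparmor/.null add nothing. The example below is an added illustration, not code from the report or the AppArmor project, of doing that filtering on the log-consumer side: it parses the audit records and drops a .null denial only when a file_inherit denial for the same namespace/profile/pid has already been seen. The field names come from the records in the report; the sample input is those two records re-joined onto one line each plus one constructed, unrelated denial.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Path the AppArmor LSM dups a disallowed inherited fd onto (taken from the report).
NULL_FILE = "/apparmor/.null"

# One key=value field; quoted values may contain spaces, bare values may not.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The audit(<timestamp>:<serial>) stamp that orders records from one task.
_STAMP_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# Constructed sample: the two records from the report re-joined onto one line
# each, followed by one made-up unrelated denial for the same task.
SAMPLE_LOG = """\
[32375.561535] audit: type=1400 audit(1478825963.441:358): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536
[32375.566820] audit: type=1400 audit(1478825963.445:359): apparmor="DENIED" operation="file_perm" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0
[32380.100000] audit: type=1400 audit(1478825968.001:360): apparmor="DENIED" operation="open" namespace="root//lxd-t_" profile="/sbin/dhclient" name="/etc/dhcp/extra.conf" pid=16795 comm="dhclient" requested_mask="r" denied_mask="r" fsuid=165536 ouid=0
"""


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one AppArmor audit record as a dict.

    Lines that are not AppArmor records yield an empty dict."""
    if 'apparmor="' not in line:
        return {}
    fields = {key: quoted or bare for key, quoted, bare in _FIELD_RE.findall(line)}
    stamp = _STAMP_RE.search(line)
    if stamp:
        fields["audit_time"], fields["serial"] = stamp.group(1), stamp.group(2)
    return fields


def task_key(rec: Dict[str, str]) -> Tuple[str, str, str]:
    """Identity of the confined task a record is about: namespace, profile, pid."""
    return (rec.get("namespace", ""), rec.get("profile", ""), rec.get("pid", ""))


def filter_null_denials(lines: Iterable[str]) -> Tuple[List[Dict[str, str]], int]:
    """Drop .null denials that merely repeat an earlier file_inherit denial.

    A .null record for a task whose file_inherit denial was never seen is
    kept, since then it is the only evidence of the cut-off fd.  Returns
    (records kept, number of records suppressed)."""
    kept: List[Dict[str, str]] = []
    suppressed = 0
    inherit_denied: Set[Tuple[str, str, str]] = set()
    for line in lines:
        rec = parse_audit_line(line)
        if not rec:
            continue
        if rec.get("apparmor") != "DENIED":
            kept.append(rec)
            continue
        key = task_key(rec)
        if rec.get("operation") == "file_inherit":
            # The original denial names the real file (/dev/pts/1 above) and
            # is what an admin needs in order to write the missing rule.
            inherit_denied.add(key)
        elif rec.get("name") == NULL_FILE and key in inherit_denied:
            # Follow-on access to the placeholder fd: nothing new to learn.
            suppressed += 1
            continue
        kept.append(rec)
    return kept, suppressed


if __name__ == "__main__":
    kept_records, dropped = filter_null_denials(SAMPLE_LOG.splitlines())
    for rec in kept_records:
        print(f'serial={rec.get("serial")} op={rec.get("operation")} name={rec.get("name")}')
    print(f"suppressed {dropped} .null denial(s)")
```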


[Kernel-packages] [Bug 1660833] [NEW] apparmor reference count bug in label_merge_insert()

2017-01-31 Thread John Johansen
Public bug reported:

@new does not have a reference taken locally and should not have its
reference put locally either.

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660833

Title:
  apparmor reference count bug in label_merge_insert()

Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  New
Status in linux source package in Yakkety:
  New
Status in linux source package in Zesty:
  New

Bug description:
  @new does not have a reference taken locally and should not have its
  reference put locally either.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660833/+subscriptions



[Kernel-packages] [Bug 1660832] [NEW] unix domain socket cross permission check failing with nested namespaces

2017-01-31 Thread John Johansen
Public bug reported:

When using nested namespaces, policy within the nested namespace is trying
to cross-validate with policy outside of the namespace that is not
visible to it. This results in the access being denied, with no way to
add a rule to policy that would allow it.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: Incomplete

** Affects: apparmor (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: apparmor (Ubuntu Yakkety)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: New

** Affects: apparmor (Ubuntu Zesty)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: Incomplete

** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660832

Title:
  unix domain socket cross permission check failing with nested
  namespaces

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in apparmor source package in Xenial:
  New
Status in linux source package in Xenial:
  New
Status in apparmor source package in Yakkety:
  New
Status in linux source package in Yakkety:
  New
Status in apparmor source package in Zesty:
  New
Status in linux source package in Zesty:
  Incomplete

Bug description:
  When using nested namespaces, policy within the nested namespace is trying
  to cross-validate with policy outside of the namespace that is not
  visible to it. This results in the access being denied, with no way to
  add a rule to policy that would allow it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1660832/+subscriptions



[Kernel-packages] [Bug 1660834] [NEW] apparmor label leak when new label is unused

2017-01-31 Thread John Johansen
Public bug reported:

When a new label is created, it is created with a proxy in a circular
ref count that is broken by replacement. However, if the label is not
used it will never be replaced and the circular ref count will never
be broken, resulting in a leak.

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Status: New

** Affects: linux (Ubuntu Zesty)
 Importance: Undecided
 Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660834

Title:
  apparmor label leak when new label is unused

Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  New
Status in linux source package in Yakkety:
  New
Status in linux source package in Zesty:
  New

Bug description:
  When a new label is created, it is created with a proxy in a circular
  ref count that is broken by replacement. However, if the label is not
  used it will never be replaced and the circular ref count will never
  be broken, resulting in a leak.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660834/+subscriptions



[Kernel-packages] [Bug 1658625] Re: linux i386 ADT apparmor self-tests OOM machine with linux-4.9.0-12.13

2017-01-23 Thread John Johansen
There are definitely several ref count leaks that can lead to memory
leaking during policy replacement. I haven't been able to trace down
every leak yet, but the kernel in

http://people.canonical.com/~jj/lp1656121/

contains several fixes that should help. I need to finish cleaning up
the series and push it out this week.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1658625

Title:
  linux i386 ADT apparmor self-tests OOM machine with linux-4.9.0-12.13

Status in linux package in Ubuntu:
  In Progress

Bug description:
  Seems we are getting into an OOM situation when running ADT testing.
  This looks to be in the apparmor tests:

09:57:14 ERROR| [stderr] Run kernel regression tests from 14.04's apparmor_2.8.95~2430-0ubuntu5.3 ... ok
09:57:14 ERROR| [stderr] test_parser_testsuite (__main__.ApparmorTestsuites)
09:57:20 DEBUG| [stdout] (skipped: This test is only for 14.04 systems with the apparmor 2.10.95 SRU or newer installed) (skipped: This test is only for 14.04 systems with the apparmor 2.10.95 SRU or newer installed)
10:15:45 ERROR| [stderr] Run parser regression tests ... ok
10:15:46 ERROR| [stderr] test_regression_testsuite (__main__.ApparmorTestsuites)
10:15:48 DEBUG| [stdout]   preparing apparmor_2.10.95-4ubuntu5.2.dsc... done
10:15:48 DEBUG| [stdout]
Killed

  Console:

  autopkgtest login: [ 2838.328079] AppArmor: change_hat: Invalid input '^open'[ 2838.334310] AppArmor: change_hat: Invalid input '^'
  [ 2838.341460] AppArmor: change_hat: Invalid input, NULL hat and NULL magic[ 2838.349735] AppArmor: change_hat: Invalid input, NULL hat and NULL magic[ 2838.357374]
  AppArmor: change_hat: Invalid input '^open'
  AppArmor: change_hat: Invalid input '^'[ 2838.359310] AppArmor: change_hat: Invalid input '^'
  [ 2955.837326] Out of memory: Kill process 1554 (rsyslogd) score 6 or sacrifice child
  [ 2955.840293] Killed process 1554 (rsyslogd) total-vm:91072kB, anon-rss:52204kB, file-rss:2356kB, shmem-rss:0kB
  [ 3012.314564] Out of memory: Kill process 13148 (autotest-local) score 1 or sacrifice child
  [ 3012.315622] Killed process 24345 (autotest-local) total-vm:18040kB, anon-rss:7280kB, file-rss:3544kB, shmem-rss:0kB

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1658625/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1630069] Re: Regression tests can not detect binfmt_elf mmap semantic change

2017-01-10 Thread John Johansen
** Changed in: apparmor (Ubuntu)
   Status: New => Fix Released

** Changed in: apparmor
   Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Xenial)
   Status: New => Invalid

-- 
https://bugs.launchpad.net/bugs/1630069

Title:
  Regression tests can not detect binfmt_elf mmap semantic change

Status in AppArmor:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in apparmor source package in Xenial:
  Fix Released
Status in linux source package in Xenial:
  Invalid
Status in apparmor source package in Yakkety:
  Won't Fix
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  == apparmor SRU ==

  [Impact]

   * The exec_stack.sh regression test fails due to a behavior change in 4.8
     kernels from this patch:

     commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
     Author: Linus Torvalds 
     Date: Mon Aug 22 16:41:46 2016 -0700

     binfmt_elf: switch to new creds when switching to new mm

   * The regression tests were fixed for this kernel change but they were fixed
     in a way that always assumed that kernel change is present. They should
     have been adjusted so that they act differently according to whether or not
     the kernel change is present (it is a change that could end up being
     backported through the stable trees).

  [Test Case]

   $ apt-get source apparmor # make sure this fetches the new apparmor source
   $ sudo apt-get install libapparmor-dev
   $ cd tests/regression/apparmor
   $ make USE_SYSTEM=1
   $ sudo bash exec_stack.sh

   The previous command should result in no output and a return value of 0.

  [Regression Potential]

   * This is an extremely low risk change since it only touches regression
     testing code that is not user-facing.

  [Other]

   * Fixed in upstream lp:apparmor tree:

     https://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3558

  == Original description ==

  The regression tests are currently hard coded to the semantics of mmap
  in binfmt_elf.

  With the recent upstream commit
  9f834ec18defc369d73ccf9e87a2790bfa05bf46 the cred used for the mmap
  changed resulting in test failures. The tests have been patched for
  this change but it results in the test breaking for everyone using
  upstream releases against pre 4.8 kernels.



[Kernel-packages] [Bug 1592547] Re: vmalloc failure leads to null ptr dereference in aa_dfa_next

2017-01-05 Thread John Johansen
** Changed in: apparmor
   Status: New => Invalid

-- 
https://bugs.launchpad.net/bugs/1592547

Title:
  vmalloc failure leads to null ptr dereference in aa_dfa_next

Status in AppArmor:
  Invalid
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  running stress-ng apparmor stressor with a vmalloc NULL return trips a
  null ptr dereference in aa_dfa_next:

  $ uname -a
  Linux ubuntu 4.4.0-24-generic #43

  [   46.271517] BUG: unable to handle kernel NULL pointer dereference at 
0020
  [   46.271641] IP: [] aa_dfa_next+0x6/0x70
  [   46.271743] PGD 39ebd067 PUD 39ebe067 PMD 0
  [   46.271833] Oops:  [#1] SMP
  [   46.271926] Modules linked in: jitterentropy_rng algif_rng salsa20_generic 
salsa20_x86_64 camellia_generic camellia_aesni_avx_x86_64 camellia_x86_64 
cast6_avx_x86_64 cast6_generic cast_common serpent_avx_x86_64 
serpent_sse2_x86_64 serpent_generic twofish_generic twofish_avx_x86_64 
twofish_x86_64_3way twofish_x86_64 twofish_common xts algif_skcipher tgr192 
wp512 rmd320 rmd256 rmd160 rmd128 md4 algif_hash af_alg ppdev 
snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep 
snd_pcm input_leds joydev snd_timer serio_raw snd soundcore i2c_piix4 mac_hid 
8250_fintek parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core 
ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs 
raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor 
raid6_pq
  [   46.273290]  libcrc32c raid1 raid0 multipath linear 8139too 
crct10dif_pclmul crc32_pclmul qxl aesni_intel aes_x86_64 lrw gf128mul ttm 
drm_kms_helper glue_helper ablk_helper cryptd syscopyarea sysfillrect sysimgblt 
fb_sys_fops psmouse drm floppy 8139cp mii pata_acpi
  [   46.274250] CPU: 0 PID: 1349 Comm: stress-ng-appar Not tainted 
4.4.0-24-generic #43
  [   46.274436] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
Ubuntu-1.8.2-1ubuntu1 04/01/2014
  [   46.274632] task: 8800374be040 ti: 88003746c000 task.ti: 
88003746c000
  [   46.274854] RIP: 0010:[]  [] 
aa_dfa_next+0x6/0x70
  [   46.275072] RSP: 0018:88003746fca8  EFLAGS: 00010282
  [   46.275450] RAX:  RBX: 0003 RCX: 
4a46
  [   46.275934] RDX: 0002 RSI: 0001 RDI: 

  [   46.276348] RBP: 88003746fd28 R08: 88003fc19f40 R09: 
88003e001d00
  [   46.276757] R10: 88003da8e600 R11: 88003e001500 R12: 
88003746fd48
  [   46.276979] R13: 88003acc4800 R14: 88003acc4894 R15: 
0029
  [   46.277202] FS:  7f7198a0f700() GS:88003fc0() 
knlGS:
  [   46.277500] CS:  0010 DS:  ES:  CR0: 80050033
  [   46.278006] CR2: 0020 CR3: 39ebc000 CR4: 
001406f0
  [   46.278592] Stack:
  [   46.278846]  88003746fd28 81383585  

  [   46.279271]  3746fd00  c9000268e400 

  [   46.279860]  88003746fd40  5833b243 
88003746fe28
  [   46.280311] Call Trace:
  [   46.280606]  [] ? unpack_profile+0x5c5/0x970
  [   46.280854]  [] aa_unpack+0xe9/0x450
  [   46.281091]  [] aa_replace_profiles+0x77/0xb70
  [   46.281341]  [] ? vmalloc+0x6b/0x70
  [   46.281610]  [] policy_update+0x9f/0x1f0
  [   46.281887]  [] profile_replace+0x13/0x20
  [   46.282169]  [] __vfs_write+0x18/0x40
  [   46.282444]  [] vfs_write+0xa9/0x1a0
  [   46.282728]  [] ? do_sys_open+0x1bf/0x2a0
  [   46.283418]  [] SyS_write+0x55/0xc0
  [   46.284188]  [] entry_SYSCALL_64_fastpath+0x16/0x71
  [   46.284753] Code: 0c 42 39 ce 74 d9 0f b6 02 41 0f b7 34 7b 84 c0 75 d9 eb 
c3 41 0f b7 34 44 eb 89 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 <48> 8b 
47 20 4c 8b 5f 28 4c 8b 57 40 48 89 e5 4c 8b 4f 18 48 8d 
  [   46.285401] RIP  [] aa_dfa_next+0x6/0x70



[Kernel-packages] [Bug 1651944] Re: Kernel panic when we call pipework to setup virtual network for docker containers

2017-01-05 Thread John Johansen
sudo snap refresh 

should refresh the kernel snap. However the suspected fix will not be in
any snap kernel, nor can I atm build you a kernel snap to test with.

-- 
https://bugs.launchpad.net/bugs/1651944

Title:
  Kernel panic when we call pipework to setup virtual network for docker
  containers

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  I found a kernel panic issue when I was using pipework to config the
  network of a docker container on an x86 board with all-snap image. The
  issue is related to the auditing module of Linux kernel. So it should
  be an issue of pc-kernel-snap.

  I created a simple test snap to reproduce the issue and uploaded it to github.
  https://github.com/pliu6/docker-snap-test

  Software environment to reproduce the bug:
  #snap list
  Name Version Rev  Developer  Notes
  core 16.04.1 714  canonical  -
  docker   1.11.2-956   canonical  devmode
  dockertest   0.0.1   x12 devmode
  pc   16.04-0.8   9canonical  -
  pc-kernel4.4.0-53-2  51   canonical  -

  The log is below:
  [  504.783341] BUG: unable to handle kernel paging request at 
fff3 
  [  504.867186] IP: [] strlen+0x0/0x20 
  [  504.926879] PGD 1e0d067 PUD 1e0f067 PMD 0  
  [  504.976588] Oops:  [#1] SMP  
  [  505.015690] Modules linked in: veth xt_addrtype br_netfilter ipt_REJECT 
nf_reject_ipv4 ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_comment xt_conntrack 
  iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack 
bridge stp llc overlay aufs arc4 ath9k ath9k_common ath9k_hw ath mac80211 c
  fg80211 kvm_amd uas kvm irqbypass k10temp r8169 mii sp5100_tco mac_hid 
i2c_piix4 shpchp iptable_filter ip_tables ip6table_filter ip6_tables x_tables 
aut
  ofs4 mmc_block sdhci_acpi sdhci_pci sdhci virtio_scsi nls_iso8859_1 
usb_storage ahci libahci 
  [  505.599099] CPU: 1 PID: 2414 Comm: snap-confine Not tainted 
4.4.0-53-generic #74-Ubuntu 
  [  505.694977] Hardware name: PC Engines APU, BIOS SageBios_PCEngines_APU-45 
04/05/2014 
  [  505.787738] task: 880037637080 ti: 880061a7 task.ti: 
880061a7 
  [  505.877382] RIP: 0010:[]  [] 
strlen+0x0/0x20 
  [  505.966192] RSP: 0018:880061a73a20  EFLAGS: 00010246 
  [  506.029835] RAX: 880061a73b20 RBX: fff3 RCX: 
 
  [  506.115320] RDX: 014e RSI: fff3 RDI: 
fff3 
  [  506.200802] RBP: 880061a73a38 R08: 88005c835138 R09: 
880061a73a94 
  [  506.286283] R10: 000e R11: 88005c835131 R12: 
88007aff0480 
  [  506.371767] R13: 880037637080 R14: 81399fc0 R15: 
fff3 
  [  506.457251] FS:  7fa9f36aa740() GS:88007df0() 
knlGS: 
  [  506.554170] CS:  0010 DS:  ES:  CR0: 80050033 
  [  506.623014] CR2: fff3 CR3: 7853e000 CR4: 
06e0 
  [  506.708497] Stack: 
  [  506.732624]  81122a1a 88007aff0480 880061a73b00 
880061a73a60 
  [  506.822056]  8139a028 88007aff0480 880061a73b00 
880037637080 
  [  506.911490]  880061a73ad8 8136f088 812285c0 
880061a73af0 
  [  507.000926] Call Trace: 
  [  507.030263]  [] ? audit_log_untrustedstring+0x1a/0x30 
  [  507.109502]  [] audit_cb+0x68/0x3f0 
  [  507.170027]  [] common_lsm_audit+0x1b8/0x740 
  [  507.239910]  [] ? alloc_inode+0x50/0x90 
  [  507.304593]  [] ? prepend_path+0xc6/0x2a0 
  [  507.371358]  [] aa_audit+0x5f/0x170 
  [  507.431880]  [] audit_mount+0x152/0x160 
  [  507.496567]  [] match_mnt_path_str+0x1dd/0x490 
  [  507.568529]  [] ? dentry_path+0x18/0x70 
  [  507.633213]  [] match_mnt+0xda/0x150 
  [  507.694776]  [] aa_bind_mount+0x100/0x180 
  [  507.761540]  [] wrap_apparmor_sb_mount+0x1c0/0x270 
  [  507.837664]  [] security_sb_mount+0x57/0x80 
  [  507.906506]  [] do_mount+0xab/0xde0 
  [  507.967032]  [] ? __kmalloc_track_caller+0x1b4/0x250 
  [  508.045236]  [] ? hrtimer_try_to_cancel+0xd1/0x130 
  [  508.121361]  [] ? memdup_user+0x42/0x70 
  [  508.186042]  [] SyS_mount+0x9f/0x100 
  [  508.247607]  [] entry_SYSCALL_64_fastpath+0x16/0x71 
  [  508.324765] Code: 89 f8 48 89 e5 f6 82 a0 05 a5 81 20 74 10 48 83 c0 01 0f 
b6 10 f6 82 a0 05 a5 81 20 75 f0 5d c3 90 66 2e 0f 1f 84 00 00 00 00 00 <8
  0> 3f 00 55 48 89 e5 74 11 48 89 f8 48 83 c0 01 80 38 00 75 f7  
  [  508.564156] RIP  [] strlen+0x0/0x20 
  [  508.624889]  RSP  
  [  508.96] CR2: fff3 
  [  508.706425] ---[ end trace 9a8196367a1a3630 ]---


[Kernel-packages] [Bug 1651944] Re: Kernel panic when we call pipework to setup virtual network for docker containers

2017-01-03 Thread John Johansen
Ignore the request to test the upstream kernel, for the moment.

In this case the apparmor code that is in the trace does not exist upstream. 
Instead could you test the kernel in
  http://people.canonical.com/~jj/lp1648143/

While listed as being for bug 1648143, it contains several fixes
including a fix to the bind mount code. That will be pushed up to the
ubuntu kernel this week.

If this still exhibits the fault, then please test the upstream kernel
to verify that the bug is indeed in apparmor, and not being triggered
elsewhere and showing up in apparmor.

-- 
https://bugs.launchpad.net/bugs/1651944

[Kernel-packages] [Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-08 Thread John Johansen
Christian,

could you please try against my test kernel? It has fixed the issue with
my local reproducer.

The packages are in
http://people.canonical.com/~jj/linux+jj/

You can probably get away with just installing
linux-image-4.8.0-30-generic_4.8.0-30.32+lp1645037_amd64.deb, but the other
packages are available if needed.

-- 
https://bugs.launchpad.net/bugs/1645037

Title:
  apparmor_parser hangs indefinitely when called by multiple threads

Status in apparmor package in Ubuntu:
  Triaged
Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Yakkety:
  In Progress
Status in linux source package in Zesty:
  In Progress

Bug description:
  This bug surfaced when starting ~50 LXC containers with LXD in parallel
  multiple times:

  # Create the containers
  for c in c foo{1..50}; do lxc launch images:ubuntu/xenial $c; done

  # Execute this loop multiple times until you observe errors.
  for c in c foo{1..50}; do lxc restart $c & done

  After this you can

  ps aux | grep apparmor

  and you should see output similar to:

  root 19774  0.0  0.0  12524  1116 pts/1S+   20:14   0:00 
apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache 
/var/lib/lxd/security/apparmor/profiles/lxd-foo30
  root 19775  0.0  0.0  12524  1208 pts/1S+   20:14   0:00 
apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache 
/var/lib/lxd/security/apparmor/profiles/lxd-foo26
  root 19776  0.0  0.0  13592  3224 pts/1D+   20:14   0:00 
apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache 
/var/lib/lxd/security/apparmor/profiles/lxd-foo30
  root 19778  0.0  0.0  13592  3384 pts/1D+   20:14   0:00 
apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache 
/var/lib/lxd/security/apparmor/profiles/lxd-foo26
  root 19780  0.0  0.0  12524  1208 pts/1S+   20:14   0:00 
apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache 
/var/lib/lxd/security/apparmor/profiles/lxd-foo43
  root 19782  0.0  0.0  12524  1208 pts/1S+   20:14   0:00 
apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache 
/var/lib/lxd/security/apparmor/profiles/lxd-foo34
  root 19783  0.0  0.0  13592  3388 pts/1D+   20:14   0:00 
apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache 
/var/lib/lxd/security/apparmor/profiles/lxd-foo43
  root 19784  0.0  0.0  13592  3252 pts/1D+   20:14   0:00 
apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache 
/var/lib/lxd/security/apparmor/profiles/lxd-foo34
  root 19794  0.0  0.0  12524  1208 pts/1S+   20:14   0:00 
apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache 
/var/lib/lxd/security/apparmor/profiles/lxd-foo25
  root 19795  0.0  0.0  13592  3256 pts/1D+   20:14   0:00 
apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache 
/var/lib/lxd/security/apparmor/profiles/lxd-foo25

  apparmor_parser remains stuck even after all LXC/LXD commands have
  exited.

  dmesg output yields lines like:

  [41902.815174] audit: type=1400 audit(1480191089.678:43):
  apparmor="STATUS" operation="profile_load" profile="unconfined" name
  ="lxd-foo30_" pid=12545 comm="apparmor_parser"

  and cat /proc/12545/stack shows:

  [] aa_remove_profiles+0x88/0x270
  21:19   brauner  [] profile_remove+0x144/0x2e0
  21:19   brauner  [] __vfs_write+0x18/0x40
  21:19   brauner  [] vfs_write+0xb8/0x1b0
  21:19   brauner  [] SyS_write+0x55/0xc0
  21:19   brauner  [] entry_SYSCALL_64_fastpath+0x1e/0xa8
  21:19   brauner  [] 0x

  This looks like a potential kernel bug.

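The bug description above shows the signature of this hang as `ps` sees it: for each affected profile, one apparmor_parser in S+ state and a second one for the same profile in D+ (uninterruptible sleep inside the kernel), still present after every LXD command has returned. The following shell snippet is an added example, not part of the bug report or of the AppArmor project, that turns that observation into a check: it reads `ps aux` style lines, lists parsers in D state, and lists profiles that more than one parser is operating on at the same moment. The sample input is constructed from the ps lines in the description (joined back onto one line each, the archive wraps them), with a grep line added to show that it is filtered out; the column positions assumed are those of `ps aux` (STAT is field 8, the command is field 11).

```shell
#!/bin/sh
# Added example (not from the bug report): find apparmor_parser processes stuck
# in uninterruptible sleep, and profiles with more than one parser on them at
# once, from `ps aux` style output.

# Constructed sample modelled on the ps output in the bug description; the
# archive wraps each process over three lines, here each is one line. The
# final grep line is added to show that non-parser processes are ignored.
sample_ps_output() {
  cat <<'EOF'
root 19774 0.0 0.0 12524 1116 pts/1 S+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo30
root 19775 0.0 0.0 12524 1208 pts/1 S+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo26
root 19776 0.0 0.0 13592 3224 pts/1 D+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo30
root 19778 0.0 0.0 13592 3384 pts/1 D+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo26
root 19780 0.0 0.0 12524 1208 pts/1 S+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo43
root 19782 0.0 0.0 12524 1208 pts/1 S+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo34
root 19783 0.0 0.0 13592 3388 pts/1 D+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo43
root 19784 0.0 0.0 13592 3252 pts/1 D+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo34
root 19794 0.0 0.0 12524 1208 pts/1 S+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo25
root 19795 0.0 0.0 13592 3256 pts/1 D+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo25
root 19801 0.0 0.0 14224 1020 pts/2 S+ 20:15 0:00 grep --color=auto apparmor
EOF
}

# Read `ps aux` lines on stdin; print "pid profile" for every apparmor_parser
# whose STAT column (field 8) starts with D, i.e. uninterruptible sleep in the
# kernel, which is how a parser blocked on the policy lock shows up.
stuck_parsers() {
  awk '$11 == "apparmor_parser" && $8 ~ /^D/ { sub(".*/", "", $NF); print $2, $NF }'
}

# Read `ps aux` lines on stdin; print the basename of every profile that more
# than one apparmor_parser is operating on at the same moment (the concurrent
# load/remove on one profile that the thread discusses), sorted, one per line.
contended_profiles() {
  awk '$11 == "apparmor_parser" { sub(".*/", "", $NF); n[$NF]++ }
       END { for (p in n) if (n[p] > 1) print p }' | sort
}

# Counts over the constructed sample, used as the checkable results.
count_stuck() { sample_ps_output | stuck_parsers | wc -l | tr -d ' '; }
count_contended() { sample_ps_output | contended_profiles | wc -l | tr -d ' '; }

# Stand-alone run: report against the constructed sample. On a live system
# replace sample_ps_output with `ps aux`.
echo "parsers in D state (pid profile):"
sample_ps_output | stuck_parsers
echo "profiles with more than one parser:"
sample_ps_output | contended_profiles
```

A parser that stays in D state long after the LXD commands have exited is the condition the reporter describes; a parser that is merely slow (the serialized loads in the 1000-parser experiment further down the thread, which eventually cleared) will also show up here briefly, so the useful signal is persistence across repeated runs, not a single hit.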


[Kernel-packages] [Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-06 Thread John Johansen
I have fully replicated this with just the apparmor_parser, and bash. It
requires using both the fs based namespace mkdir/rmdir namespace
interface and regular profile replacement/removal at the same time.

-- 
https://bugs.launchpad.net/bugs/1645037


[Kernel-packages] [Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-03 Thread John Johansen
I think I may have replicated it, in that I got log entries with task
blocked for more than 120 seconds, very similar to the above logs, and
running ps on the system did show several apparmor_parsers waiting.
However, it did not crash, nor did the apparmor_parser instances hang
forever; it all eventually cleared up.

To replicate, I overloaded the system, spawning 1000 apparmor_parsers
loading/replacing profiles and 1000 apparmor_parsers removing profiles.
This resulted in each parser competing for the policy load mutex lock,
which causes all loads and replaces to be serialized. With the system
under very high load, several processes, even after obtaining the policy
mutex, would be put to sleep waiting on the memory subsystem and OOM killer.

This isn't an exact parallel as I didn't cause it to create namespaces
etc, I am now planning to do that as another round of testing.

-- 
https://bugs.launchpad.net/bugs/1645037


[Kernel-packages] [Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-03 Thread John Johansen
No, I haven't. I have been using the instructions you provided with no
success. I have started some tests doing lower level direct calls of
replace and reload so that I can have even more concurrency.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1645037

Title:
  apparmor_parser hangs indefinitely when called by multiple threads

Status in apparmor package in Ubuntu:
  Triaged
Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Yakkety:
  In Progress
Status in linux source package in Zesty:
  In Progress

Bug description:
  This bug surfaced when starting ~50 LXC container with LXD in parallel
  multiple times:

  # Create the containers
  for c in c foo{1..50}; do lxc launch images:ubuntu/xenial $c; done

  # Exectute this loop multiple times until you observe errors.
  for c in c foo{1..50}; do lxc restart $c & done

  After this you can

  ps aux | grep apparmor

  and you should see output similar to:

  root 19774 0.0 0.0 12524 1116 pts/1 S+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo30
  root 19775 0.0 0.0 12524 1208 pts/1 S+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo26
  root 19776 0.0 0.0 13592 3224 pts/1 D+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo30
  root 19778 0.0 0.0 13592 3384 pts/1 D+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo26
  root 19780 0.0 0.0 12524 1208 pts/1 S+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo43
  root 19782 0.0 0.0 12524 1208 pts/1 S+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo34
  root 19783 0.0 0.0 13592 3388 pts/1 D+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo43
  root 19784 0.0 0.0 13592 3252 pts/1 D+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo34
  root 19794 0.0 0.0 12524 1208 pts/1 S+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo25
  root 19795 0.0 0.0 13592 3256 pts/1 D+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo25

  apparmor_parser remains stuck even after all LXC/LXD commands have
  exited.

  dmesg output yields lines like:

  [41902.815174] audit: type=1400 audit(1480191089.678:43):
  apparmor="STATUS" operation="profile_load" profile="unconfined" name
  ="lxd-foo30_" pid=12545 comm="apparmor_parser"

  and cat /proc/12545/stack shows:

  [] aa_remove_profiles+0x88/0x270
  [] profile_remove+0x144/0x2e0
  [] __vfs_write+0x18/0x40
  [] vfs_write+0xb8/0x1b0
  [] SyS_write+0x55/0xc0
  [] entry_SYSCALL_64_fastpath+0x1e/0xa8
  [] 0x

  This looks like a potential kernel bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1645037/+subscriptions

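For triaging a hang like the one reported above, the following Python script, an added example that is not part of the bug report or of the AppArmor and LXD projects, parses `ps aux` output for apparmor_parser processes in uninterruptible sleep (D state) and pairs each with the last kernel audit `STATUS` line that carries its pid. The `ps` and `dmesg` samples are constructed to match the shapes shown in the report; the pids and profile names in them are made up.

```python
"""Find apparmor_parser processes stuck in D state and pair each with the
kernel audit line it emitted.  Added illustration for this bug thread; not
code from the report or from the AppArmor/LXD projects."""
import re

# Constructed `ps aux` sample in procps column order:
# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND.  The pids and
# profile names are made up; 19776/19778 mimic the D+ parsers in the report.
SAMPLE_PS = """\
root 19774 0.0 0.0 12524 1116 pts/1 S+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo30
root 19776 0.0 0.0 13592 3224 pts/1 D+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo30
root 19778 0.0 0.0 13592 3384 pts/1 D+ 20:14 0:00 apparmor_parser -RWL /var/lib/lxd/security/apparmor/cache /var/lib/lxd/security/apparmor/profiles/lxd-foo26
root 20011 0.0 0.0 14300 2040 pts/2 D 20:15 0:00 dd if=/dev/sda of=/dev/null bs=1M
"""

# Constructed dmesg sample shaped like the type=1400 line in the report.
SAMPLE_DMESG = """\
[41902.815174] audit: type=1400 audit(1480191089.678:43): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-foo30" pid=19776 comm="apparmor_parser"
[41902.815201] audit: type=1400 audit(1480191089.678:44): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd-foo26" pid=19778 comm="apparmor_parser"
[41903.000000] audit: type=1400 audit(1480191090.001:45): apparmor="DENIED" operation="open" profile="snap.hello-world.hello-world" name="/etc/shadow" pid=20500 comm="hello-world" requested_mask="r" denied_mask="r"
"""


def parse_ps(text):
    """Yield (pid, stat, argv) for each `ps aux` data line; header lines are skipped."""
    for line in text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or not fields[1].isdigit():
            continue
        yield int(fields[1]), fields[7], fields[10].split()


def hung_parsers(ps_text):
    """(pid, profile argument) for every apparmor_parser whose STAT starts with D."""
    found = []
    for pid, stat, argv in parse_ps(ps_text):
        if argv and argv[0].rsplit("/", 1)[-1] == "apparmor_parser" and stat.startswith("D"):
            found.append((pid, argv[-1]))
    return found


# key=value pairs; values may be double-quoted (with escapes) or bare tokens.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit(line):
    """Turn an AppArmor audit line into a dict of its key=value fields, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, value in _KV.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def correlate(ps_text, dmesg_text):
    """Map each hung parser pid to (profile argument, last audit event by that pid)."""
    last_event = {}
    for line in dmesg_text.splitlines():
        event = parse_audit(line)
        if event and event.get("comm") == "apparmor_parser" and event.get("pid", "").isdigit():
            last_event[int(event["pid"])] = event
    return {pid: (profile, last_event.get(pid)) for pid, profile in hung_parsers(ps_text)}


if __name__ == "__main__":
    for pid, (profile, event) in correlate(SAMPLE_PS, SAMPLE_DMESG).items():
        op = event["operation"] if event else "no audit record"
        print(f"pid {pid} stuck in D state on {profile}: {op}")
```

On a live system the two inputs would come from `ps aux` and `dmesg` (or the audit log); a parser that stays in D state after every `lxc` command has returned, as the report describes, is the signal worth alerting on, since the pid cannot be killed from userspace.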

[Kernel-packages] [Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-03 Thread John Johansen
How reliable/repeatable is this for you?

I have been hammering a machine for multiple days and not been able to
trip this once.

I have been using the 4.8 ubuntu kernel, the ubuntu-lxc/daily and the
ubuntu-lxc/stable ppas. Any more info you can provide?

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1645037


[Kernel-packages] [Bug 1645037] Re: apparmor_parser hangs indefinitely when called by multiple threads

2016-12-01 Thread John Johansen
** Changed in: linux (Ubuntu Xenial)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: linux (Ubuntu Yakkety)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: linux (Ubuntu Zesty)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: linux (Ubuntu Zesty)
   Status: Triaged => In Progress

** Changed in: linux (Ubuntu Yakkety)
   Status: Triaged => In Progress

** Changed in: linux (Ubuntu Xenial)
   Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1645037


[Kernel-packages] [Bug 1634753] Re: srcname from mount rule corrupted under load

2016-11-28 Thread John Johansen
I have done some light testing on this, trying to develop a non-snap
based test to verify it. The test is nowhere near as reliable as the
snappy test. I haven't been able to trigger the bug on the new kernel
yet, with the caveat that it could just be the test. I am inclined to
declare this verified.


** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1634753

Title:
  srcname from mount rule corrupted under load

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Invalid

Bug description:
  This came up in snapd spread tests but can be reproduced with:

  In an i386 up to date 16.04 VM:

  1. in one terminal, run this:

  $ cat reproducer.sh
  #!/bin/sh
  set -e
  sudo sysctl -w kernel.printk_ratelimit=0
  sudo snap install hello-world || true

  count=0
  while /bin/true ; do
      count=$((count+1))
      if [ $((count % 100)) -eq 0 ]; then
          echo "$count runs"
      fi
      hello-world > /dev/null || {
          tail -100 /var/log/syslog | grep DEN && exit
      }
      sudo cat /run/snapd/ns/hello-world.mnt 2>/dev/null || sudo /usr/lib/snapd/snap-discard-ns hello-world
  done

  2. in another terminal run:
  $ while /bin/true ; do sudo apparmor_parser -r /etc/apparmor.d/* >/dev/null 2>&1 ; done

  3. In another terminal:
  $ tail -f /var/log/syslog|grep DEN

  This is not limited to i386.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1634753/+subscriptions


[Kernel-packages] [Bug 1611078] Re: Support snaps inside of lxd containers

2016-11-07 Thread John Johansen
Note that for xenial there are several pieces that must land as
different SRUs. Just using the xenial SRU kernel is not sufficient.
There is an apparmor userspace SRU that is required, and a squashfuse SRU
...

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1611078

Title:
  Support snaps inside of lxd containers

Status in Snappy:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in lxd package in Ubuntu:
  Fix Released
Status in apparmor source package in Xenial:
  Confirmed
Status in linux source package in Xenial:
  Fix Committed
Status in lxd source package in Xenial:
  Fix Committed
Status in apparmor source package in Yakkety:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in lxd source package in Yakkety:
  Fix Released

Bug description:
  I tried following the instructions on snapcraft.io and got a failure.
  See the output below.  I've also attached the relevant output from
  running "journalctl -xe".

  uname: Linux 3.19.0-65-generic x86_64
  release: Ubuntu 16.04
  package: snapd 2.11+0.16.04

  Notably, I'm running this in an LXD container (version: 2.0.0.rc9).

  -

  $ sudo snap install hello-world
  64.75 MB / 64.75 MB 
[==]
 100.00 % 2.85 MB/s 

  error: cannot perform the following tasks:
  - Mount snap "ubuntu-core" (122) ([start snap-ubuntu\x2dcore-122.mount] 
failed with exit status 1: Job for snap-ubuntu\x2dcore-122.mount failed. See 
"systemctl status "snap-ubuntu\\x2dcore-122.mount"" and "journalctl -xe" for 
details.
  )
  $ ls -la /snap
  total 4K
  drwxr-xr-x 3 root root 4096 Aug  8 17:49 ubuntu-core
  $ ls -la /snap/ubuntu-core/
  total 4K
  drwxr-xr-x 2 root root 4096 Aug  8 17:49 122
  $ ls -la /snap/ubuntu-core/122/
  total 0K
  $ systemctl status "snap-ubuntu\\x2dcore-122.mount"
  ● snap-ubuntu\x2dcore-122.mount - Mount unit for ubuntu-core
 Loaded: loaded (/etc/systemd/system/snap-ubuntu\x2dcore-122.mount; 
enabled; vendor preset: enabled)
 Active: failed (Result: exit-code) since Mon 2016-08-08 17:49:36 UTC; 6min 
ago
  Where: /snap/ubuntu-core/122
   What: /var/lib/snapd/snaps/ubuntu-core_122.snap
Process: 31781 ExecMount=/bin/mount 
/var/lib/snapd/snaps/ubuntu-core_122.snap /snap/ubuntu-core/122 -t squashfs 
(code=exited, status=32)

  Aug 08 17:49:35 my-host systemd[1]: Mounting Mount unit for ubuntu-core...
  Aug 08 17:49:35 my-host mount[31781]: mount: /snap/ubuntu-core/122: mount 
failed: Unknown error -1
  Aug 08 17:49:36 my-host systemd[1]: snap-ubuntu\x2dcore-122.mount: Mount 
process exited, code=exited status=32
  Aug 08 17:49:36 my-host systemd[1]: Failed to mount Mount unit for 
ubuntu-core.
  Aug 08 17:49:36 my-host systemd[1]: snap-ubuntu\x2dcore-122.mount: Unit 
entered failed state.

To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1611078/+subscriptions


[Kernel-packages] [Bug 1637437] Re: linux 3.13.0-101.148 ADT test failure with linux 3.13.0-101.148

2016-11-07 Thread John Johansen
This appears to be a problem with the test


** Changed in: linux (Ubuntu)
   Status: Confirmed => Invalid

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1637437

Title:
  linux 3.13.0-101.148 ADT test failure with linux 3.13.0-101.148

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Invalid

Bug description:
  Testing failed on:
  amd64: 
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-trusty/trusty/amd64/l/linux/20161024_111739_42e49@/log.gz

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1637437/+subscriptions


[Kernel-packages] [Bug 1637440] Re: linux 4.4.0-46.67 ADT test failure with linux 4.4.0-46.67

2016-11-07 Thread John Johansen
This appears to be an issue with the test.

** Changed in: linux (Ubuntu)
   Status: Confirmed => Invalid

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1637440

Title:
  linux 4.4.0-46.67 ADT test failure with linux 4.4.0-46.67

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Invalid

Bug description:
  Testing failed on:
  i386: 
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/i386/l/linux/20161027_080747_183c5@/log.gz

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1637440/+subscriptions


[Kernel-packages] [Bug 1638996] Re: apparmor's raw_data file in securityfs is sometimes truncated

2016-11-04 Thread John Johansen
I need more information about what else is going on on the system when
this triggers:

is there profile replacement happening, what kind of load, ...

So far I have been unable to trigger this, and the code looks good.


** Changed in: linux (Ubuntu)
   Status: In Progress => Incomplete

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1638996

Title:
  apparmor's raw_data file in securityfs is sometimes truncated

Status in linux package in Ubuntu:
  Incomplete

Bug description:
  Hi,

  It looks like apparmor's securityfs output is sometimes
  truncated:

  
  root@zesty:/sys/kernel/security/apparmor/policy/namespaces/lxd-zest_/profiles/usr.lib.snapd.snap-confine.1# ls -al
  total 0
  drwxr-xr-x  3 root root 0 Nov  3 16:45 .
  drwxr-xr-x 13 root root 0 Nov  3 16:44 ..
  -r--r--r--  1 root root 0 Nov  3 16:45 attach
  -r--r--r--  1 root root 0 Nov  3 16:45 mode
  -r--r--r--  1 root root 0 Nov  3 16:45 name
  drwxr-xr-x  3 root root 0 Nov  3 16:45 profiles
  -r--r--r--  1 root root 0 Nov  3 16:45 raw_abi
  -r--r--r--  1 root root 46234 Nov  3 16:45 raw_data
  -r--r--r--  1 root root 0 Nov  3 16:45 raw_hash
  -r--r--r--  1 root root 0 Nov  3 16:45 sha1
  root@zesty:/sys/kernel/security/apparmor/policy/namespaces/lxd-zest_/profiles/usr.lib.snapd.snap-confine.1# cat raw_data > /tmp/out
  root@zesty:/sys/kernel/security/apparmor/policy/namespaces/lxd-zest_/profiles/usr.lib.snapd.snap-confine.1# ls -al /tmp/out
  -rw-r--r-- 1 root root 4009 Nov  3 16:55 /tmp/out

  and

  2016-11-03 10:58:01 tych0 jjohansen: hi, http://paste.ubuntu.com/23421551/
  2016-11-03 10:58:18 tych0 it looks like fstat is lying to me about the size of the policy
  2016-11-03 10:59:20 @jjohansen  tych0: hrmm interesting, can you zip up the /tmp/out file so I can see it looks like a complete policy file?
  2016-11-03 11:00:03 @jjohansen  something is definitely not right there. hrmmm
  2016-11-03 11:00:26 @jjohansen  the size is set by the input buffer size
  2016-11-03 11:00:28 tych0 jjohansen: http://files.tycho.ws/tmp/out
  2016-11-03 11:00:36 tych0 yeah, i assume
  2016-11-03 11:01:15 @jjohansen  my guess is something is messing up in the seq_file walk of the policy
  2016-11-03 11:02:38 @jjohansen  tych0: yep the file is truncated, can you open a bug and I will start looking for it
  2016-11-03 11:03:14 tych0 jjohansen: sure, just on linux?
  2016-11-03 11:03:35 @jjohansen  tych0: yeah for now, just linux
  2016-11-03 11:03:43 @jjohansen  we can add others if needed later
  2016-11-03 11:03:44 tych0 jjohansen: FWIW, somehow it seems racy, because sometimes it works and sometimes it doesn't

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1638996/+subscriptions

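A check for the truncation discussed in this bug, as an added example (not code from the bug report or from AppArmor): it reads `raw_data` to EOF, compares the byte count with what `fstat()` advertised, and, where the profile directory also exposes a `sha1` file, compares the SHA-1 of the bytes actually read against it. It assumes that `sha1` holds the hex SHA-1 of the `raw_data` blob (which the kernel exports when built with CONFIG_SECURITY_APPARMOR_HASH); the fixture builder constructs a fake profile directory so the script also runs offline.

```python
"""Verify that an AppArmor profile's raw_data was read whole from securityfs.
Added illustration for this bug thread, not code from the report or from
AppArmor.  Assumption: the per-profile `sha1` file holds the hex SHA-1 of the
bytes that `raw_data` serves (exported by kernels built with
CONFIG_SECURITY_APPARMOR_HASH); when it is absent only the size check runs."""
import hashlib
import os
import sys


def read_all(path):
    """Read to EOF in chunks; return (bytes, st_size as fstat() reported it).
    Both are returned because a seq_file read can stop short of the size."""
    chunks = []
    with open(path, "rb") as f:
        size = os.fstat(f.fileno()).st_size
        while True:
            chunk = f.read(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks), size


def verify_raw_data(data, stat_size, expected_sha1=None):
    """Return a list of problems; an empty list means the read looks complete."""
    problems = []
    if len(data) != stat_size:
        problems.append(f"short read: got {len(data)} bytes, fstat reported {stat_size}")
    if expected_sha1 is not None:
        actual = hashlib.sha1(data).hexdigest()
        if actual != expected_sha1.strip().lower():
            problems.append(f"sha1 mismatch: read {actual}, kernel says {expected_sha1.strip()}")
    return problems


def check_profile_dir(profile_dir):
    """Run both checks on one profile directory, e.g.
    /sys/kernel/security/apparmor/policy/namespaces/<ns>/profiles/<profile>."""
    data, size = read_all(os.path.join(profile_dir, "raw_data"))
    expected = None
    sha1_path = os.path.join(profile_dir, "sha1")
    if os.path.exists(sha1_path):
        with open(sha1_path) as f:
            expected = f.read()
    return verify_raw_data(data, size, expected)


def build_fixture(root, policy, sha1_text=None):
    """Construct a fake profile directory so the checks can run offline."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "raw_data"), "wb") as f:
        f.write(policy)
    if sha1_text is not None:
        with open(os.path.join(root, "sha1"), "w") as f:
            f.write(sha1_text + "\n")
    return root


def run_self_check():
    """Exercise the checks on constructed data; returns the three outcomes."""
    import tempfile
    policy = (b"\x04\x08\x00version\x00" + bytes(range(256))) * 40  # constructed blob
    root = tempfile.mkdtemp(prefix="aa-raw-data-")
    good = build_fixture(os.path.join(root, "good"), policy, hashlib.sha1(policy).hexdigest())
    bad = build_fixture(os.path.join(root, "bad"), policy, "0" * 40)
    return {
        "good": check_profile_dir(good),
        "bad_hash": check_profile_dir(bad),
        # a regular file cannot fake a short read, so feed the pure check directly
        # with the sizes from the transcript (4009 bytes read, 46234 advertised)
        "short": verify_raw_data(policy[:4009], 46234),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        problems = check_profile_dir(sys.argv[1])
        print("\n".join(problems) if problems else "raw_data read completely")
        sys.exit(1 if problems else 0)
    print(run_self_check())
```

Run it as root with a profile directory as the argument (the `usr.lib.snapd.snap-confine.1` directory from the transcript, for instance); with no argument it exercises the constructed fixture. Because the reporter saw the failure only intermittently, looping the check a few hundred times while profiles are being replaced is the way to get a useful sample.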

[Kernel-packages] [Bug 1638996] Re: apparmor's raw_data file in securityfs is sometimes truncated

2016-11-04 Thread John Johansen
** Changed in: linux (Ubuntu)
   Status: Incomplete => Confirmed

** Changed in: linux (Ubuntu)
   Status: Confirmed => In Progress

** Changed in: linux (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1638996

Title:
  apparmor's raw_data file in securityfs is sometimes truncated

Status in linux package in Ubuntu:
  In Progress


[Kernel-packages] [Bug 1634753] Re: srcname from mount rule corrupted under load

2016-10-19 Thread John Johansen
** Changed in: linux (Ubuntu Yakkety)
   Status: Triaged => Invalid

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Trusty)
   Status: New => Triaged

** Also affects: linux (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux (Ubuntu Trusty)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1634753

Title:
  srcname from mount rule corrupted under load

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Triaged
Status in linux source package in Xenial:
  Triaged
Status in linux source package in Yakkety:
  Invalid

Bug description:
  This came up in snapd spread tests but can be reproduced with:

  In an i386 up to date 16.04 VM:

  1. in one terminal, run this:

  $ cat changehat_reproducer.sh
  #!/bin/sh
  set -e
  sudo sysctl -w kernel.printk_ratelimit=0
  sudo snap install hello-world || true

  count=0
  while /bin/true ; do
      count=$((count+1))
      if [ $((count % 100)) -eq 0 ]; then
          echo "$count runs"
      fi
      hello-world > /dev/null || {
          tail -100 /var/log/syslog | grep DEN && exit
      }
      sudo cat /run/snapd/ns/hello-world.mnt 2>/dev/null || sudo /usr/lib/snapd/snap-discard-ns hello-world
  done

  2. in another terminal run:
  $ while /bin/true ; do sudo apparmor_parser -r /etc/apparmor.d/* >/dev/null 2>&1 ; done

  3. In another terminal:
  $ tail -f /var/log/syslog|grep DEN

  
  This is not limited to i386.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1634753/+subscriptions


[Kernel-packages] [Bug 1611078] Re: Support snaps inside of lxd containers

2016-10-14 Thread John Johansen
** Also affects: apparmor (Ubuntu Yakkety)
   Importance: Critical
 Assignee: Tyler Hicks (tyhicks)
   Status: Fix Released

** Also affects: linux (Ubuntu Yakkety)
   Importance: Critical
 Assignee: John Johansen (jjohansen)
   Status: Fix Released

** Also affects: lxd (Ubuntu Yakkety)
   Importance: Critical
 Assignee: Stéphane Graber (stgraber)
   Status: Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1611078

Title:
  Support snaps inside of lxd containers

Status in Snappy:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in lxd package in Ubuntu:
  Fix Released
Status in apparmor source package in Xenial:
  New
Status in linux source package in Xenial:
  Fix Committed
Status in lxd source package in Xenial:
  Fix Committed
Status in apparmor source package in Yakkety:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in lxd source package in Yakkety:
  Fix Released


[Kernel-packages] [Bug 1630069] Re: Regression tests can not detect binfmt_elf mmpa semantic change

2016-10-05 Thread John Johansen
** Changed in: apparmor
   Status: New => Fix Committed

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1630069

Title:
  Regression tests can not detect binfmt_elf mmpa semantic change

Status in AppArmor:
  Fix Committed
Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Yakkety:
  In Progress

Bug description:
  The regression tests are currently hard coded to the semantics of mmap
  in binfmt_elf

  With the recent upstream commit
  9f834ec18defc369d73ccf9e87a2790bfa05bf46 the cred used for the mmap
  changed resulting in test failures. The tests have been patched for
  this change but it results in the test breaking for everyone using
  upstream releases against pre 4.8 kernels.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1630069/+subscriptions


[Kernel-packages] [Bug 1630069] [NEW] Regression tests can not detect binfmt_elf mmpa semantic change

2016-10-03 Thread John Johansen
Public bug reported:

The regression tests are currently hard coded to the semantics of mmap
in binfmt_elf

With the recent upstream commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
the cred used for the mmap changed resulting in test failures. The tests
have been patched for this change but it results in the test breaking
for everyone using upstream releases against pre 4.8 kernels.

** Affects: apparmor
 Importance: Undecided
 Assignee: John Johansen (jjohansen)
 Status: New

** Affects: linux (Ubuntu)
 Importance: Undecided
 Assignee: John Johansen (jjohansen)
 Status: Incomplete

** Affects: linux (Ubuntu Yakkety)
 Importance: Undecided
 Assignee: John Johansen (jjohansen)
 Status: Incomplete

** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu)
Milestone: None => ubuntu-16.10

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Yakkety)
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: apparmor
 Assignee: (unassigned) => John Johansen (jjohansen)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1630069

Title:
  Regression tests can not detect binfmt_elf mmpa semantic change

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  The regression tests are currently hard coded to the semantics of mmap
  in binfmt_elf.

  With the recent upstream commit
  9f834ec18defc369d73ccf9e87a2790bfa05bf46 the cred used for the mmap
  changed, resulting in test failures. The tests have been patched for
  this change, but it results in the test breaking for everyone using
  upstream releases against pre-4.8 kernels.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1630069/+subscriptions



[Kernel-packages] [Bug 1611078] Re: Support snaps inside of lxd containers

2016-09-28 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu)
   Status: New => In Progress

** Changed in: linux (Ubuntu)
 Assignee: (unassigned) => John Johansen (jjohansen)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1611078

Title:
  Support snaps inside of lxd containers

Status in lxd:
  Unknown
Status in Snappy:
  Fix Committed
Status in apparmor package in Ubuntu:
  In Progress
Status in linux package in Ubuntu:
  In Progress
Status in lxd package in Ubuntu:
  Fix Committed

Bug description:
  I tried following the instructions on snapcraft.io and got a failure.
  See the output below.  I've also attached the relevant output from
  running "journalctl -xe".

  uname: Linux 3.19.0-65-generic x86_64
  release: Ubuntu 16.04
  package: snapd 2.11+0.16.04

  Notably, I'm running this in an LXD container (version: 2.0.0.rc9).

  -

  $ sudo snap install hello-world
  64.75 MB / 64.75 MB 
[==]
 100.00 % 2.85 MB/s 

  error: cannot perform the following tasks:
  - Mount snap "ubuntu-core" (122) ([start snap-ubuntu\x2dcore-122.mount] 
failed with exit status 1: Job for snap-ubuntu\x2dcore-122.mount failed. See 
"systemctl status "snap-ubuntu\\x2dcore-122.mount"" and "journalctl -xe" for 
details.
  )
  $ ls -la /snap
  total 4K
  drwxr-xr-x 3 root root 4096 Aug  8 17:49 ubuntu-core
  $ ls -la /snap/ubuntu-core/
  total 4K
  drwxr-xr-x 2 root root 4096 Aug  8 17:49 122
  $ ls -la /snap/ubuntu-core/122/
  total 0K
  $ systemctl status "snap-ubuntu\\x2dcore-122.mount"
  ● snap-ubuntu\x2dcore-122.mount - Mount unit for ubuntu-core
 Loaded: loaded (/etc/systemd/system/snap-ubuntu\x2dcore-122.mount; 
enabled; vendor preset: enabled)
 Active: failed (Result: exit-code) since Mon 2016-08-08 17:49:36 UTC; 6min 
ago
  Where: /snap/ubuntu-core/122
   What: /var/lib/snapd/snaps/ubuntu-core_122.snap
Process: 31781 ExecMount=/bin/mount 
/var/lib/snapd/snaps/ubuntu-core_122.snap /snap/ubuntu-core/122 -t squashfs 
(code=exited, status=32)

  Aug 08 17:49:35 my-host systemd[1]: Mounting Mount unit for ubuntu-core...
  Aug 08 17:49:35 my-host mount[31781]: mount: /snap/ubuntu-core/122: mount 
failed: Unknown error -1
  Aug 08 17:49:36 my-host systemd[1]: snap-ubuntu\x2dcore-122.mount: Mount 
process exited, code=exited status=32
  Aug 08 17:49:36 my-host systemd[1]: Failed to mount Mount unit for 
ubuntu-core.
  Aug 08 17:49:36 my-host systemd[1]: snap-ubuntu\x2dcore-122.mount: Unit 
entered failed state.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lxd/+bug/1611078/+subscriptions



[Kernel-packages] [Bug 1626984] Re: kernel BUG at /build/linux-lts-xenial-_hWfOZ/linux-lts-xenial-4.4.0/security/apparmor/include/context.h:69!

2016-09-23 Thread John Johansen
In testing I have not been able to reproduce.

But from the oops it looks potentially like either memory corruption or
corruption of the cred. The oops reports
  invalid opcode:  [#1] SMP

however the piece of code triggering this is used all the time, so the
more likely scenario is that the cred does not have the correct security
labeling, which would trigger an oops. The oops would not normally be an
invalid opcode, but it's possible the handling within the oops is
triggering the invalid opcode.

The line of code triggering this oops is
BUG_ON(!ctx || !ctx->label);

which, going with the bad cred hypothesis, means the actual problem is
elsewhere. Tracing down the conditions that cause the bad cred may be
difficult.

With this being reported as fine in 14.04.5 with all 4.4.x kernels, and
without further input to help trace down the conditions that cause this,
I am inclined to close this bug as fixed.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1626984

Title:
  kernel BUG at /build/linux-lts-xenial-_hWfOZ/linux-lts-
  xenial-4.4.0/security/apparmor/include/context.h:69!

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  I am running sosreport on Ubuntu 14.04.4 LTS, which has upgraded the kernel to
4.4.0-38-generic. It gets an oops while copying
/sys/module/apparmor/parameters/audit, and it can also be triggered with
  cat /sys/module/apparmor/parameters/audit.

  [  213.174092] [ cut here ]
  [  213.174130] kernel BUG at 
/build/linux-lts-xenial-_hWfOZ/linux-lts-xenial-4.4.0/security/apparmor/include/context.h:69!
  [  213.174187] invalid opcode:  [#1] SMP 
  [  213.174215] Modules linked in: ppdev lp joydev serio_raw parport_pc 
parport psmouse virtio_scsi floppy
  [  213.174283] CPU: 0 PID: 2246 Comm: cat Not tainted 4.4.0-38-generic 
#57~14.04.1-Ubuntu
  [  213.174324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
  [  213.174380] task: 880037b15780 ti: 8800399c4000 task.ti: 
8800399c4000
  [  213.174419] RIP: 0010:[]  [] 
aa_current_raw_label.part.6+0x4/0x6
  [  213.174478] RSP: 0018:8800399c7d60  EFLAGS: 00010246
  [  213.174506] RAX:  RBX: 88003a426000 RCX: 
88003e3802a0
  [  213.174542] RDX: 88003a426000 RSI: 81ddc0d8 RDI: 
88003a426000
  [  213.174578] RBP: 8800399c7d60 R08: 88003e3802a0 R09: 

  [  213.174614] R10: 1000 R11: 0246 R12: 
81e44ae0
  [  213.174658] R13: 88003e3802a0 R14: 81e4c220 R15: 
88003c2b2e40
  [  213.174702] FS:  7f7bea106740() GS:88003fc0() 
knlGS:
  [  213.174743] CS:  0010 DS:  ES:  CR0: 80050033
  [  213.174781] CR2: 00a40038 CR3: 3cdfa000 CR4: 
06f0
  [  213.174819] Stack:
  [  213.174832]  8800399c7d88 8136d58a 88003a426000 
88003a426000
  [  213.174885]  88003e3802a0 8800399c7da0 8136fda2 
88003e39c5f0
  [  213.174928]  8800399c7dd0 8109a7e4 88003c2b2e40 
81a170c0
  [  213.174971] Call Trace:
  [  213.174996]  [] policy_view_capable+0x1ba/0x220
  [  213.175030]  [] param_get_audit+0x12/0x50
  [  213.175062]  [] param_attr_show+0x54/0xa0
  [  213.175092]  [] module_attr_show+0x1d/0x30
  [  213.175130]  [] sysfs_kf_seq_show+0xc2/0x1a0
  [  213.175162]  [] kernfs_seq_show+0x23/0x30
  [  213.175199]  [] seq_read+0xe5/0x350
  [  213.175227]  [] kernfs_fop_read+0x10d/0x170
  [  213.176170]  [] __vfs_read+0x18/0x40
  [  213.177101]  [] vfs_read+0x7f/0x130
  [  213.178016]  [] SyS_read+0x46/0xa0
  [  213.178932]  [] entry_SYSCALL_64_fastpath+0x16/0x75
  [  213.179814] Code: 80 3d 1a 7f b8 00 00 75 1d 55 be 2e 00 00 00 48 c7 c7 f0 
2f cb 81 48 89 e5 e8 7c 50 cf ff 5d c6 05 fb 7e b8 00 01 c3 55 48 89 e5 <0f> 0b 
b8 01 00 00 00 3e 0f c1 07 ff c0 ff c8 7f 26 80 3d df 7e 
  [  213.182634] RIP  [] aa_current_raw_label.part.6+0x4/0x6
  [  213.183528]  RSP 

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1626984/+subscriptions



[Kernel-packages] [Bug 1615881] Re: The label build for onexec when stacking is wrong

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615881

Title:
  The label build for onexec when stacking is wrong

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  The label build for onexec when crossing a namespace boundary is not
  quite correct. The label needs to be built per profile and not based
  on the whole label because the onexec transition only applies to
  profiles within the ns, where merging against the label could include
  profiles that are transitioned via the profile_transition callback
  and should not be in the final label.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615881/+subscriptions



[Kernel-packages] [Bug 1593874] Re: warning stack trace while playing with apparmor namespaces

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1593874

Title:
  warning stack trace while playing with apparmor namespaces

Status in linux package in Ubuntu:
  Expired
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  I'm not sure what exactly I was doing when this happened, but
  something fairly basic (creating containers, adding/removing
  profiles). Let me know if you need more than the trace and I can try
  and figure out how to reproduce.

  Jun 17 20:20:06 dev kernel: [13314.032676] [ cut here 
]
  Jun 17 20:20:06 dev kernel: [13314.032689] WARNING: CPU: 3 PID: 8964 at 
/build/linux-oXTOqc/linux-4.4.0/security/apparmor/label.c:82 
__aa_proxy_redirect+0xff/0x130()
  Jun 17 20:20:06 dev kernel: [13314.032692] AppArmor WARN __aa_proxy_redirect: 
((!!queued_write_can_lock(&(&(&(&((orig)->vec[0])))[(((orig)->size)) - 
1])->ns))->labels)->lock)->raw_lock))): 
  Jun 17 20:20:06 dev kernel: [13314.032693] Modules linked in: binfmt_misc 
veth xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 
iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack 
xt_tcpudp bridge stp llc iptable_filter ip_tables x_tables isofs zfs(PO) 
zunicode(PO) zcommon(PO) znvpair(PO) spl(O) zavl(PO) ppdev kvm_intel kvm joydev 
serio_raw irqbypass parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad 
ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 
btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx 
xor raid6_pq libcrc32c raid1 raid0 multipath linear psmouse floppy
  Jun 17 20:20:06 dev kernel: [13314.032751] CPU: 3 PID: 8964 Comm: lxd 
Tainted: P        W  O    4.4.0-24-generic #43-Ubuntu
  Jun 17 20:20:06 dev kernel: [13314.032753] Hardware name: QEMU Standard PC 
(i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
  Jun 17 20:20:06 dev kernel: [13314.032756]  0286 dc104ca4 
880044db3d18 813eab23
  Jun 17 20:20:06 dev kernel: [13314.032760]  880044db3d60 81cec7f0 
880044db3d50 810810d2
  Jun 17 20:20:06 dev kernel: [13314.032763]  880047f04360 88007a08d360 
88004a551b00 88004a551b38
  Jun 17 20:20:06 dev kernel: [13314.032766] Call Trace:
  Jun 17 20:20:06 dev kernel: [13314.032773]  [] 
dump_stack+0x63/0x90
  Jun 17 20:20:06 dev kernel: [13314.032777]  [] 
warn_slowpath_common+0x82/0xc0
  Jun 17 20:20:06 dev kernel: [13314.032780]  [] 
warn_slowpath_fmt+0x5c/0x80
  Jun 17 20:20:06 dev kernel: [13314.032784]  [] ? 
__list_remove_profile+0x62/0xe0
  Jun 17 20:20:06 dev kernel: [13314.032788]  [] 
__aa_proxy_redirect+0xff/0x130
  Jun 17 20:20:06 dev kernel: [13314.032792]  [] 
destroy_ns+0x86/0xa0
  Jun 17 20:20:06 dev kernel: [13314.032794]  [] 
__aa_remove_ns+0x2f/0x60
  Jun 17 20:20:06 dev kernel: [13314.032798]  [] 
aa_remove_profiles+0x193/0x270
  Jun 17 20:20:06 dev kernel: [13314.032800]  [] ? 
__aa_kvmalloc+0x41/0x60
  Jun 17 20:20:06 dev kernel: [13314.032803]  [] 
profile_remove+0x9e/0x1f0
  Jun 17 20:20:06 dev kernel: [13314.032808]  [] 
__vfs_write+0x18/0x40
  Jun 17 20:20:06 dev kernel: [13314.032811]  [] 
vfs_write+0xa9/0x1a0
  Jun 17 20:20:06 dev kernel: [13314.032814]  [] ? 
do_sys_open+0x1bf/0x2a0
  Jun 17 20:20:06 dev kernel: [13314.032818]  [] 
SyS_write+0x55/0xc0
  Jun 17 20:20:06 dev kernel: [13314.032823]  [] 
entry_SYSCALL_64_fastpath+0x16/0x71
  Jun 17 20:20:06 dev kernel: [13314.032826] ---[ end trace 2eb06377c45f3d4c 
]---

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1593874/+subscriptions



[Kernel-packages] [Bug 1615878] Re: __label_update proxy comparison test is wrong

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615878

Title:
  __label_update proxy comparison test is wrong

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed

Bug description:
  The test is comparing the proxy pointer, not the address of the label's
  proxy pointer.

  This results in labels that shouldn't be entering into the invalidate
  label update path.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615878/+subscriptions



[Kernel-packages] [Bug 1615880] Re: The inherit check for new to old label comparison for domain transitions is wrong

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615880

Title:
  The inherit check for new to old label comparison for domain
  transitions is wrong

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed

Bug description:
  For the purposes of inherit we should be treating a profile/label
  transition to its replacement as if the replacement is the profile/label.

  So make the comparison based off of the label proxy, not the label itself.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615880/+subscriptions



[Kernel-packages] [Bug 1615882] Re: dfa is missing a bounds check which can cause an oops

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615882

Title:
  dfa is missing a bounds check which can cause an oops

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  A custom crafted or corrupted binary profile can cause an oops when
  loaded due to a missing bounds check.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615882/+subscriptions
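The kind of bounds check the bug description says is missing, shown on a deliberately simplified table-driven DFA. This is an added example written for this page, not AppArmor's policy loader or its binary policy format: the 4-byte header, the 16-bit little-endian next-state entries, struct dfa, dfa_load and dfa_run are all constructions of this example, as are the two sample blobs. The loader rejects a blob whose table is shorter than its header claims and, separately, any transition that names a state outside the table; only a table that passed both checks is handed to the matcher.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical minimal DFA encoding (not AppArmor's real format):
 * header = nstates (u16 LE), nsyms (u16 LE); then nstates * nsyms
 * next-state entries, each a u16 LE that must be < nstates. */
struct dfa {
    uint16_t nstates;
    uint16_t nsyms;
    uint16_t *next;   /* row-major: next[state * nsyms + sym] */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Load and verify a blob. Returns 0 on success, -1 if the blob is
 * truncated or malformed, -2 if a transition names a non-existent state.
 * The -2 path is the bounds check the bug describes as missing. */
int dfa_load(const uint8_t *blob, size_t len, struct dfa *out)
{
    size_t i, entries;
    uint16_t ns, na;

    if (len < 4)
        return -1;
    ns = rd16(blob);
    na = rd16(blob + 2);
    if (ns == 0 || na == 0)
        return -1;
    entries = (size_t)ns * na;
    if ((len - 4) / 2 < entries)          /* table shorter than header claims */
        return -1;
    out->next = malloc(entries * sizeof(uint16_t));
    if (!out->next)
        return -1;
    for (i = 0; i < entries; i++) {
        uint16_t v = rd16(blob + 4 + 2 * i);
        if (v >= ns) {                    /* would index past the table later */
            free(out->next);
            out->next = NULL;
            return -2;
        }
        out->next[i] = v;
    }
    out->nstates = ns;
    out->nsyms = na;
    return 0;
}

void dfa_free(struct dfa *d)
{
    free(d->next);
    d->next = NULL;
}

/* Run the DFA from state 0 over a symbol string; returns the final state,
 * or -1 for a symbol outside the alphabet. Every next[] entry was verified
 * by dfa_load, so the table index is always in range. */
int dfa_run(const struct dfa *d, const uint8_t *syms, size_t n)
{
    uint16_t state = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        if (syms[i] >= d->nsyms)
            return -1;
        state = d->next[(size_t)state * d->nsyms + syms[i]];
    }
    return state;
}

/* Constructed 2-state, 2-symbol table: symbol 1 leads to state 1,
 * symbol 0 leads back to state 0. Header: nstates=2, nsyms=2. */
static const uint8_t good_blob[] = {
    0x02, 0x00, 0x02, 0x00,
    0x00, 0x00, 0x01, 0x00,   /* state 0: sym0 -> 0, sym1 -> 1 */
    0x00, 0x00, 0x01, 0x00,   /* state 1: sym0 -> 0, sym1 -> 1 */
};

/* Same table with one entry corrupted to state 2, which does not exist. */
static const uint8_t corrupt_blob[] = {
    0x02, 0x00, 0x02, 0x00,
    0x00, 0x00, 0x01, 0x00,
    0x02, 0x00, 0x01, 0x00,   /* state 1: sym0 -> 2 (out of range) */
};

int load_good(void)        /* expected: 0 */
{
    struct dfa d;
    int rc = dfa_load(good_blob, sizeof good_blob, &d);
    if (rc == 0)
        dfa_free(&d);
    return rc;
}

int load_corrupt(void)     /* expected: -2, the bounds check fires */
{
    struct dfa d;
    return dfa_load(corrupt_blob, sizeof corrupt_blob, &d);
}

int load_truncated(void)   /* expected: -1, header claims 4 entries, only 3 fit */
{
    struct dfa d;
    return dfa_load(good_blob, 10, &d);
}

int run_good(void)         /* final state after symbols 0,1,1: expected 1 */
{
    struct dfa d;
    static const uint8_t input[] = { 0, 1, 1 };
    int st;
    if (dfa_load(good_blob, sizeof good_blob, &d) != 0)
        return -1;
    st = dfa_run(&d, input, sizeof input);
    dfa_free(&d);
    return st;
}
```

The two checks are deliberately separate: the length check protects the loader's own read of the blob, while the per-entry check protects every later lookup in the matcher, which is where an unchecked entry would otherwise be dereferenced.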



[Kernel-packages] [Bug 1579135] Re: AppArmor profile reloading causes an intermittent kernel BUG

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1579135

Title:
  AppArmor profile reloading causes an intermittent kernel BUG

Status in apparmor package in Ubuntu:
  Incomplete
Status in linux package in Ubuntu:
  Fix Committed
Status in apparmor source package in Xenial:
  Confirmed
Status in linux source package in Xenial:
  Fix Committed
Status in apparmor source package in Yakkety:
  Incomplete
Status in linux source package in Yakkety:
  Fix Committed

Bug description:
  First, a bit of background: I've built a go binary of the upstream
  snappy integration tests, and built them into a snap so that we can
  easily keep them up to date, and call them from other test suites.

  I'm running through the tests in qemu on a current 16 image (built
  yesterday), and hitting this most of the time with the homeInterfaceSuite
  tests in particular. The networkInterfaceSuite tests also seem
  to produce a similar problem:

  sudo snap connect home-consumer:home ubuntu-core:home
  [/] Connect home-consumer:home to ubuntu-core:home
  home-consumer.writer /home/ubuntu/snap/snappy-tests/11/writable
  sudo snap disconnect home-consumer:home ubuntu-core:home
  [  519.416354] BUG: unable to handle kernel NULL pointer dereference at 
0038
  [  519.417327] IP: [] profile_cmp+0x2f/0x180
  [  519.417978] PGD 1f26a067 PUD 1aa4f067 PMD 0 
  [  519.418574] Oops:  [#1] SMP 
  [  519.419032] Modules linked in: kvm_intel joydev kvm ppdev snd_pcm 
snd_timer irqbypass snd soundcore parport_pc pcspkr input_leds floppy parport 
evbug psmouse e1000 8250_fintek i2c_piix4 mac_hid pata_acpi serio_raw autofs4 
nls_iso8859_1 usb_storage ahci libahci squashfs
  [  519.422747] CPU: 0 PID: 1915 Comm: apparmor_parser Tainted: GW 
  4.4.0-21-generic #37-Ubuntu
  [  519.423689] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
Ubuntu-1.8.2-1ubuntu1 04/01/2014
  [  519.424627] task: 88001d23cb00 ti: 88001b58c000 task.ti: 
88001b58c000
  [  519.425385] RIP: 0010:[]  [] 
profile_cmp+0x2f/0x180
  [  519.426242] RSP: 0018:88001b58fcb0  EFLAGS: 00010086
  [  519.426791] RAX:  RBX: 88001b1b1400 RCX: 
0006
  [  519.427628] RDX:  RSI:  RDI: 
0009
  [  519.428405] RBP: 88001b58fcc0 R08: 000a R09: 
0274
  [  519.429127] R10: 88001f236890 R11: 0274 R12: 

  [  519.429956] R13: 000b R14:  R15: 
88001abff950
  [  519.430957] FS:  7f0c1609b740() GS:88001fc0() 
knlGS:
  [  519.432256] CS:  0010 DS:  ES:  CR0: 80050033
  [  519.433030] CR2: 0038 CR3: 1b14b000 CR4: 
06f0
  [  519.433868] Stack:
  [  519.434204]  000c 88001abff9b0 88001b58fd08 
8138a0c3
  [  519.435355]  00011f2b9450 880c 88001abff950 
88001b1b1760
  [  519.436480]  88001f236848 88001abff900 88001f236840 
88001b58fd98
  [  519.437609] Call Trace:
  [  519.438007]  [] aa_vec_unique+0x163/0x240
  [  519.438709]  [] __aa_labelset_update_subtree+0x687/0x820
  [  519.439537]  [] aa_replace_profiles+0x59b/0xb70
  [  519.440268]  [] ? __kmalloc+0x22e/0x250
  [  519.440944]  [] policy_update+0x9f/0x1f0
  [  519.441617]  [] profile_replace+0x13/0x20
  [  519.442299]  [] __vfs_write+0x18/0x40
  [  519.443032]  [] vfs_write+0xa9/0x1a0
  [  519.443721]  [] ? do_sys_open+0x1bf/0x2a0
  [  519.16]  [] SyS_write+0x55/0xc0
  [  519.445042]  [] entry_SYSCALL_64_fastpath+0x16/0x71
  [  519.445802] Code: 00 55 48 85 ff 48 89 e5 41 54 53 49 89 f4 48 89 fb 0f 84 
8b 00 00 00 4d 85 e4 0f 84 aa 00 00 00 48 83 7b 38 00 0f 84 c9 00 00 00 <49> 83 
7c 24 38 00 0f 84 e8 00 00 00 48 83 7b 08 00 0f 84 07 01 
  [  519.451336] RIP  [] profile_cmp+0x2f/0x180
  [  519.452088]  RSP 
  [  519.452570] CR2: 0038
  [  519.453032] ---[ end trace 65ff12ee2e7c26af ]---

  The details of this test can be found at:
  
https://github.com/ubuntu-core/snappy/tree/master/integration-tests/data/snaps/home-consumer

  Will follow up with more details

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1579135/+subscriptions



[Kernel-packages] [Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615887

Title:
  profiles from different namespaces can block other namespaces from
  being able to load a profile

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  If ns1 has a profile A in it, it can cause loading a profile with the
  name A into ns2, and if it does succeed it can result in compound labels
  crossing namespaces, resulting in mediation not from one ns being
  applied to another.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615887/+subscriptions



[Kernel-packages] [Bug 1615889] Re: label vec reductions can result in reference labels instead of direct access to labels

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615889

Title:
  label vec reductions can result in reference labels instead of direct
  access to labels

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  The label vec cleanup/reduction can result in a reference label which,
  while not causing wrong mediation, is effectively a reference leak, as
  the label will populate the label tree, consume memory and not be
  removed; it will only reduce to a reference of replacement vars.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615889/+subscriptions



[Kernel-packages] [Bug 1615895] Re: apparmor module parameters can be changed after the policy is locked

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615895

Title:
  apparmor module parameters can be changed after the policy is locked

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  The policy_lock parameter is a one way switch that prevents policy
  from being further modified. Unfortunately some of the module parameters
  can effectively modify policy by turning off enforcement.

  Split policy_admin_capable into a view check and a full admin check,
  and update the admin check to test the policy_lock parameter.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615895/+subscriptions



[Kernel-packages] [Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615890

Title:
  stacking to unconfined in a child namespace confuses mediation

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  When viewing a stack involving unconfined from across a ns boundary
  the mode is reported as mixed.

  Eg.
  lxc-container-default//&:lxdns1://unconfined (mixed)

  This is because the unconfined profile is in the special unconfined
  mode, which will result in a (mixed) mode for any stack with profiles
  in enforcing or complain mode.

  This can however lead to confusion as to what mode is being used, as
  mixed is also used for enforcing stacked with complain, and this can
  also currently mess up mediation of trusted helpers like dbus.

  Since unconfined doesn't affect the stack just special case it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615890/+subscriptions



[Kernel-packages] [Bug 1615893] Re: change_hat is logging failures during expected hat probing

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615893

Title:
  change_hat is logging failures during expected hat probing

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  change_hat uses probing to find and transition to the first available
  hat. Hats missing as part of this probe are expected and should not
  be logged except in complain mode.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615893/+subscriptions



[Kernel-packages] [Bug 1615892] Re: deleted files outside of the namespace are not being treated as disconnected

2016-09-09 Thread John Johansen
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615892

Title:
  deleted files outside of the namespace are not being treated as
  disconnected

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  Deleted files outside of the namespace should be treated the same as
  other disconnected files.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615892/+subscriptions



[Kernel-packages] [Bug 1615895] Re: apparmor module parameters can be changed after the policy is locked

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1615895

Title:
  apparmor module parameters can be changed after the policy is locked

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  The policy_lock parameter is a one way switch that prevents policy
  from being further modified. Unfortunately some of the module parameters
  can effectively modify policy by turning off enforcement.

  Split policy_admin_capable into a view check and a full admin check,
  and update the admin check to test the policy_lock parameter.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1615895/+subscriptions
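A model of the view/admin split the bug description asks for, covering both notifications of bug 1615895 above. This is an added example written for this page, not the kernel's code: struct policy_state, struct caller, the has_mac_admin flag standing in for the real capability check, and every function name here are this example's own constructions. It contrasts a setter that only asks "may this caller manage policy at all" with one that goes through the admin check, which additionally consults the one-way policy_lock.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the situation in bug 1615895. The struct, field
 * and function names below are this example's own, not the kernel's. */
struct policy_state {
    bool locked;     /* policy_lock: one-way switch, set once, never cleared */
    bool enforcing;  /* a parameter that, if flipped, effectively changes policy */
};

/* Stand-in for the capability check (CAP_MAC_ADMIN in the real kernel). */
struct caller {
    bool has_mac_admin;
};

/* View check: reading policy state needs only the capability. */
bool policy_view_capable(const struct caller *c)
{
    return c->has_mac_admin;
}

/* Full admin check, split out as the bug suggests: modifying policy also
 * requires that the lock has not been thrown. */
bool policy_admin_capable(const struct caller *c, const struct policy_state *s)
{
    return policy_view_capable(c) && !s->locked;
}

/* Before the fix: the setter only asked whether the caller may manage
 * policy at all and never consulted the lock. */
int param_set_enforcing_before_fix(struct policy_state *s, const struct caller *c, bool val)
{
    if (!policy_view_capable(c))
        return -EPERM;
    s->enforcing = val;
    return 0;
}

/* After the fix: the setter uses the admin check, which honours the lock. */
int param_set_enforcing(struct policy_state *s, const struct caller *c, bool val)
{
    if (!policy_admin_capable(c, s))
        return -EPERM;
    s->enforcing = val;
    return 0;
}

/* The lock may be set by an admin but never cleared. */
int param_set_policy_lock(struct policy_state *s, const struct caller *c, bool val)
{
    if (!policy_admin_capable(c, s))
        return -EPERM;      /* also covers the already-locked case */
    if (!val)
        return -EINVAL;     /* one-way: clearing is not a valid write */
    s->locked = true;
    return 0;
}

/* Constructed scenario: an admin locks policy, then tries to switch
 * enforcement off. Returns the errno of that attempt; *enforcing_out
 * receives the final enforcing flag. */
int disable_after_lock(bool use_fixed_setter, bool *enforcing_out)
{
    struct policy_state s = { false, true };
    struct caller admin = { true };
    int rc;

    if (param_set_policy_lock(&s, &admin, true) != 0)
        return -EIO;    /* cannot happen in this constructed scenario */
    rc = use_fixed_setter ? param_set_enforcing(&s, &admin, false)
                          : param_set_enforcing_before_fix(&s, &admin, false);
    if (enforcing_out)
        *enforcing_out = s.enforcing;
    return rc;
}

/* Plain-return wrappers: before the fix -> 0 and enforcing=false (policy
 * silently weakened); after the fix -> -EPERM and enforcing=true. */
int disable_after_lock_rc(bool use_fixed_setter)
{
    return disable_after_lock(use_fixed_setter, NULL);
}

bool enforcing_after_lock(bool use_fixed_setter)
{
    bool e = false;
    (void)disable_after_lock(use_fixed_setter, &e);
    return e;
}

/* Once locked, even an admin cannot clear the lock: expected -EPERM. */
int try_unlock(void)
{
    struct policy_state s = { true, true };
    struct caller admin = { true };
    return param_set_policy_lock(&s, &admin, false);
}

int main(void)
{
    printf("before fix: rc=%d enforcing=%d\n", disable_after_lock_rc(false), enforcing_after_lock(false));
    printf("after fix:  rc=%d enforcing=%d\n", disable_after_lock_rc(true), enforcing_after_lock(true));
    return 0;
}
```

The point of the split is that the two questions have different answers once the lock is set: a capable caller may still read, but nothing that changes what policy enforces, including flipping a module parameter, passes the admin check any more.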



[Kernel-packages] [Bug 1615890] Re: stacking to unconfined in a child namespace confuses mediation

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1615890

Title:
  stacking to unconfined in a child namespace confuses mediation

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  When viewing a stack involving unconfined from across a ns boundary
  the mode is reported as mixed.

  Eg.
  lxc-container-default//&:lxdns1://unconfined (mixed)

  This is because the unconfined profile is in the special unconfined
  mode, which will result in a (mixed) mode for any stack with profiles
  in enforcing or complain mode.

  This can however lead to confusion as to what mode is being used, as
  mixed is also used for enforcing stacked with complain, and this can
  also currently mess up mediation of trusted helpers like dbus.

  Since unconfined doesn't affect the stack, just special case it.


[Kernel-packages] [Bug 1609885] Re: exec transitions to profiles with '.' in name don't work

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1609885

Title:
  exec transitions to profiles with '.' in name don't work

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  If a child profile has '.' in the name, then the parser fails to compile
  the policy:
  $ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
  AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found unexpected character: '.'

  If a child profile with '.' in the name is put in a variable, the parser
  compiles the policy but the exec transition fails:
  $ sudo apparmor_parser -r /tmp/profile && aa-exec -p test /tmp/test.sh
  /tmp/with.dots: 3: /tmp/with.dots: cat: Permission denied

  denial is:
  apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 profile="test" name="/bin/cat" pid=18219 comm="with.dots" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

  $ cat /tmp/test.sh
  #!/bin/sh
  cat /proc/version

  $ cat /tmp/profile
  #include 

  @{TARGET_PROFILE}="with.dots"

  profile test {
    #include 
    #include 

    /tmp/test.sh r,

    # parser error:
    # AppArmor parser error for /tmp/profile in /tmp/profile at line 14: Found
    # unexpected character: '.'
    /{,usr/}bin/cat cx -> with.dots,

    # fail to transition:
    # apparmor="DENIED" operation="exec" info="profile transition not found"
    # error=-13 profile="test" name="/bin/cat" pid=18105 comm="with.dots"
    # requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
    #/{,usr/}bin/cat cx -> @{TARGET_PROFILE},

    # ok
    #/{,usr/}bin/cat cx -> no_dots,

    profile with.dots {
      #include 
      @{PROC}/version r,
      /{,usr/}bin/cat r,
    }

    profile no_dots {
      #include 
      @{PROC}/version r,
      /{,usr/}bin/cat r,
    }
  }


[Kernel-packages] [Bug 1615889] Re: label vec reductions can result in reference labels instead of direct access to labels

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1615889

Title:
  label vec reductions can result in reference labels instead of direct
  access to labels

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  The label vec cleanup/reduction can result in a reference label which,
  while not causing wrong mediation, is effectively a reference leak, as
  the label will populate the label tree, consume memory and not be
  removed; it will only reduce to a reference of replacement vars.


[Kernel-packages] [Bug 1615887] Re: profiles from different namespaces can block other namespaces from being able to load a profile

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1615887

Title:
  profiles from different namespaces can block other namespaces from
  being able to load a profile

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Incomplete

Bug description:
  If ns1 has a profile A in it, it can cause loading a profile with the
  name A into ns2, and if it does succeed can result in compound labels
  crossing namespaces, resulting in mediation not from one ns being
  applied to another.


[Kernel-packages] [Bug 1615892] Re: deleted files outside of the namespace are not being treated as disconnected

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1615892

Title:
  deleted files outside of the namespace are not being treated as
  disconnected

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  New

Bug description:
  Deleted files outside of the namespace should be treated the same as
  other disconnected files.


[Kernel-packages] [Bug 1615893] Re: change_hat is logging failures during expected hat probing

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1615893

Title:
  change_hat is logging failures during expected hat probing

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  New

Bug description:
  change_hat uses probing to find and transition to the first available
  hat. Hats missing as part of this probe are expected and should not
  be logged except in complain mode.


[Kernel-packages] [Bug 1615878] Re: __label_update proxy comparison test is wrong

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

** Changed in: linux (Ubuntu Yakkety)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1615878

Title:
  __label_update proxy comparison test is wrong

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed

Bug description:
  It is comparing the proxy pointer, not the address of the label's proxy
  pointer.

  This results in labels that shouldn't be entering into the invalidate
  label update path.


[Kernel-packages] [Bug 1615881] Re: The label build for onexec when stacking is wrong

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1615881

Title:
  The label build for onexec when stacking is wrong

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  New

Bug description:
  The label build for onexec when crossing a namespace boundary is not
  quite correct. The label needs to be built per profile and not based
  on the whole label, because the onexec transition only applies to
  profiles within the ns, where merging against the label could include
  profiles that are transitioned via the profile_transition callback
  and should not be in the final label.


[Kernel-packages] [Bug 1615880] Re: The inherit check for new to old label comparison for domain transitions is wrong

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

** Changed in: linux (Ubuntu Yakkety)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1615880

Title:
  The inherit check for new to old label comparison for domain
  transitions is wrong

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed

Bug description:
  For the purposes of inherit we should be treating a profile/label transition
  to its replacement as if the replacement is the profile/label.

  So make the comparison based off of the label proxy, not the label itself.


[Kernel-packages] [Bug 1615882] Re: dfa is missing a bounds check which can cause an oops

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1615882

Title:
  dfa is missing a bounds check which can cause an oops

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  New
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  New

Bug description:
  A custom crafted or corrupted binary profile can cause an oops when
  loaded due to a missing bounds check.


[Kernel-packages] [Bug 1579135] Re: AppArmor profile reloading causes an intermittent kernel BUG

2016-08-23 Thread John Johansen
** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu Yakkety)
   Importance: Critical
 Assignee: John Johansen (jjohansen)
   Status: Incomplete

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

** Changed in: linux (Ubuntu Yakkety)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1579135

Title:
  AppArmor profile reloading causes an intermittent kernel BUG

Status in apparmor package in Ubuntu:
  Incomplete
Status in linux package in Ubuntu:
  Fix Committed
Status in apparmor source package in Xenial:
  New
Status in linux source package in Xenial:
  Fix Committed
Status in apparmor source package in Yakkety:
  Incomplete
Status in linux source package in Yakkety:
  Fix Committed

Bug description:
  First, a bit of background: I've built a go binary of the upstream
  snappy integration tests, and built them into a snap so that we can
  easily keep them up to date, and call them from other test suites.

  I'm running through the tests in qemu on a current 16 image (built
  yesterday), and hitting this most of the time with the homeInterface
  Suite tests in particular. The networkInterfaceSuite tests also seem
  to produce a similar problem:

  sudo snap connect home-consumer:home ubuntu-core:home
  [/] Connect home-consumer:home to ubuntu-core:home
  home-consumer.writer /home/ubuntu/snap/snappy-tests/11/writable
  sudo snap disconnect home-consumer:home ubuntu-core:home
  [  519.416354] BUG: unable to handle kernel NULL pointer dereference at 
0038
  [  519.417327] IP: [] profile_cmp+0x2f/0x180
  [  519.417978] PGD 1f26a067 PUD 1aa4f067 PMD 0 
  [  519.418574] Oops:  [#1] SMP 
  [  519.419032] Modules linked in: kvm_intel joydev kvm ppdev snd_pcm 
snd_timer irqbypass snd soundcore parport_pc pcspkr input_leds floppy parport 
evbug psmouse e1000 8250_fintek i2c_piix4 mac_hid pata_acpi serio_raw autofs4 
nls_iso8859_1 usb_storage ahci libahci squashfs
  [  519.422747] CPU: 0 PID: 1915 Comm: apparmor_parser Tainted: GW 
  4.4.0-21-generic #37-Ubuntu
  [  519.423689] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
Ubuntu-1.8.2-1ubuntu1 04/01/2014
  [  519.424627] task: 88001d23cb00 ti: 88001b58c000 task.ti: 
88001b58c000
  [  519.425385] RIP: 0010:[]  [] 
profile_cmp+0x2f/0x180
  [  519.426242] RSP: 0018:88001b58fcb0  EFLAGS: 00010086
  [  519.426791] RAX:  RBX: 88001b1b1400 RCX: 
0006
  [  519.427628] RDX:  RSI:  RDI: 
0009
  [  519.428405] RBP: 88001b58fcc0 R08: 000a R09: 
0274
  [  519.429127] R10: 88001f236890 R11: 0274 R12: 

  [  519.429956] R13: 000b R14:  R15: 
88001abff950
  [  519.430957] FS:  7f0c1609b740() GS:88001fc0() 
knlGS:
  [  519.432256] CS:  0010 DS:  ES:  CR0: 80050033
  [  519.433030] CR2: 0038 CR3: 1b14b000 CR4: 
06f0
  [  519.433868] Stack:
  [  519.434204]  000c 88001abff9b0 88001b58fd08 
8138a0c3
  [  519.435355]  00011f2b9450 880c 88001abff950 
88001b1b1760
  [  519.436480]  88001f236848 88001abff900 88001f236840 
88001b58fd98
  [  519.437609] Call Trace:
  [  519.438007]  [] aa_vec_unique+0x163/0x240
  [  519.438709]  [] __aa_labelset_update_subtree+0x687/0x820
  [  519.439537]  [] aa_replace_profiles+0x59b/0xb70
  [  519.440268]  [] ? __kmalloc+0x22e/0x250
  [  519.440944]  [] policy_update+0x9f/0x1f0
  [  519.441617]  [] profile_replace+0x13/0x20
  [  519.442299]  [] __vfs_write+0x18/0x40
  [  519.443032]  [] vfs_write+0xa9/0x1a0
  [  519.443721]  [] ? do_sys_open+0x1bf/0x2a0
  [  519.16]  [] SyS_write+0x55/0xc0
  [  519.445042]  [] entry_SYSCALL_64_fastpath+0x16/0x71
  [  519.445802] Code: 00 55 48 85 ff 48 89 e5 41 54 53 49 89 f4 48 89 fb 0f 84 
8b 00 00 00 4d 85 e4 0f 84 aa 00 00 00 48 83 7b 38 00 0f 84 c9 00 00 00 <49> 83 
7c 24 38 00 0f 84 e8 00 00 00 48 83 7b 08 00 0f 84 07 01 
  [  519.451336] RIP  [] profile_cmp+0x2f/0x180
  [  519.452088]  RSP 
  [  519.452570] CR2: 0038
  [  519.453032] ---[ end trace 65ff12ee2e7c26af ]---

  The details of this test can be found at:
  
https://github.com/ubuntu-core/snappy/tree/master/integration-tests/data/snaps/home-consumer

  Will follow up with more details
