[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-12-06 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 5.3.0-24.26

---
linux (5.3.0-24.26) eoan; urgency=medium

  * eoan/linux: 5.3.0-24.26 -proposed tracker (LP: #1852232)

  * Eoan update: 5.3.9 upstream stable release (LP: #1851550)
- io_uring: fix up O_NONBLOCK handling for sockets
- dm snapshot: introduce account_start_copy() and account_end_copy()
- dm snapshot: rework COW throttling to fix deadlock
- Btrfs: fix inode cache block reserve leak on failure to allocate data space
- btrfs: qgroup: Always free PREALLOC META reserve in
  btrfs_delalloc_release_extents()
- iio: adc: meson_saradc: Fix memory allocation order
- iio: fix center temperature of bmc150-accel-core
- libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
- perf tests: Avoid raising SEGV using an obvious NULL dereference
- perf map: Fix overlapped map handling
- perf script brstackinsn: Fix recovery from LBR/binary mismatch
- perf jevents: Fix period for Intel fixed counters
- perf tools: Propagate get_cpuid() error
- perf annotate: Propagate perf_env__arch() error
- perf annotate: Fix the signedness of failure returns
- perf annotate: Propagate the symbol__annotate() error return
- perf annotate: Fix arch specific ->init() failure errors
- perf annotate: Return appropriate error code for allocation failures
- perf annotate: Don't return -1 for error when doing BPF disassembly
- staging: rtl8188eu: fix null dereference when kzalloc fails
- RDMA/siw: Fix serialization issue in write_space()
- RDMA/hfi1: Prevent memory leak in sdma_init
- RDMA/iw_cxgb4: fix SRQ access from dump_qp()
- RDMA/iwcm: Fix a lock inversion issue
- HID: hyperv: Use in-place iterator API in the channel callback
- kselftest: exclude failed TARGETS from runlist
- selftests/kselftest/runner.sh: Add 45 second timeout per test
- nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
- arm64: cpufeature: Effectively expose FRINT capability to userspace
- arm64: Fix incorrect irqflag restore for priority masking for compat
- arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419
- tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
- tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()'
- serial/sifive: select SERIAL_EARLYCON
- tty: n_hdlc: fix build on SPARC
- misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach
- RDMA/core: Fix an error handling path in 'res_get_common_doit()'
- RDMA/cm: Fix memory leak in cm_add/remove_one
- RDMA/nldev: Reshuffle the code to avoid need to rebind QP in error path
- RDMA/mlx5: Do not allow rereg of a ODP MR
- RDMA/mlx5: Order num_pending_prefetch properly with synchronize_srcu
- RDMA/mlx5: Add missing synchronize_srcu() for MW cases
- gpio: max77620: Use correct unit for debounce times
- fs: cifs: mute -Wunused-const-variable message
- arm64: vdso32: Fix broken compat vDSO build warnings
- arm64: vdso32: Detect binutils support for dmb ishld
- serial: mctrl_gpio: Check for NULL pointer
- serial: 8250_omap: Fix gpio check for auto RTS/CTS
- arm64: Default to building compat vDSO with clang when CONFIG_CC_IS_CLANG
- arm64: vdso32: Don't use KBUILD_CPPFLAGS unconditionally
- efi/cper: Fix endianness of PCIe class code
- efi/x86: Do not clean dummy variable in kexec path
- MIPS: include: Mark __cmpxchg as __always_inline
- riscv: avoid kernel hangs when trapped in BUG()
- riscv: avoid sending a SIGTRAP to a user thread trapped in WARN()
- riscv: Correct the handling of unexpected ebreak in do_trap_break()
- x86/xen: Return from panic notifier
- ocfs2: clear zero in unaligned direct IO
- fs: ocfs2: fix possible null-pointer dereferences in
  ocfs2_xa_prepare_entry()
- fs: ocfs2: fix a possible null-pointer dereference in
  ocfs2_write_end_nolock()
- fs: ocfs2: fix a possible null-pointer dereference in
  ocfs2_info_scan_inode_alloc()
- btrfs: silence maybe-uninitialized warning in clone_range
- arm64: armv8_deprecated: Checking return value for memory allocation
- sched/fair: Scale bandwidth quota and period without losing quota/period
  ratio precision
- sched/vtime: Fix guest/system mis-accounting on task switch
- perf/core: Rework memory accounting in perf_mmap()
- perf/core: Fix corner case in perf_rotate_context()
- perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp
- drm/amdgpu: fix memory leak
- iio: imu: adis16400: release allocated memory on failure
- iio: imu: adis16400: fix memory leak
- iio: imu: st_lsm6dsx: fix waitime for st_lsm6dsx i2c controller
- MIPS: include: Mark __xchg as __always_inline
- MIPS: fw: sni: Fix out of bounds init of o32 stack
- s390/cio: fix virtio-ccw DMA without PV
- virt: vbox: fix memory 

[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-12-05 Thread Simon Déziel
Based on a suggestion from sarnold in #ubuntu-kernel, I re-ran the tests
of the 4.15, 5.0 and 5.3 kernels in combination with a snap (lxd's snap
specifically) and found no problem.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1844186

Title:
  [regression] NoNewPrivileges incompatible with Apparmor

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Confirmed
Status in linux source package in Bionic:
  Confirmed
Status in linux source package in Disco:
  Fix Released
Status in linux source package in Eoan:
  Fix Released

Bug description:
  Description:

  Host: Bionic 64 bit with GA kernel (4.15)
  Container: Bionic 64 bit

  The container runs a binary (/usr/sbin/nsd) locked by an Apparmor
  profile. The systemd service is configured with NoNewPrivileges=yes.

    # systemctl show nsd | grep ^NoNew
    NoNewPrivileges=yes

  This setup worked fine with 4.15.0-58-generic and before but stopped
  working with the 4.15.0-60-generic update. When running the bogus
  kernel, starting the nsd service fails and the following is logged in
  the host's dmesg:

  audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd"
  audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"

  Disabling the Apparmor profile OR setting NoNewPrivileges=no in the
  container makes it work again.

  I checked with a couple of kernels:

  4.15.0-52-generic works
  4.15.0-58-generic works
  4.15.0-60-generic is broken

  The 5.0 HWE kernel has always been broken it seems:

  5.0.0-15-generic is broken
  5.0.0-17-generic is broken
  5.0.0-20-generic is broken
  5.0.0-23-generic is broken
  5.0.0-25-generic is broken
  5.0.0-27-generic is broken

  I have another similar setup but using Xenial host/container and it
  broke in a similar fashion where 4.4.0-159-generic works but
  4.4.0-161-generic is broken.

  Additional information:

  # lsb_release -rd
  Description:  Ubuntu 18.04.3 LTS
  Release:  18.04

  # apt-cache policy nsd
  nsd:
    Installed: 4.1.26-1ubuntu0.18.04.1~ppa2
    Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2
    Version table:
   *** 4.1.26-1ubuntu0.18.04.1~ppa2 500
  500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main amd64 Packages
  100 /var/lib/dpkg/status
   4.1.17-1build1 500
  500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

  nsd comes from a custom backport but this should be irrelevant.
  nsd's custom Apparmor profile: https://paste.ubuntu.com/p/BB3ZYzH8WQ/

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-60-generic 4.15.0-60.67
  ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
  Uname: Linux 5.0.0-27-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  AlsaDevices:
   total 0
   crw-rw 1 root audio 116,  1 Sep 16 18:02 seq
   crw-rw 1 root audio 116, 33 Sep 16 18:02 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
  ApportVersion: 2.20.9-0ubuntu7.7
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
  CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
  Date: Mon Sep 16 18:14:02 2019
  InstallationDate: Installed on 2019-08-22 (24 days ago)
  InstallationMedia: Ubuntu-Server 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
  MachineType: Dell Inc. Inspiron 530s
  PciMultimedia:

  ProcEnviron:
   LANG=en_US.UTF-8
   SHELL=/bin/bash
   TERM=xterm-256color
   PATH=(custom, no user)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.0.0-27-generic root=UUID=7c11931f-ee1e-4d07-bc03-d167b9c39ef0 ro apt-setup/restricted=false apt-setup/multiverse=false kaslr nmi_watchdog=0 nr_cpus=2 pti=on vsyscall=none
  RelatedPackageVersions:
   linux-restricted-modules-5.0.0-27-generic N/A
   linux-backports-modules-5.0.0-27-generic  N/A
   linux-firmware 1.173.9
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/24/2009
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: 1.0.18
  dmi.board.name: 
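The two audit records quoted in the report are the signal an operator would grep for when triaging this regression. As an added example (not from the bug report, nor from Ubuntu or AppArmor), this Python script parses AppArmor `type=1400` records out of dmesg text and flags exec denials whose `info` field is "no new privs", i.e. a NoNewPrivileges task being refused a profile transition, as opposed to a denial caused by a missing profile rule. The sample input is constructed here from the report's two lines plus one unrelated "open" denial; all function names are my own.

```python
import re
import sys

# Constructed sample input: the two audit records quoted in the bug report,
# re-joined onto single lines, plus one unrelated "open" denial (made up here)
# so the classifier has something to reject.
SAMPLE_DMESG = """\
audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd"
audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"
audit: type=1400 audit(1568387900.000:75): apparmor="DENIED" operation="open" profile="lxd-ns0_" name="/etc/hosts.deny" pid=8600 comm="nsd" requested_mask="r" denied_mask="r" fsuid=1065536 ouid=0
"""

# audit(<epoch>.<ms>:<serial>) header that every audit record carries
_AUDIT_HDR = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
# key="quoted value" (may contain spaces, e.g. info="no new privs") or key=bare
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return an AppArmor audit record as a dict, or None when the line is
    not a type=1400 (AppArmor) audit record."""
    if "type=1400" not in line:
        return None
    hdr = _AUDIT_HDR.search(line)
    if not hdr:
        return None
    rec = {"timestamp": float(hdr.group(1)), "serial": int(hdr.group(2))}
    # Only parse fields after the header, so the type=1400 prefix and the
    # audit(...) token are not mistaken for record fields.
    for key, quoted, bare in _KV.findall(line[hdr.end():]):
        rec[key] = bare or quoted
    return rec


def is_nnp_exec_denial(rec):
    """True for the failure mode in the report: AppArmor refused an exec
    because the task runs with no_new_privs set, not because of a rule."""
    return (
        rec.get("apparmor") == "DENIED"
        and rec.get("operation") == "exec"
        and rec.get("info") == "no new privs"
    )


def find_nnp_denials(dmesg_text):
    """Parse every line of dmesg output and return the NNP exec denials
    grouped by (pid, executable), so that the two records the report shows
    for one exec (one against the container's profile, one logged in the
    namespace view as profile="unconfined") stay together."""
    hits = {}
    for line in dmesg_text.splitlines():
        rec = parse_audit_line(line)
        if rec and is_nnp_exec_denial(rec):
            hits.setdefault((rec.get("pid"), rec.get("name")), []).append(rec)
    return hits


def describe(rec):
    """One-line triage summary of an NNP exec denial record."""
    return (
        f"pid {rec.get('pid')} comm={rec.get('comm')}: exec of {rec.get('name')} "
        f"denied (no new privs), profile={rec.get('profile')} -> "
        f"target={rec.get('target')} [namespace {rec.get('namespace', 'root')}]"
    )


if __name__ == "__main__":
    # Read dmesg / journalctl -k output from stdin; fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    hits = find_nnp_denials(text)
    if not hits:
        print("no AppArmor no-new-privs exec denials found")
    for (pid, name), recs in hits.items():
        print(f"== {name} (pid {pid}): {len(recs)} record(s)")
        for rec in recs:
            print("   ", describe(rec))
```

Matching records for a service that has NoNewPrivileges=yes on one of the kernel versions the report lists as broken point at this regression; a denial without info="no new privs" is an ordinary profile rule gap instead.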

[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-11-28 Thread Simon Déziel
I don't see the patch queued up in Xenial/Bionic for the 4.4.0-170.199
and 4.15.0-72.81 kernels. If I can do anything to help those land (like
test more versions), please let me know.

Thank you!
Simon


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-11-12 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 5.0.0-35.38

---
linux (5.0.0-35.38) disco; urgency=medium

  * [REGRESSION] md/raid0: cannot assemble multi-zone RAID0 with default_layout setting (LP: #1849682)
- SAUCE: Fix revert "md/raid0: avoid RAID0 data corruption due to layout
  confusion."

  * refcount underflow and type confusion in shiftfs (LP: #1850867) // CVE-2019-15793
- SAUCE: shiftfs: Correct id translation for lower fs operations
- SAUCE: shiftfs: prevent type confusion
- SAUCE: shiftfs: Fix refcount underflow in btrfs ioctl handling

  * CVE-2018-12207
- kvm: Convert kvm_lock to a mutex
- kvm: x86: Do not release the page inside mmu_set_spte()
- KVM: x86: make FNAME(fetch) and __direct_map more similar
- KVM: x86: remove now unneeded hugepage gfn adjustment
- KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
- KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry
- SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
  active
- SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
- SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
- SAUCE: kvm: Add helper function for creating VM worker threads
- SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
- SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
- SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

  * CVE-2019-11135
- KVM: x86: use Intel speculation bugs and features as derived in generic x86 code
- x86/msr: Add the IA32_TSX_CTRL MSR
- x86/cpu: Add a helper function x86_read_arch_cap_msr()
- x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
- x86/speculation/taa: Add mitigation for TSX Async Abort
- x86/speculation/taa: Add sysfs reporting for TSX Async Abort
- kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
- x86/tsx: Add "auto" option to the tsx= cmdline parameter
- x86/speculation/taa: Add documentation for TSX Async Abort
- x86/tsx: Add config options to set tsx=on|off|auto
- SAUCE: x86/speculation/taa: Call tsx_init()
- [Config] Disable TSX by default when possible

  * CVE-2019-0154
- SAUCE: drm/i915: Lower RM timeout to avoid DSI hard hangs
- SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

  * CVE-2019-0155
- SAUCE: drm/i915: Rename gen7 cmdparser tables
- SAUCE: drm/i915: Disable Secure Batches for gen6+
- SAUCE: drm/i915: Remove Master tables from cmdparser
- SAUCE: drm/i915: Add support for mandatory cmdparsing
- SAUCE: drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
- SAUCE: drm/i915: Allow parsing of unsized batches
- SAUCE: drm/i915: Add gen9 BCS cmdparsing
- SAUCE: drm/i915/cmdparser: Use explicit goto for error paths
- SAUCE: drm/i915/cmdparser: Add support for backward jumps
- SAUCE: drm/i915/cmdparser: Ignore Length operands during command matching

linux (5.0.0-34.36) disco; urgency=medium

  * disco/linux:  -proposed tracker (LP: #1850574)

  * [REGRESSION] md/raid0: cannot assemble multi-zone RAID0 with default_layout setting (LP: #1849682)
- Revert "md/raid0: avoid RAID0 data corruption due to layout confusion."

linux (5.0.0-33.35) disco; urgency=medium

  * disco/linux: 5.0.0-33.35 -proposed tracker (LP: #1849003)

  * Disco update: upstream stable patchset 2019-10-18 (LP: #1848817)
- tpm: use tpm_try_get_ops() in tpm-sysfs.c.
- drm/bridge: tc358767: Increase AUX transfer length limit
- drm/panel: simple: fix AUO g185han01 horizontal blanking
- video: ssd1307fb: Start page range at page_offset
- drm/stm: attach gem fence to atomic state
- drm/panel: check failure cases in the probe func
- drm/rockchip: Check for fast link training before enabling psr
- drm/radeon: Fix EEH during kexec
- gpu: drm: radeon: Fix a possible null-pointer dereference in
  radeon_connector_set_property()
- PCI: rpaphp: Avoid a sometimes-uninitialized warning
- ipmi_si: Only schedule continuously in the thread in maintenance mode
- clk: qoriq: Fix -Wunused-const-variable
- clk: sunxi-ng: v3s: add missing clock slices for MMC2 module clocks
- drm/amd/display: fix issue where 252-255 values are clipped
- drm/amd/display: reprogram VM config when system resume
- powerpc/powernv/ioda2: Allocate TCE table levels on demand for default DMA
  window
- clk: actions: Don't reference clk_init_data after registration
- clk: sirf: Don't reference clk_init_data after registration
- clk: sprd: Don't reference clk_init_data after registration
- clk: zx296718: Don't reference clk_init_data after registration
- powerpc/xmon: Check for HV mode when dumping XIVE info from OPAL
- powerpc/rtas: use device model APIs and serialization during LPM
- powerpc/futex: Fix warning: 'oldval' may be used 

[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-11-12 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 5.3.0-22.24

---
linux (5.3.0-22.24) eoan; urgency=medium

  * [REGRESSION] md/raid0: cannot assemble multi-zone RAID0 with default_layout setting (LP: #1849682)
- Revert "md/raid0: avoid RAID0 data corruption due to layout confusion."

  * refcount underflow and type confusion in shiftfs (LP: #1850867) // CVE-2019-15793
- SAUCE: shiftfs: Correct id translation for lower fs operations
- SAUCE: shiftfs: prevent type confusion
- SAUCE: shiftfs: Fix refcount underflow in btrfs ioctl handling

  * CVE-2018-12207
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry
- SAUCE: KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is
  active
- SAUCE: x86: Add ITLB_MULTIHIT bug infrastructure
- SAUCE: kvm: mmu: ITLB_MULTIHIT mitigation
- SAUCE: kvm: Add helper function for creating VM worker threads
- SAUCE: kvm: x86: mmu: Recovery of shattered NX large pages
- SAUCE: cpu/speculation: Uninline and export CPU mitigations helpers
- SAUCE: kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT

  * CVE-2019-11135
- x86/msr: Add the IA32_TSX_CTRL MSR
- x86/cpu: Add a helper function x86_read_arch_cap_msr()
- x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
- x86/speculation/taa: Add mitigation for TSX Async Abort
- x86/speculation/taa: Add sysfs reporting for TSX Async Abort
- kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
- x86/tsx: Add "auto" option to the tsx= cmdline parameter
- x86/speculation/taa: Add documentation for TSX Async Abort
- x86/tsx: Add config options to set tsx=on|off|auto
- [Config] Disable TSX by default when possible

  * CVE-2019-0154
- SAUCE: drm/i915: Lower RM timeout to avoid DSI hard hangs
- SAUCE: drm/i915/gen8+: Add RC6 CTX corruption WA

  * CVE-2019-0155
- SAUCE: drm/i915: Rename gen7 cmdparser tables
- SAUCE: drm/i915: Disable Secure Batches for gen6+
- SAUCE: drm/i915: Remove Master tables from cmdparser
- SAUCE: drm/i915: Add support for mandatory cmdparsing
- SAUCE: drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
- SAUCE: drm/i915: Allow parsing of unsized batches
- SAUCE: drm/i915: Add gen9 BCS cmdparsing
- SAUCE: drm/i915/cmdparser: Use explicit goto for error paths
- SAUCE: drm/i915/cmdparser: Add support for backward jumps
- SAUCE: drm/i915/cmdparser: Ignore Length operands during command matching

linux (5.3.0-21.22) eoan; urgency=medium

  * eoan/linux: 5.3.0-21.22 -proposed tracker (LP: #1850486)

  * Fix signing of staging modules in eoan (LP: #1850234)
- [Packaging] Leave unsigned modules unsigned after adding .gnu_debuglink

linux (5.3.0-20.21) eoan; urgency=medium

  * eoan/linux: 5.3.0-20.21 -proposed tracker (LP: #1849064)

  * eoan: alsa/sof: Enable SOF_HDA link and codec (LP: #1848490)
- [Config] Enable SOF_HDA link and codec

  * Eoan update: 5.3.7 upstream stable release (LP: #1848750)
- panic: ensure preemption is disabled during panic()
- [Config] updateconfigs for USB_RIO500
- USB: rio500: Remove Rio 500 kernel driver
- USB: yurex: Don't retry on unexpected errors
- USB: yurex: fix NULL-derefs on disconnect
- USB: usb-skeleton: fix runtime PM after driver unbind
- USB: usb-skeleton: fix NULL-deref on disconnect
- xhci: Fix false warning message about wrong bounce buffer write length
- xhci: Prevent device initiated U1/U2 link pm if exit latency is too long
- xhci: Check all endpoints for LPM timeout
- xhci: Fix USB 3.1 capability detection on early xHCI 1.1 spec based hosts
- usb: xhci: wait for CNR controller not ready bit in xhci resume
- xhci: Prevent deadlock when xhci adapter breaks during init
- xhci: Fix NULL pointer dereference in xhci_clear_tt_buffer_complete()
- USB: adutux: fix use-after-free on disconnect
- USB: adutux: fix NULL-derefs on disconnect
- USB: adutux: fix use-after-free on release
- USB: iowarrior: fix use-after-free on disconnect
- USB: iowarrior: fix use-after-free on release
- USB: iowarrior: fix use-after-free after driver unbind
- USB: usblp: fix runtime PM after driver unbind
- USB: chaoskey: fix use-after-free on release
- USB: ldusb: fix NULL-derefs on driver unbind
- serial: uartlite: fix exit path null pointer
- serial: uartps: Fix uartps_major handling
- USB: serial: keyspan: fix NULL-derefs on open() and write()
- USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20
- USB: serial: option: add Telit FN980 compositions
- USB: serial: option: add support for Cinterion CLS8 devices
- USB: serial: fix runtime PM after driver unbind
- USB: usblcd: fix I/O after disconnect
- USB: microtek: fix info-leak at probe
- USB: dummy-hcd: fix power budget for SuperSpeed mode
- usb: renesas_usbhs: gadget: Do not discard queues 

[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-11-07 Thread Simon Déziel
@jjohansen, I see that you've included the fix in most of the kernels
currently in -proposed, thanks for that! Although, I'm not seeing those
for 4.4 and 4.15 and I'd like to make sure they don't fall through the
cracks ;)


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-10-24 Thread Simon Déziel
I pulled the various .deb packages from
https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+build/17953251/+files/
and installed them on my Bionic host.

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.3.0-20-generic #21-Ubuntu SMP Wed Oct 23 16:20:37 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

With that kernel it works so marking as verified for Eoan.


** Tags removed: verification-needed-eoan
** Tags added: verification-done-eoan

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1844186

Title:
  [regression] NoNewPrivileges incompatible with Apparmor

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Confirmed
Status in linux source package in Bionic:
  Confirmed
Status in linux source package in Disco:
  Fix Committed
Status in linux source package in Eoan:
  Fix Committed

Bug description:
  Description:

  Host: Bionic 64 bit with GA kernel (4.15)
  Container: Bionic 64 bit

  The container runs a binary (/usr/sbin/nsd) locked by an Apparmor
  profile. The systemd service is configured with NoNewPrivileges=yes.

    # systemctl show nsd | grep ^NoNew
    NoNewPrivileges=yes

  This setup worked fine with 4.15.0-58-generic and before but stopped
  working with the 4.15.0-60-generic update. When running the bogus
  kernel, starting the nsd service fails and the following is logged in
  the host's dmesg:

  audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" 
info="no new privs" error=-1 profile="lxd-ns0_" 
name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" 
fsuid=1065536 ouid=1065536 
target="lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd"
  audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" 
info="no new privs" error=-1 
namespace="root//lxd-ns0_" profile="unconfined" 
name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" 
fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"

  Disabling the Apparmor profile OR setting NoNewPrivileges=no in the
  container makes it work again.

  I check with a couple of kernels:

  4.15.0-52-generic works
  4.15.0-58-generic works
  4.15.0-60-generic is broken

  The 5.0 HWE kernel has always been broken it seems:

  5.0.0-15-generic is broken
  5.0.0-17-generic is broken
  5.0.0-20-generic is broken
  5.0.0-23-generic is broken
  5.0.0-25-generic is broken
  5.0.0-27-generic is broken

  I have another similar setup but using Xenial host/container and it
  broke in a similar fashion where 4.4.0-159-generic works but
  4.4.0-161-generic is broken.

  Additional information:

  # lsb_release -rd
  Description:  Ubuntu 18.04.3 LTS
  Release:  18.04

  # apt-cache policy nsd
  nsd:
    Installed: 4.1.26-1ubuntu0.18.04.1~ppa2
    Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2
    Version table:
   *** 4.1.26-1ubuntu0.18.04.1~ppa2 500
  500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main amd64 Packages
  100 /var/lib/dpkg/status
   4.1.17-1build1 500
  500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

  nsd comes from a custom backport, but this should be irrelevant.
  nsd's custom Apparmor profile: https://paste.ubuntu.com/p/BB3ZYzH8WQ/

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-60-generic 4.15.0-60.67
  ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
  Uname: Linux 5.0.0-27-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  AlsaDevices:
   total 0
   crw-rw 1 root audio 116,  1 Sep 16 18:02 seq
   crw-rw 1 root audio 116, 33 Sep 16 18:02 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
  ApportVersion: 2.20.9-0ubuntu7.7
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
  CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
  Date: Mon Sep 16 18:14:02 2019
  InstallationDate: Installed on 2019-08-22 (24 days ago)
  InstallationMedia: Ubuntu-Server 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
  MachineType: Dell Inc. Inspiron 530s
  PciMultimedia:

  ProcEnviron:
   LANG=en_US.UTF-8
   SHELL=/bin/bash
   TERM=xterm-256color
   PATH=(custom, no user)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.0.0-27-generic root=UUID=7c11931f-ee1e-4d07-bc03-d167b9c39ef0 ro apt-setup/restricted=false apt-setup/multiverse=false kaslr nmi_watchdog=0 nr_cpus=2 pti=on vsyscall=none
  RelatedPackageVersions:
   linux-restricted-modules-5.0.0-27-generic N/A
   linux-backports-modules-5.0.0-27-generic  N/A
   linux-firmware                            1.173.9
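
As an added illustration (not part of the bug report or of the kernel fix), the following Python parses AppArmor audit records of the shape quoted in the report and keeps only exec denials carrying info="no new privs", the signature of this regression. The first two sample lines are the report's own denials re-joined onto single lines; the third is a constructed, unrelated denial that the filter must ignore.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# key=value pairs as AppArmor prints them: double-quoted strings or bare tokens.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The audit(<timestamp>:<serial>) prefix carries no key, so it is parsed separately.
_AUDIT_ID_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')

# Sample dmesg lines: the two denials from the bug report, plus one constructed
# file-access denial that is not an exec under no_new_privs.
SAMPLE_DMESG = [
    'audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" '
    'info="no new privs" error=-1 profile="lxd-ns0_" name="/usr/sbin/nsd" pid=8568 '
    'comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 '
    'target="lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd"',
    'audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" '
    'info="no new privs" error=-1 namespace="root//lxd-ns0_" profile="unconfined" '
    'name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" '
    'fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"',
    # constructed: an ordinary write denial, must not be reported
    'audit: type=1400 audit(1568387900.000:75): apparmor="DENIED" operation="open" '
    'profile="lxd-ns0_" name="/var/log/nsd.log" pid=8600 comm="nsd" '
    'requested_mask="w" denied_mask="w" fsuid=1065536 ouid=1065536',
]


def parse_apparmor_audit(line: str) -> Dict[str, str]:
    """Flatten one AppArmor audit line (type=1400) into a dict of its fields."""
    rec: Dict[str, str] = {}
    m = _AUDIT_ID_RE.search(line)
    if m:
        rec["audit_ts"] = m.group("ts")
        rec["audit_serial"] = m.group("serial")
    for key, raw in _KV_RE.findall(line):
        # Quoted values keep their inner spaces (e.g. info="no new privs").
        rec[key] = raw[1:-1] if raw.startswith('"') else raw
    return rec


def is_nnp_exec_denial(rec: Dict[str, str]) -> bool:
    """True for an exec that AppArmor refused because the task has no_new_privs
    set and the exec would change its confinement (info="no new privs")."""
    return (
        rec.get("apparmor") == "DENIED"
        and rec.get("operation") == "exec"
        and rec.get("info") == "no new privs"
    )


def find_nnp_exec_denials(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse dmesg lines and return only the no_new_privs exec denials, in order."""
    found: List[Dict[str, str]] = []
    for line in lines:
        if 'apparmor="DENIED"' not in line:
            continue  # cheap pre-filter before the regex work
        rec = parse_apparmor_audit(line)
        if is_nnp_exec_denial(rec):
            found.append(rec)
    return found


def group_by_pid(records: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Group denials by pid: the report shows the same failed exec twice, once
    from the container's policy namespace and once from the host's root
    namespace (namespace="root//lxd-ns0_"), so pairing by pid keeps them together."""
    groups: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for rec in records:
        groups[rec.get("pid", "?")].append(rec)
    return dict(groups)


def describe(rec: Dict[str, str]) -> str:
    """One-line summary suitable for an alert or a triage note."""
    ns = rec.get("namespace", "root")
    return (f'pid {rec.get("pid")}: exec of {rec.get("name")} denied in namespace '
            f'{ns}, profile {rec.get("profile")} -> {rec.get("target")}')


if __name__ == "__main__":
    hits = find_nnp_exec_denials(SAMPLE_DMESG)
    for pid, recs in group_by_pid(hits).items():
        print(f"{len(recs)} no_new_privs exec denial record(s) for pid {pid}:")
        for r in recs:
            print("  " + describe(r))
```

Feeding real `dmesg` or `journalctl -k` output through `find_nnp_exec_denials` gives a quick way to tell this regression apart from ordinary profile denials when triaging a service that fails to start with NoNewPrivileges=yes.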
  

[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-10-24 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-eoan' to 'verification-done-eoan'. If the problem
still exists, change the tag 'verification-needed-eoan' to
'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-eoan


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-10-22 Thread Simon Déziel
I pulled the various .deb packages from https://launchpad.net
/~canonical-kernel-team/+archive/ubuntu/ppa/+build/17945283 and
installed them on my Bionic host.

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-33-generic #35-Ubuntu SMP Tue Oct 22 01:48:40 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

With that kernel it works so marking as verified for Disco.

** Tags removed: verification-needed-disco
** Tags added: verification-done-disco


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-10-22 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-disco' to 'verification-done-disco'. If the problem
still exists, change the tag 'verification-needed-disco' to
'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-disco


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-10-16 Thread Kleber Sacilotto de Souza
** Changed in: linux (Ubuntu Disco)
   Status: Confirmed => Fix Committed

** Changed in: linux (Ubuntu Eoan)
   Status: Confirmed => Fix Committed


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-10-03 Thread John Johansen
** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Disco)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Eoan)
   Importance: Undecided
   Status: Confirmed

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Disco)
   Status: New => Confirmed

** Changed in: linux (Ubuntu Bionic)
   Status: New => Confirmed

** Changed in: linux (Ubuntu Xenial)
   Status: New => Confirmed


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-10-02 Thread John Johansen
Sorry, it appears I added the comments about the v2 patch to the wrong
bug.

Thanks for testing. I will get the request sent out to the kt.


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-10-02 Thread Simon Déziel
I found your 5.0.0-29 *v2* kernel and gave it a try and I'm happy to
report that you've fixed the problem!

Bionic/5.0 v2:

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-29-generic #31+v2lp1844186 SMP Wed Oct 2 
18:47:25 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: works

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1844186

[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-29 Thread Simon Déziel
Bionic/5.0:

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-29-generic #31+lp1844186 SMP Sat Sep 28 
18:11:18 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: doesn't work

Same behavior as with the official/unpatched 5.0.0-29 (and 5.0.0-30)
kernel; either NNP or Apparmor needs to be disabled, otherwise:

audit: type=1400 audit(1569799739.869:70): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_" profile="unconfined" name="/usr/sbin/nsd" pid=2754 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"


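A log-triage script for the AppArmor denials quoted in this thread, as an added example (not code from the bug report, Ubuntu or AppArmor): it parses audit records in the format above and separates the no_new_privs exec denial this bug describes from ordinary profile denials, which need a different fix. The sample lines are constructed from the thread's records; the profile name `nsd`, the path `/var/lib/nsd/zone.db` and the trailing non-AppArmor audit line are assumed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# AppArmor emits records as key=value pairs; values are quoted when they
# may contain spaces (info="no new privs") and bare otherwise (pid=8568).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Kernel audit prefix: audit(<epoch seconds>.<ms>:<serial>)
_AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


@dataclass
class ApparmorEvent:
    timestamp: float
    serial: int
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def denied(self) -> bool:
        return self.fields.get("apparmor") == "DENIED"

    @property
    def nnp_exec_denial(self) -> bool:
        """An exec refused not by a profile rule but because the task has
        no_new_privs set and the exec would change its AppArmor confinement:
        the interaction NoNewPrivileges=yes triggers in this bug report."""
        return (self.denied
                and self.fields.get("operation") == "exec"
                and self.fields.get("info") == "no new privs")

    @property
    def in_policy_namespace(self) -> bool:
        """True when a child policy namespace (root//lxd-ns0_) or a stacked
        profile (lxd-ns0_//&:...) is involved, i.e. a container, not the host."""
        ns = self.fields.get("namespace", "")
        target = self.fields.get("target", "")
        return "//" in ns or "//&:" in target


def parse_apparmor_line(line: str) -> Optional[ApparmorEvent]:
    """Parse one dmesg/auditd line; return None for non-AppArmor records."""
    if "apparmor=" not in line:
        return None
    m = _AUDIT_ID.search(line)
    if m is None:
        return None
    fields = {key: bare or quoted for key, quoted, bare in _KV.findall(line)}
    return ApparmorEvent(float(m.group(1)), int(m.group(2)), fields)


def triage(lines: Iterable[str]) -> Dict[str, List[ApparmorEvent]]:
    """Split denials into the NNP/transition conflict (needs a kernel fix or a
    unit-file change) and ordinary policy denials (need a profile rule)."""
    buckets: Dict[str, List[ApparmorEvent]] = {"nnp_exec": [], "policy": []}
    for line in lines:
        ev = parse_apparmor_line(line)
        if ev is None or not ev.denied:
            continue
        buckets["nnp_exec" if ev.nnp_exec_denial else "policy"].append(ev)
    return buckets


def explain(ev: ApparmorEvent) -> str:
    """One-line operator summary of a denial."""
    f = ev.fields
    who = f"pid {f.get('pid')} comm={f.get('comm')}"
    if ev.nnp_exec_denial:
        return (f"{who}: exec of {f.get('name')} refused: task has no_new_privs "
                f"and transition {f.get('profile')} -> {f.get('target')} would "
                f"change confinement (namespace {f.get('namespace', 'root')})")
    return (f"{who}: {f.get('operation')} on {f.get('name')} denied by profile "
            f"{f.get('profile')} (denied_mask={f.get('denied_mask')})")


# Constructed sample: the two records from the bug report rejoined onto
# single lines, one ordinary policy denial, and one unrelated audit line.
SAMPLE_LOG = [
    'audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" '
    'operation="exec" info="no new privs" error=-1 profile="lxd-ns0_" '
    'name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" '
    'denied_mask="x" fsuid=1065536 ouid=1065536 '
    'target="lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd"',
    'audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" '
    'operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_" '
    'profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" '
    'requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 '
    'target="/usr/sbin/nsd"',
    'audit: type=1400 audit(1568387900.123:80): apparmor="DENIED" '
    'operation="open" profile="nsd" name="/var/lib/nsd/zone.db" pid=4242 '
    'comm="nsd" requested_mask="r" denied_mask="r" fsuid=1065536 ouid=1065536',
    'audit: type=1300 audit(1568387900.124:81): syscall=59 success=yes pid=4243',
]

if __name__ == "__main__":
    for kind, events in triage(SAMPLE_LOG).items():
        for ev in events:
            print(f"[{kind}] serial {ev.serial}: {explain(ev)}")
```

Feed it `dmesg` or `journalctl -k` output line by line; an `nnp_exec` hit on a kernel where the thread's fix is not yet applied points at the NoNewPrivileges interaction rather than at the profile.
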
[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-28 Thread John Johansen
updated to the 5.0.0-29 kernel


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-28 Thread John Johansen
ha, it's by mistake. I fetched the new kernel but missed doing the
rebase. I'll get a new 5.0 up asap.


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-27 Thread Simon Déziel
I was surprised to get such an old 5.0 (5.0.0-8 was released in Mar
2019) kernel while all the others were very current. I'm sure you have
your reasons but I'd want to be sure it was not a simple mistake :)


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-26 Thread John Johansen
okay, thanks for testing. I'll submit the patch for 4.4 and 4.15 kernels
and look into why the 5.0 kernel is blocking policy loads.


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-26 Thread Simon Déziel
Test results on Xenial:

Xenial/4.4:

# uname -a | sed 's/lxd01\.[^ ]\+/lxd01/'
Linux lxd01 4.4.0-164-generic #192+lp1844186 SMP Thu Sep 26 15:17:42 UTC 2019 
x86_64 x86_64 x86_64 GNU/Linux

*result*: works

Xenial/4.15:

# uname -a | sed 's/lxd01\.[^ ]\+/lxd01/'
Linux lxd01 4.15.0-64-generic #73+lp1844186 SMP Thu Sep 26 15:17:27 UTC 2019 
x86_64 x86_64 x86_64 GNU/Linux

*result*: works


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-26 Thread Simon Déziel
Test results on Bionic:

Bionic/4.15:

$ uname -a
Linux c2d.mgmt.sdeziel.info 4.15.0-64-generic #73+lp1844186 SMP Thu Sep 26 
15:17:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: works!

Bionic/5.0:

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-8-generic #9+lp1844186 SMP Thu Sep 26 
15:03:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: doesn't work/couldn't test properly. That kernel doesn't let
me load an Apparmor policy in the container:

root@ns0:~# aa-status 
apparmor module is loaded.
You do not have enough privilege to read the profile set.

Maybe it's just too old or the kernel isn't compatible with the Apparmor
version from Bionic? The binary/service starts fine with
NoNewPrivileges=yes but there is no Apparmor policy loaded in the
container, only in the host.


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-26 Thread John Johansen
There are some test kernels at
https://people.canonical.com/~jj/lp1844186/


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-24 Thread Simon Déziel
Thanks for working on this. I'll be happy to test whatever you come up
with on Xenial/Bionic (4.4, 4.15 and 5.0 kernels) machines.


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-24 Thread John Johansen
I am testing a fix for this that won't require reverting the patch. I
will put up a test kernel if it passes.


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-24 Thread John Johansen
In the above regression we have

lxd-ns0_//&:root//lxd-ns0_://unconfined

transitioning to

lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd//&:root//lxd-ns0_:///usr/sbin/nsd

This is not a strict subset of profiles; however, the unconfined
exception needs to be taken into account when nnp is set.

There is a bug in the subset test, so that the unconfined exception is
not being handled correctly. This affects all kernels, though to
different degrees.

Kernels before the patch for bug 1839037 have this bug, but because of
where the unconfined exception is tested (at the profile transition) it
happens to work in this case. Other cases can be contrived where the
transition will fail.

Reverting the patch in bug 1839037 will fix the regression for this
particular case.
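A small model of the nnp subset test described in this comment, added here as an example (it is not kernel code and not part of the bug report): it parses the two labels quoted above and shows that a plain subset test denies the transition while the test with the unconfined exception allows it, next to constructed transitions that both tests must still deny. Assumed, not taken from the page: the test requires the new label to keep every profile of the label the task had when no_new_privs was set, with an unconfined entry exempt; the label grammar and the treatment of the two spellings of the container namespace as one namespace are simplifications of the audit-log format.

```python
import re
from typing import List, Tuple

Profile = Tuple[str, str]  # (namespace, profile name)

# The two labels quoted in the comment above: a stacked label lists its
# profiles joined by "//&", and ":ns:name" places a profile in namespace ns.
OLD_LABEL = "lxd-ns0_//&:root//lxd-ns0_://unconfined"
NEW_LABEL = "lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd//&:root//lxd-ns0_:///usr/sbin/nsd"


def parse_label(label: str, view_ns: str = "root") -> List[Profile]:
    """Split a stacked label string into (namespace, profile) pairs.

    Assumptions (a simplification of how the kernel prints labels, not its
    parser): a bare name lives in the viewing namespace; a namespace written
    without the "root//" prefix is the same namespace as the one written with
    it; the "//" run separating namespace and profile in the fully qualified
    spelling is not part of the profile name.
    """
    profiles: List[Profile] = []
    for part in label.split("//&"):
        if part.startswith(":"):
            ns, _, name = part[1:].partition(":")
            if ns != view_ns and not ns.startswith(view_ns + "//"):
                ns = view_ns + "//" + ns
            name = re.sub(r"^(//)+", "", name)
        else:
            ns, name = view_ns, part
        profiles.append((ns, name))
    return profiles


def nnp_allows(old: List[Profile], new: List[Profile],
               unconfined_exception: bool) -> bool:
    """Model of the no_new_privs transition check (assumed semantics).

    Stacking only ever adds confinement, so the transition is allowed when
    every profile the task was confined by when it entered no_new_privs (old)
    is still present in the new label. With the unconfined exception, an
    "unconfined" entry in old is not required to survive: there was no
    confinement in that namespace, so replacing it with a real profile does
    not grant any privilege.
    """
    new_set = set(new)
    for ns, name in old:
        if (ns, name) in new_set:
            continue
        if unconfined_exception and name == "unconfined":
            continue
        return False
    return True


def missing_profiles(old: List[Profile], new: List[Profile]) -> List[Profile]:
    """Profiles of old that new dropped; this is what an nnp denial is about."""
    new_set = set(new)
    return [p for p in old if p not in new_set]


def check(old_label: str, new_label: str) -> Tuple[bool, bool]:
    """Return (plain subset result, result with the unconfined exception)."""
    old, new = parse_label(old_label), parse_label(new_label)
    return nnp_allows(old, new, False), nnp_allows(old, new, True)


# Constructed transitions (not from the bug) that the check must still deny:
# a task already confined by the nsd profile inside the container may neither
# swap that profile for another nor drop the host-side container profile.
CONFINED_OLD = "lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd"
SWAP_NEW = "lxd-ns0_//&:lxd-ns0_:/bin/sh"
DROP_OUTER_NEW = ":lxd-ns0_:/usr/sbin/nsd"
# Constructed pure stacking transition: adding a profile is allowed either way.
STACK_OLD = "lxd-ns0_"
STACK_NEW = "lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd"

if __name__ == "__main__":
    cases = [(OLD_LABEL, NEW_LABEL), (CONFINED_OLD, SWAP_NEW),
             (CONFINED_OLD, DROP_OUTER_NEW), (STACK_OLD, STACK_NEW)]
    for old, new in cases:
        plain, with_exc = check(old, new)
        dropped = missing_profiles(parse_label(old), parse_label(new))
        print(f"{old}\n  -> {new}\n  plain subset: {plain}"
              f"  with unconfined exception: {with_exc}  dropped: {dropped}")
```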


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-24 Thread John Johansen
I should add that bug 1839037 is a bug in the subset test introduced in
kernel 4.13 (and earlier Ubuntu 4.4 Xenial kernels). Some subsets will
properly transition, some won't; it all depends on what is in the stack
being transitioned. The patch fixes it so that all transition
combinations pass correctly. The patch actually allows more transitions
under nnp than when it is not applied. The bug does not exist in the
4.17 or later kernel version.

The 5.0 HWE kernel never had the bug addressed in bug 1839037, and did
not receive the patch.

The DENY messages above indicate that this is a case of a cross policy
namespace check; I am investigating if cross namespace checks are
broken.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1844186

Title:
  [regression] NoNewPrivileges incompatible with Apparmor

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Description:

  Host: Bionic 64 bit with GA kernel (4.15)
  Container: Bionic 64 bit

  The container runs a binary (/usr/sbin/nsd) locked by an Apparmor
  profile. The systemd service is configured with NoNewPrivileges=yes.

    # systemctl show nsd | grep ^NoNew
    NoNewPrivileges=yes

  This setup worked fine with 4.15.0-58-generic and before but stopped
  working with the 4.15.0-60-generic update. When running the bogus
  kernel, starting the nsd service fails and the following is logged in
  the host's dmesg:

  audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" 
info="no new privs" error=-1 profile="lxd-ns0_" 
name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" 
fsuid=1065536 ouid=1065536 
target="lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd"
  audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" 
info="no new privs" error=-1 
namespace="root//lxd-ns0_" profile="unconfined" 
name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" 
fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"

  Disabling the Apparmor profile OR setting NoNewPrivileges=no in the
  container makes it work again.

  I check with a couple of kernels:

  4.15.0-52-generic works
  4.15.0-58-generic works
  4.15.0-60-generic is broken

  The 5.0 HWE kernel has always been broken it seems:

  5.0.0-15-generic is broken
  5.0.0-17-generic is broken
  5.0.0-20-generic is broken
  5.0.0-23-generic is broken
  5.0.0-25-generic is broken
  5.0.0-27-generic is broken

  I have another similar setup but using Xenial host/container and it
  broke in a similar fashion where 4.4.0-159-generic works but
  4.4.0-161-generic is broken.

  Additional information:

  # lsb_release -rd
  Description:  Ubuntu 18.04.3 LTS
  Release:  18.04

  # apt-cache policy nsd
  nsd:
    Installed: 4.1.26-1ubuntu0.18.04.1~ppa2
    Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2
    Version table:
   *** 4.1.26-1ubuntu0.18.04.1~ppa2 500
  500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main 
amd64 Packages
  100 /var/lib/dpkg/status
   4.1.17-1build1 500
  500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

  nsd comes from a custom backport; this should be irrelevant.
  nsd's custom Apparmor profile: https://paste.ubuntu.com/p/BB3ZYzH8WQ/

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-60-generic 4.15.0-60.67
  ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
  Uname: Linux 5.0.0-27-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  AlsaDevices:
   total 0
   crw-rw 1 root audio 116,  1 Sep 16 18:02 seq
   crw-rw 1 root audio 116, 33 Sep 16 18:02 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
  ApportVersion: 2.20.9-0ubuntu7.7
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 
'arecord'
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', 
'/dev/snd/timer'] failed with exit code 1:
  CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 
not found.
  Date: Mon Sep 16 18:14:02 2019
  InstallationDate: Installed on 2019-08-22 (24 days ago)
  InstallationMedia: Ubuntu-Server 18.04.3 LTS "Bionic Beaver" - Release amd64 
(20190805)
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
  MachineType: Dell Inc. Inspiron 530s
  PciMultimedia:

  ProcEnviron:
   LANG=en_US.UTF-8
   SHELL=/bin/bash
   TERM=xterm-256color
   PATH=(custom, no user)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.0.0-27-generic 
root=UUID=7c11931f-ee1e-4d07-bc03-d167b9c39ef0 ro apt-setup/restricted=false 
apt-setup/multiverse=false kaslr nmi_watchdog=0 nr_cpus=2 pti=on vsyscall=none
  RelatedPackageVersions:
   linux-restricted-modules-5.0.0-27-generic N/A
   linux-backports-modules-5.0.0-27-generic  N/A
   linux-firmware

[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-23 Thread John Johansen
The LSMs respecting the nnp flag was actually mandated by Linus. So yes,
it breaks AppArmor.

Kernel 3.5: Tasks that have nnp block apparmor policy transitions except
for unconfined, as transitions in that case always result in reduced
permissions.

Kernel 4.13: Loosened these restrictions around stacking. That is, a
transition adding a new element to a stack was allowed, as that is
guaranteed to always reduce permissions. Ubuntu had this in Xenial (4.4)
kernels.

Kernel 4.17: AppArmor began tracking under what label nnp was set and
using that for profile transition tests. This improved the 4.13 stacking
test making containers capable of transitioning policy in the container
as long as the host policy wasn't transitioned.

To do more, AppArmor has to be able to override nnp. SELinux has managed to add
an nnp override permission and get it upstream; we are looking to do the same
with AppArmor, but I have no timeline as to when it will land.
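As an added triage example (not code from the kernel, AppArmor or anyone in this thread), the script below parses the two denials quoted in the report, decodes the stacked target label into its namespace components, and keeps only the records whose info= field is "no new privs", i.e. the nnp-blocked transitions described above. The third sample line is constructed for contrast and is not from the report.

```python
"""Triage AppArmor "no new privs" exec denials from dmesg/audit output."""
import re
from typing import Optional

# Constructed sample: the two audit lines quoted in the bug report, rejoined
# after mail wrapping, plus one made-up non-nnp denial for contrast.
SAMPLE_DMESG = """\
audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd"
audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"
audit: type=1400 audit(1568387900.000:75): apparmor="DENIED" operation="open" profile="lxd-ns0_" name="/dev/tty" pid=9000 comm="nsd" requested_mask="w" denied_mask="w" fsuid=1065536 ouid=0
"""

# key=value pairs; AppArmor quotes strings and leaves numbers bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_ID_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_audit_line(line: str) -> Optional[dict]:
    """Parse one type=1400 AppArmor record into a field dict (None if not one)."""
    if 'apparmor=' not in line:
        return None
    rec = {k: (quoted if quoted else bare)
           for k, quoted, bare in KV_RE.findall(line)}
    m = AUDIT_ID_RE.search(line)
    if m:
        rec['timestamp'] = m.group(1)
        rec['serial'] = int(m.group(2))
    return rec


def parse_label(label: str) -> list:
    """Split an AppArmor label into (namespace, profile) pairs.

    Stacked labels join their components with "//&"; a component written
    ":ns:profile" lives in policy namespace ns, anything else in the
    namespace the record was logged from (returned as None).
    """
    parts = []
    for comp in label.split('//&'):
        if comp.startswith(':') and comp.count(':') >= 2:
            _, ns, profile = comp.split(':', 2)
            parts.append((ns, profile))
        else:
            parts.append((None, comp))
    return parts


def classify(rec: dict) -> Optional[dict]:
    """Summarise a denial caused by NoNewPrivileges; None for anything else."""
    if rec.get('apparmor') != 'DENIED' or rec.get('info') != 'no new privs':
        return None
    target = parse_label(rec.get('target', ''))
    return {
        'serial': rec.get('serial'),
        'pid': rec.get('pid'),
        'exe': rec.get('name'),
        # namespace= is present when the record comes from a child policy namespace
        'log_namespace': rec.get('namespace'),
        'from_profile': rec.get('profile'),
        'to_label': target,
        'stacked': len(target) > 1,
        # either the target names a profile in another policy namespace, or the
        # record itself was emitted from inside a child namespace
        'crosses_namespace': any(ns is not None for ns, _ in target)
                             or 'namespace' in rec,
    }


def triage(dmesg: str) -> list:
    """Return one summary per nnp-blocked transition found in dmesg text."""
    findings = []
    for line in dmesg.splitlines():
        rec = parse_audit_line(line)
        if rec is not None:
            summary = classify(rec)
            if summary is not None:
                findings.append(summary)
    return findings


def group_by_pid(findings: list) -> dict:
    """Group by pid: in the report one exec (pid 8568) produced serials 73 and 74."""
    groups = {}
    for f in findings:
        groups.setdefault(f['pid'], []).append(f)
    return groups


if __name__ == '__main__':
    for pid, views in group_by_pid(triage(SAMPLE_DMESG)).items():
        print(f"pid {pid}: {len(views)} nnp denial(s) for {views[0]['exe']}")
        for v in views:
            where = v['log_namespace'] or 'root'
            print(f"  [{where}] {v['from_profile']} -> {v['to_label']} "
                  f"stacked={v['stacked']} crosses_namespace={v['crosses_namespace']}")
```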


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-23 Thread Simon Déziel
Yes, that's also what I suspected. I haven't been able to catch John
Johansen on IRC to discuss it with him.


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-23 Thread Mauricio Faria de Oliveira
Apparently this seems to be introduced by bug 1839037,
which is related to nnp and is the only mention of it in
the changelog of linux 4.15.0-60.67 [1], if I read it right.

[1] https://launchpad.net/ubuntu/+source/linux/4.15.0-60.67


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-16 Thread Simon Déziel
** Description changed:

  Description:
  
  Host: Bionic 64 bit with GA kernel (4.15)
  Container: Bionic 64 bit
  
  The container runs a binary (/usr/sbin/nsd) locked by an Apparmor
  profile. The systemd service is configured with NoNewPrivileges=yes.
  
    # systemctl show nsd | grep ^NoNew
    NoNewPrivileges=yes
  
  This setup worked fine with 4.15.0-58-generic and before but stopped
  working with the 4.15.0-60-generic update. When running the bogus
  kernel, starting the nsd service fails and the following is logged in
  the host's dmesg:
  
  audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" 
info="no new privs" error=-1 profile="lxd-ns0_" 
name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" 
fsuid=1065536 ouid=1065536 
target="lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd"
  audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" 
info="no new privs" error=-1 
namespace="root//lxd-ns0_" profile="unconfined" 
name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" 
fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"
  
  Disabling the Apparmor profile OR setting NoNewPrivileges=no in the
  container makes it work again.
  
  I check with a couple of kernels:
  
  4.15.0-52-generic works
  4.15.0-58-generic works
  4.15.0-60-generic is broken
  
  The 5.0 HWE kernel has always been broken it seems:
  
  5.0.0-15-generic is broken
  5.0.0-17-generic is broken
  5.0.0-20-generic is broken
  5.0.0-23-generic is broken
  5.0.0-25-generic is broken
  5.0.0-27-generic is broken
  
- 
- I have another similar setup but using Xenial host/container and it broke in 
a similar fashion where 4.4.0-159-generic works but where 4.4.0-161-generic is 
broken.
- 
+ I have another similar setup but using Xenial host/container and it
+ broke in a similar fashion where 4.4.0-159-generic works but
+ 4.4.0-161-generic is broken.
  
  Additional information:
  
  # lsb_release -rd
  Description:  Ubuntu 18.04.3 LTS
  Release:  18.04
  
  # apt-cache policy nsd
  nsd:
    Installed: 4.1.26-1ubuntu0.18.04.1~ppa2
    Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2
    Version table:
   *** 4.1.26-1ubuntu0.18.04.1~ppa2 500
  500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main 
amd64 Packages
  100 /var/lib/dpkg/status
   4.1.17-1build1 500
  500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
  
  nsd comes from a custom backport this should be irrelevant.
  nsd's custom Apparmor profile: https://paste.ubuntu.com/p/BB3ZYzH8WQ/
  
  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-60-generic 4.15.0-60.67
  ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
  Uname: Linux 5.0.0-27-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  AlsaDevices:
   total 0
   crw-rw 1 root audio 116,  1 Sep 16 18:02 seq
   crw-rw 1 root audio 116, 33 Sep 16 18:02 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
  ApportVersion: 2.20.9-0ubuntu7.7
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 
'arecord'
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', 
'/dev/snd/timer'] failed with exit code 1:
  CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 
not found.
  Date: Mon Sep 16 18:14:02 2019
  InstallationDate: Installed on 2019-08-22 (24 days ago)
  InstallationMedia: Ubuntu-Server 18.04.3 LTS "Bionic Beaver" - Release amd64 
(20190805)
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
  MachineType: Dell Inc. Inspiron 530s
  PciMultimedia:
  
  ProcEnviron:
   LANG=en_US.UTF-8
   SHELL=/bin/bash
   TERM=xterm-256color
   PATH=(custom, no user)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.0.0-27-generic 
root=UUID=7c11931f-ee1e-4d07-bc03-d167b9c39ef0 ro apt-setup/restricted=false 
apt-setup/multiverse=false kaslr nmi_watchdog=0 nr_cpus=2 pti=on vsyscall=none
  RelatedPackageVersions:
   linux-restricted-modules-5.0.0-27-generic N/A
   linux-backports-modules-5.0.0-27-generic  N/A
   linux-firmware1.173.9
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/24/2009
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: 1.0.18
  dmi.board.name: 0RY007
  dmi.board.vendor: Dell Inc.
  dmi.chassis.type: 3
  dmi.chassis.vendor: Dell Inc.
  dmi.chassis.version: OEM
  dmi.modalias: 
dmi:bvnDellInc.:bvr1.0.18:bd02/24/2009:svnDellInc.:pnInspiron530s:pvr:rvnDellInc.:rn0RY007:rvr:cvnDellInc.:ct3:cvrOEM:
  dmi.product.name: Inspiron 530s
  dmi.sys.vendor: Dell Inc.


[Kernel-packages] [Bug 1844186] Re: [regression] NoNewPrivileges incompatible with Apparmor

2019-09-16 Thread Simon Déziel
** Description changed:

  Description:
  
  Host: Bionic 64 bit with GA kernel (4.15)
  Container: Bionic 64 bit
  
  The container runs a binary (/usr/sbin/nsd) locked by an Apparmor
  profile. The systemd service is configured with NoNewPrivileges=yes.
  
-   # systemctl show nsd | grep ^NoNew
-   NoNewPrivileges=yes
+   # systemctl show nsd | grep ^NoNew
+   NoNewPrivileges=yes
  
  This setup worked fine with 4.15.0-58-generic and before but stopped
  working with the 4.15.0-60-generic update. When running the bogus
  kernel, starting the nsd service fails and the following is logged in
  the host's dmesg:
  
  audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" 
info="no new privs" error=-1 profile="lxd-ns0_" 
name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" 
fsuid=1065536 ouid=1065536 
target="lxd-ns0_//&:lxd-ns0_:/usr/sbin/nsd"
  audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" 
info="no new privs" error=-1 
namespace="root//lxd-ns0_" profile="unconfined" 
name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" 
fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"
  
  Disabling the Apparmor profile OR setting NoNewPrivileges=no in the
  container makes it work again.
  
  I check with a couple of kernels:
  
  4.15.0-52-generic works
  4.15.0-58-generic works
  4.15.0-60-generic is broken
  
  The 5.0 HWE kernel has always been broken it seems:
  
  5.0.0-15-generic is broken
  5.0.0-17-generic is broken
  5.0.0-20-generic is broken
  5.0.0-23-generic is broken
  5.0.0-25-generic is broken
  5.0.0-27-generic is broken
  
  
+ I have another similar setup but using Xenial host/container and it broke in 
a similar fashion where 4.4.0-159-generic works but where 4.4.0-161-generic is 
broken.
+ 
+ 
  Additional information:
  
  # lsb_release -rd
  Description:  Ubuntu 18.04.3 LTS
  Release:  18.04
  
  # apt-cache policy nsd
  nsd:
-   Installed: 4.1.26-1ubuntu0.18.04.1~ppa2
-   Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2
-   Version table:
-  *** 4.1.26-1ubuntu0.18.04.1~ppa2 500
- 500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main 
amd64 Packages
- 100 /var/lib/dpkg/status
-  4.1.17-1build1 500
- 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
+   Installed: 4.1.26-1ubuntu0.18.04.1~ppa2
+   Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2
+   Version table:
+  *** 4.1.26-1ubuntu0.18.04.1~ppa2 500
+ 500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main 
amd64 Packages
+ 100 /var/lib/dpkg/status
+  4.1.17-1build1 500
+ 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
  
  nsd comes from a custom backport this should be irrelevant.
  nsd's custom Apparmor profile: https://paste.ubuntu.com/p/BB3ZYzH8WQ/
  
  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-60-generic 4.15.0-60.67
  ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
  Uname: Linux 5.0.0-27-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  AlsaDevices:
-  total 0
-  crw-rw 1 root audio 116,  1 Sep 16 18:02 seq
-  crw-rw 1 root audio 116, 33 Sep 16 18:02 timer
+  total 0
+  crw-rw 1 root audio 116,  1 Sep 16 18:02 seq
+  crw-rw 1 root audio 116, 33 Sep 16 18:02 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
  ApportVersion: 2.20.9-0ubuntu7.7
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 
'arecord'
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', 
'/dev/snd/timer'] failed with exit code 1:
  CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 
not found.
  Date: Mon Sep 16 18:14:02 2019
  InstallationDate: Installed on 2019-08-22 (24 days ago)
  InstallationMedia: Ubuntu-Server 18.04.3 LTS "Bionic Beaver" - Release amd64 
(20190805)
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
  MachineType: Dell Inc. Inspiron 530s
  PciMultimedia:
-  
+ 
  ProcEnviron:
-  LANG=en_US.UTF-8
-  SHELL=/bin/bash
-  TERM=xterm-256color
-  PATH=(custom, no user)
+  LANG=en_US.UTF-8
+  SHELL=/bin/bash
+  TERM=xterm-256color
+  PATH=(custom, no user)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.0.0-27-generic 
root=UUID=7c11931f-ee1e-4d07-bc03-d167b9c39ef0 ro apt-setup/restricted=false 
apt-setup/multiverse=false kaslr nmi_watchdog=0 nr_cpus=2 pti=on vsyscall=none
  RelatedPackageVersions:
-  linux-restricted-modules-5.0.0-27-generic N/A
-  linux-backports-modules-5.0.0-27-generic  N/A
-  linux-firmware1.173.9
+  linux-restricted-modules-5.0.0-27-generic N/A
+  linux-backports-modules-5.0.0-27-generic  N/A
+  linux-firmware1.173.9
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
  SourcePackage: linux