This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

  apport-collect 1648903

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

** Changed in: linux (Ubuntu)
   Status: New => Incomplete

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1648903

Title:
  Permission denied and inconsistent behavior in complain mode with 'ip netns list' command

Status in AppArmor:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed

Bug description:
  On 16.04 with Ubuntu 4.4.0-53.74-generic 4.4.30

  With this profile:

  #include <tunables/global>
  profile test (attach_disconnected,complain) {
    #include <abstractions/base>

    /{,usr/}{,s}bin/ip ixr, # COMMENT OUT THIS RULE TO SEE WEIRDNESS

    capability sys_admin,
    capability net_admin,
    capability sys_ptrace,

    network netlink raw,

    ptrace (trace),

    / r,
    /run/netns/ rw,
    /run/netns/* rw,
    mount options=(rw, rshared) -> /run/netns/,
    mount options=(rw, bind) /run/netns/ -> /run/netns/,
    mount options=(rw, bind) / -> /run/netns/*,
    mount options=(rw, rslave) /,
    mount options=(rw, rslave), # LP: #1648245
    umount /sys/,
    umount /,

    /bin/dash ixr,
  }

  Everything is fine when I do:

  $ sudo apparmor_parser -r /home/jamie/apparmor.profile && sudo aa-exec -p test -- sh -c 'ip netns list'
  $

  and there are no ALLOWED entries in syslog.

  However, if I comment out the '/{,usr/}{,s}bin/ip ixr,' rule, I get a permission denied and a bunch of ALLOWED entries:

  $ sudo apparmor_parser -r /home/jamie/apparmor.profile && sudo aa-exec -p test -- sh -c 'ip netns list'
  open("/proc/self/ns/net"): Permission denied

  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.862629] audit: type=1400 audit(1481324889.782:469): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="test" pid=4314 comm="apparmor_parser"
  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870339] audit: type=1400 audit(1481324889.790:470): apparmor="ALLOWED" operation="exec" profile="test" name="/bin/ip" pid=4317 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="test//null-/bin/ip"
  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870559] audit: type=1400 audit(1481324889.790:471): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/etc/ld.so.cache" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870628] audit: type=1400 audit(1481324889.790:472): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/libdl-2.23.so" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870703] audit: type=1400 audit(1481324889.790:473): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870861] audit: type=1400 audit(1481324889.790:474): apparmor="ALLOWED" operation="file_mprotect" profile="test//null-/bin/ip" name="/bin/ip" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870913] audit: type=1400 audit(1481324889.790:475): apparmor="ALLOWED" operation="file_mprotect" profile="test//null-/bin/ip" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871019] audit: type=1400 audit(1481324889.790:476): apparmor="ALLOWED" operation="create" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871066] audit: type=1400 audit(1481324889.790:477): apparmor="ALLOWED" operation="setsockopt" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="setopt" denied_mask="setopt"
  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871099] audit: type=1400 audit(1481324889.790:478): apparmor="ALLOWED" operation="setsockopt" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="setopt" denied_mask="setopt"
  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871128] audit: type=1400 audit(1481324889.790:479): apparmor="ALLOWED" operation="bind" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="bind" denied_mask="bind"
  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871672] audit: type=1400 audit(1481324889.794:480): apparmor="ALLOWED" operation="getsockname" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="getattr" denied_mask="getattr"
  Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871770] audit: type=1400 audit(1481324889.794:481): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="test//null-/bin/ip" name="" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1648903/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
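As an added example (not part of the bug report and not AppArmor's own tooling), the following Python script parses AppArmor audit records of the kind quoted above, groups the ALLOWED entries by the profile that produced them, and flags the two things worth noticing in a complain-mode log: an exec whose target is a `//null-` profile (the exec matched no rule, so the child ran under a generated learning profile), and an access whose info field reports a disconnected path. The sample lines are a subset of the report's own output; the field regex assumes the `key="value"` / `key=value` layout shown there.

```python
import re
from collections import defaultdict

# Sample input: four audit records copied from the bug report above.
SAMPLE_LOG = """\
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870339] audit: type=1400 audit(1481324889.790:470): apparmor="ALLOWED" operation="exec" profile="test" name="/bin/ip" pid=4317 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="test//null-/bin/ip"
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.870559] audit: type=1400 audit(1481324889.790:471): apparmor="ALLOWED" operation="open" profile="test//null-/bin/ip" name="/etc/ld.so.cache" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871019] audit: type=1400 audit(1481324889.790:476): apparmor="ALLOWED" operation="create" profile="test//null-/bin/ip" pid=4317 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Dec 9 17:08:09 sec-xenial-amd64 kernel: [ 3117.871770] audit: type=1400 audit(1481324889.794:481): apparmor="ALLOWED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="test//null-/bin/ip" name="" pid=4317 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value; group 2 is None for the bare form,
# which lets an empty name="" survive as '' rather than being lost.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record,
    or None if the line is not an AppArmor record at all."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def summarize(log_text):
    """Group ALLOWED/DENIED records by originating profile.
    Each entry is (operation, object, denied_mask); the object is the
    path for file operations or the socket family for network ones."""
    by_profile = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get('apparmor') not in ('ALLOWED', 'DENIED'):
            continue
        obj = rec['name'] if 'name' in rec else rec.get('family', '')
        by_profile[rec['profile']].append(
            (rec.get('operation', ''), obj, rec.get('denied_mask', '')))
    return dict(by_profile)


def findings(log_text):
    """Flag execs that fell through to a '//null-' learning profile and
    accesses that failed because the path was disconnected."""
    out = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get('apparmor') != 'ALLOWED':
            continue
        if rec.get('operation') == 'exec' and '//null-' in rec.get('target', ''):
            out.append(f"exec of {rec.get('name')} from profile {rec.get('profile')} "
                       f"matched no exec rule; child ran as {rec['target']}")
        if 'disconnected path' in rec.get('info', ''):
            out.append(f"{rec.get('profile')}: {rec.get('operation')} on a disconnected "
                       f"path (error={rec.get('error')}, mask={rec.get('denied_mask')})")
    return out


if __name__ == "__main__":
    for profile, entries in summarize(SAMPLE_LOG).items():
        print(profile)
        for op, obj, mask in entries:
            print(f"  {op:<12} {obj or '<empty>':<40} {mask}")
    for note in findings(SAMPLE_LOG):
        print("!", note)
```

Run on a real syslog the same way (`summarize(open('/var/log/syslog').read())`); the per-profile grouping is what separates records attributable to the confined profile itself from those produced by a `//null-` child, which is exactly the distinction the report's "comment out the ip rule" experiment turns on.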