Public bug reported:

Description:

Host: Bionic 64 bit with GA kernel (4.15)
Container: Bionic 64 bit

The container runs a binary (/usr/sbin/nsd) locked by an Apparmor
profile. The systemd service is configured with NoNewPrivileges=yes.

  # systemctl show nsd | grep ^NoNew
  NoNewPrivileges=yes

This setup worked fine with 4.15.0-58-generic and before but stopped
working with the 4.15.0-60-generic update. When running the bogus
kernel, starting the nsd service fails and the following is logged in
the host's dmesg:

audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_</var/snap/lxd/common/lxd>" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"
audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"

Disabling the Apparmor profile OR setting NoNewPrivileges=no in the
container makes it work again.
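As an added example (not part of the bug report), the following POSIX shell function scans audit/dmesg lines for exactly the failure signature shown above: apparmor="DENIED" together with operation="exec" and info="no new privs". It lets an operator confirm that a failing service is hitting this NoNewPrivileges/AppArmor interaction from the logs alone, before touching the profile or the unit. The sample input is constructed: the report's two dmesg lines unwrapped onto single lines, plus one ordinary ALLOWED event to show that it is filtered out; the function name nnp_denials is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report.
# Constructed sample: the two audit lines quoted in the report (unwrapped)
# plus one unrelated ALLOWED event that must not be reported.
SAMPLE_AUDIT='audit: type=1400 audit(1568387834.381:73): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxd-ns0_</var/snap/lxd/common/lxd>" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="lxd-ns0_</var/snap/lxd/common/lxd>//&:lxd-ns0_<var-snap-lxd-common-lxd>:/usr/sbin/nsd"
audit: type=1400 audit(1568387834.381:74): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxd-ns0_<var-snap-lxd-common-lxd>" profile="unconfined" name="/usr/sbin/nsd" pid=8568 comm="(nsd)" requested_mask="x" denied_mask="x" fsuid=1065536 ouid=1065536 target="/usr/sbin/nsd"
audit: type=1400 audit(1568387900.000:75): apparmor="ALLOWED" operation="open" profile="lxd-ns0_</var/snap/lxd/common/lxd>" name="/etc/nsd/nsd.conf" pid=8570 comm="nsd" requested_mask="r" denied_mask="r" fsuid=1065536 ouid=1065536'

# nnp_denials (hypothetical name): read audit lines on stdin and print
#   <audit id> <pid> <profile> <name>
# for every AppArmor exec denial whose info field is "no new privs".
# Any other event (allowed, non-exec, other denial reasons) is ignored.
nnp_denials() {
    awk '
    /apparmor="DENIED"/ && /operation="exec"/ && /info="no new privs"/ {
        id = ""; pid = ""; prof = ""; name = ""
        # audit(<seconds>.<ms>:<serial>) -> keep only the part in parentheses
        if (match($0, /audit\([0-9.]+:[0-9]+\)/))
            id = substr($0, RSTART + 6, RLENGTH - 7)
        # pid=NNN (fsuid=/ouid= do not match because of the leading "pid=")
        if (match($0, /pid=[0-9]+/))
            pid = substr($0, RSTART + 4, RLENGTH - 4)
        # profile="..." : the profile the task was running under at exec time
        if (match($0, /profile="[^"]*"/))
            prof = substr($0, RSTART + 9, RLENGTH - 10)
        # name="..." : the binary being executed ("namespace=" does not match)
        if (match($0, /name="[^"]*"/))
            name = substr($0, RSTART + 6, RLENGTH - 7)
        print id, pid, prof, name
    }'
}

# Stand-alone usage: scan the constructed sample. On a real host the input
# would be `dmesg` or the audit log instead of $SAMPLE_AUDIT.
printf '%s\n' "$SAMPLE_AUDIT" | nnp_denials
```

Both denials in the report come from the same pid (8568) but from different profiles, the container's lxd-ns0 profile and "unconfined" inside the container's namespace, which is what the two printed lines make visible at a glance.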

I checked with a couple of kernels:

4.15.0-52-generic works
4.15.0-58-generic works
4.15.0-60-generic is broken

The 5.0 HWE kernel has always been broken it seems:

5.0.0-15-generic is broken
5.0.0-17-generic is broken
5.0.0-20-generic is broken
5.0.0-23-generic is broken
5.0.0-25-generic is broken
5.0.0-27-generic is broken


I have another similar setup but using Xenial host/container and it broke in a 
similar fashion where 4.4.0-159-generic works but where 4.4.0-161-generic is 
broken.


Additional information:

# lsb_release -rd
Description:    Ubuntu 18.04.3 LTS
Release:        18.04

# apt-cache policy nsd
nsd:
  Installed: 4.1.26-1ubuntu0.18.04.1~ppa2
  Candidate: 4.1.26-1ubuntu0.18.04.1~ppa2
  Version table:
 *** 4.1.26-1ubuntu0.18.04.1~ppa2 500
        500 http://ppa.launchpad.net/sdeziel.info/infra/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     4.1.17-1build1 500
        500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

nsd comes from a custom backport, but this should be irrelevant.
nsd's custom Apparmor profile: https://paste.ubuntu.com/p/BB3ZYzH8WQ/

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-60-generic 4.15.0-60.67
ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
Uname: Linux 5.0.0-27-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116,  1 Sep 16 18:02 seq
 crw-rw---- 1 root audio 116, 33 Sep 16 18:02 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
Date: Mon Sep 16 18:14:02 2019
InstallationDate: Installed on 2019-08-22 (24 days ago)
InstallationMedia: Ubuntu-Server 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
MachineType: Dell Inc. Inspiron 530s
PciMultimedia:

ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
 TERM=xterm-256color
 PATH=(custom, no user)
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.0.0-27-generic root=UUID=7c11931f-ee1e-4d07-bc03-d167b9c39ef0 ro apt-setup/restricted=false apt-setup/multiverse=false kaslr nmi_watchdog=0 nr_cpus=2 pti=on vsyscall=none
RelatedPackageVersions:
 linux-restricted-modules-5.0.0-27-generic N/A
 linux-backports-modules-5.0.0-27-generic  N/A
 linux-firmware                            1.173.9
RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 02/24/2009
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.0.18
dmi.board.name: 0RY007
dmi.board.vendor: Dell Inc.
dmi.chassis.type: 3
dmi.chassis.vendor: Dell Inc.
dmi.chassis.version: OEM
dmi.modalias: dmi:bvnDellInc.:bvr1.0.18:bd02/24/2009:svnDellInc.:pnInspiron530s:pvr:rvnDellInc.:rn0RY007:rvr:cvnDellInc.:ct3:cvrOEM:
dmi.product.name: Inspiron 530s
dmi.sys.vendor: Dell Inc.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Confirmed


** Tags: amd64 apport-bug bionic

** Summary changed:

- [regression] NoNewPrivileges breaks Apparmor
+ [regression] NoNewPrivileges incompatible with Apparmor

https://bugs.launchpad.net/bugs/1844186

Title:
  [regression] NoNewPrivileges incompatible with Apparmor