desktop-packages team mailing list archive

Thread
Date

[Bug 1199933] Re: apparmor parser in precise does not support block_suspend capability (needed for backported kernels)

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: tedmar <1199933@xxxxxxxxxxxxxxxxxx>
Date: Sat, 03 Jan 2015 20:54:03 -0000
Reply-to: Bug 1199933 <1199933@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

My computer has slow boot times because this error
Tail of dmesg

[   44.672089] input: Bluetooth Laser Travel Mouse as /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.5/2-1.5:1.0/bluetooth/hci0/hci0:35/input12
[   44.672198] hid-generic 0005:046D:B008.0001: input,hidraw0: BLUETOOTH HID v3.13 Mouse [Bluetooth Laser Travel Mouse] on 84:a6:c8:b2:0a:83
[   96.021989] audit_printk_skb: 30 callbacks suppressed
[   96.021992] type=1400 audit(1420316542.197:28): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1370 comm="cupsd" pid=1370 comm="cupsd" capability=36  capname="block_suspend"
[  118.923987] type=1400 audit(1420316565.113:29): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1370 comm="cupsd" pid=1370 comm="cupsd" capability=36  capname="block_suspend"

In my case is not cosmetic.
I need a patch

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1199933

Title:
  apparmor parser in precise does not support block_suspend capability
  (needed for backported kernels)

Status in apparmor package in Ubuntu:
  Fix Released
Status in cups package in Ubuntu:
  Confirmed
Status in apparmor source package in Precise:
  Triaged
Status in apparmor source package in Saucy:
  Fix Released

Bug description:
  When running an up-to-date precise system with a linux-image-generic-lts-raring HWE kernel (linux 3.8), 
  the precise verion of apparmor will deny all attempts of apparmored apps to call the block_suspend system call:

  For example: 
  type=AVC msg=audit(XXXXXXXXXX.XXX:XXXXX): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=1040 comm="cupsd" pid=1040 comm="cupsd" capability=36  capname="block_suspend"

  But it is also impossible to add block_suspend to the apparmor profiles, because the AppArmor parser does not know about it:
    Setting /usr/sbin/cupsd to enforce mode.
    Warning from stdin (line 1): /sbin/apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
    AppArmor parser error, in stdin line 24: Invalid capability block_suspend.

  This seems to make it impossible to have apparmor  not deny block
  suspend when using an LTS HWE kernel.

  This seems to be related to bug #1052098.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: apparmor 2.7.102-0ubuntu3.7
  ProcVersionSignature: Ubuntu 3.8.0-25.37~precise1-generic 3.8.13
  Uname: Linux 3.8.0-25-generic x86_64
  ApportVersion: 2.0.1-0ubuntu17.3
  Architecture: amd64
  Date: Wed Jul 10 12:48:24 2013
  EcryptfsInUse: Yes
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
  KernLog: Jul 10 12:34:08 gumdrop kernel: [580960.424225] SGI XFS with ACLs, security attributes, realtime, large block/inode numbers, no debug enabled
  MarkForUpload: True
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdline: BOOT_IMAGE=/@/boot/vmlinuz-3.8.0-25-generic root=UUID=981723af-1da9-455d-b776-3a1e8885efde ro rootflags=subvol=@
  SourcePackage: apparmor
  UpgradeStatus: No upgrade log present (probably fresh install)
  audit.log: Error: [Errno 13] Permission denied: '/var/log/audit/audit.log'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1199933/+subscriptions