edubuntu-bugs team mailing list archive

[Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

 

We had a mitigation for this in glibc, but the latest change from simply
denying the unshare() call to allowing it but then denying anything
requiring capabilities *presumably* broke the glibc test suite again.
I'm only basing this on looking at the test logs, as I'm temporarily
unable to run autopkgtests locally and am lacking the time to fix it.

2 classes of errors:

2770s FAIL: stdlib/tst-system
2770s original exit status 1
2770s error: test-container.c:1136: could not create a private mount namespace

That one is clearly userns-related, as it's due to a failing mount()
call right after unshare().

2770s FAIL: sunrpc/tst-svc_register
2770s original exit status 1
2770s error: xwrite.c:32: write of 12 bytes failed after 0: Operation not permitted
2770s error: 1 test failures

I can't tell for sure what this one is about since this is your basic
write() call and I don't have a stack trace at hand, but the EPERM would
suggest that it's related.

I think a first fix would be to amend the test script to disable the
userns restriction entirely for the duration of the tests (using
'needs-sudo'), while I'll still need to patch the test suite eventually
to handle this new failure mode gracefully and simply ignore the tests,
akin to
https://sourceware.org/pipermail/libc-alpha/2024-February/154754.html

-- 
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications
  to crash with SIGTRAP
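
Added example, not part of the original message and not glibc's own code: a small C probe that tells apart the two behaviours the message describes, unshare() being refused outright versus unshare() succeeding and a capability-requiring mount() failing afterwards. The enum, function and array names are hypothetical; the probe runs in a forked child so the caller's namespaces are left untouched.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Fallback values from the Linux UAPI if the headers did not define them. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Hypothetical names for this example. */
enum userns_status { USERNS_OK, USERNS_DENIED, USERNS_NO_CAPS, USERNS_PROBE_ERROR };

static const char *const userns_status_names[] = {
    "usable", "creation denied", "created, privileged operation denied", "probe error"
};

enum userns_status probe_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return USERNS_PROBE_ERROR;
    if (pid == 0) {
        /* Child is single-threaded, which CLONE_NEWUSER requires. */
        if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNS) != 0)
            _exit(USERNS_DENIED);      /* older behaviour: unshare() itself fails */
        /* Changing mount propagation needs CAP_SYS_ADMIN in the new namespace. */
        if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
            _exit(USERNS_NO_CAPS);     /* newer behaviour: namespace exists, caps denied */
        _exit(USERNS_OK);
    }
    int st;
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st) || WEXITSTATUS(st) > USERNS_NO_CAPS)
        return USERNS_PROBE_ERROR;
    return (enum userns_status)WEXITSTATUS(st);
}

int main(void)
{
    enum userns_status s = probe_userns();
    printf("unprivileged userns: %s\n", userns_status_names[s]);
    return s;   /* a test harness could skip container tests on non-zero */
}
```

A mount() failure can have causes other than the AppArmor restriction, so USERNS_NO_CAPS is a hint to check the host's policy, not proof of it.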