← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1838627] [NEW] AppArmor onexec transition causes WARN kernel stack trace

 

Public bug reported:

microk8s has reported on issue with the Xenial kernel where apparmor
causes the following kernel stack trace due to an apparmor AA_BUG
condition being triggered.


[  225.236085] ------------[ cut here ]------------
[  225.236104] WARNING: CPU: 1 PID: 13726 at /build/linux-aUWTNP/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
[  225.236109] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)): 
[  225.236113] Modules linked in:
[  225.236118]  btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs veth xt_nat xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs libcrc32c ctr ccm ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 br_netfilter bridge stp llc pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) bnep aufs overlay binfmt_misc drbg ansi_cprng dm_crypt snd_hda_codec_hdmi arc4 eeepc_wmi asus_wmi sparse_keymap nvidia_uvm(POE) mxm_wmi joydev input_leds btusb btrtl btbcm btintel bluetooth snd_usb_audio snd_usbmidi_lib snd_hda_intel snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hda_core intel_powerclamp snd_hwdep coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_ens1371 snd_ac97_codec gameport ac97_bus
[  225.236305]  snd_seq_midi aesni_intel snd_pcm snd_seq_midi_event aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd snd_rawmidi snd_seq iwlmvm snd_seq_device serio_raw snd_timer mac80211 snd soundcore iwlwifi cfg80211 mei_me mei shpchp 8250_fintek wmi acpi_pad mac_hid ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 xt_hl ip6t_rt nf_conntrack_ipv6 nf_defrag_ipv6 ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_recent xt_limit xt_tcpudp xt_addrtype nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ip6table_filter ip6_tables nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack parport_pc iptable_filter ip_tables ppdev x_tables lp parport autofs4 hid_generic usbhid hid nvidia_drm(POE) nvidia_modeset(POE) nvidia(POE) i915_bpo psmouse e1000e intel_ips ptp i2c_algo_bit
[  225.236420]  pps_core drm_kms_helper nvme syscopyarea sysfillrect sysimgblt fb_sys_fops ahci drm libahci video fjes
[  225.236446] CPU: 1 PID: 13726 Comm: runc:[2:INIT] Tainted: P        W  OE   4.4.0-154-generic #181-Ubuntu
[  225.236451] Hardware name: System manufacturer System Product Name/PRIME H270-PRO, BIOS 0323 01/04/2017
[  225.236456]  0000000000000286 fa217f3573a84520 ffff88033ade39d0 ffffffff8140b481
[  225.236464]  ffff88033ade3a18 ffffffff81d03018 ffff88033ade3a08 ffffffff81085432
[  225.236477]  ffff88035cb2f000 ffff88033ade3b6c ffff88033bcb8b88 ffff88033ade3d88
[  225.236484] Call Trace:
[  225.236498]  [<ffffffff8140b481>] dump_stack+0x63/0x82
[  225.236509]  [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
[  225.236518]  [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
[  225.236527]  [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
[  225.236536]  [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
[  225.236544]  [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
[  225.236554]  [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
[  225.236562]  [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
[  225.236571]  [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
[  225.236581]  [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
[  225.236589]  [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
[  225.236596]  [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
[  225.236608]  [<ffffffffc1439712>] ? ovl_getxattr+0x52/0xb0 [overlay]
[  225.236617]  [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
[  225.236624]  [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
[  225.236633]  [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
[  225.236642]  [<ffffffff812229d5>] prepare_binprm+0x85/0x190
[  225.236651]  [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
[  225.236661]  [<ffffffff8122460a>] SyS_execve+0x3a/0x50
[  225.236671]  [<ffffffff81863f15>] stub_execve+0x5/0x5
[  225.236678]  [<ffffffff81863b9b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
[  225.236684] ---[ end trace 6b2beaa85ae31c29 ]---


This is caused when the change_onexec api is used and permitted by the profile but the task has the NO_NEW_PRIVS flag set causing the domain transition specified in the change_onexec request to fail.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Incomplete

** Affects: linux (Ubuntu Xenial)
     Importance: Undecided
     Assignee: John Johansen (jjohansen)
         Status: Confirmed


** Tags: xenial

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Xenial)
     Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: linux (Ubuntu Xenial)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1838627

Title:
  AppArmor onexec transition causes WARN kernel stack trace

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Confirmed

Bug description:
  microk8s has reported on issue with the Xenial kernel where apparmor
  causes the following kernel stack trace due to an apparmor AA_BUG
  condition being triggered.

  
  [  225.236085] ------------[ cut here ]------------
  [  225.236104] WARNING: CPU: 1 PID: 13726 at /build/linux-aUWTNP/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
  [  225.236109] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)): 
  [  225.236113] Modules linked in:
  [  225.236118]  btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs veth xt_nat xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs libcrc32c ctr ccm ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 br_netfilter bridge stp llc pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) bnep aufs overlay binfmt_misc drbg ansi_cprng dm_crypt snd_hda_codec_hdmi arc4 eeepc_wmi asus_wmi sparse_keymap nvidia_uvm(POE) mxm_wmi joydev input_leds btusb btrtl btbcm btintel bluetooth snd_usb_audio snd_usbmidi_lib snd_hda_intel snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hda_core intel_powerclamp snd_hwdep coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_ens1371 snd_ac97_codec gameport ac97_bus
  [  225.236305]  snd_seq_midi aesni_intel snd_pcm snd_seq_midi_event aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd snd_rawmidi snd_seq iwlmvm snd_seq_device serio_raw snd_timer mac80211 snd soundcore iwlwifi cfg80211 mei_me mei shpchp 8250_fintek wmi acpi_pad mac_hid ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 xt_hl ip6t_rt nf_conntrack_ipv6 nf_defrag_ipv6 ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_recent xt_limit xt_tcpudp xt_addrtype nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ip6table_filter ip6_tables nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack parport_pc iptable_filter ip_tables ppdev x_tables lp parport autofs4 hid_generic usbhid hid nvidia_drm(POE) nvidia_modeset(POE) nvidia(POE) i915_bpo psmouse e1000e intel_ips ptp i2c_algo_bit
  [  225.236420]  pps_core drm_kms_helper nvme syscopyarea sysfillrect sysimgblt fb_sys_fops ahci drm libahci video fjes
  [  225.236446] CPU: 1 PID: 13726 Comm: runc:[2:INIT] Tainted: P        W  OE   4.4.0-154-generic #181-Ubuntu
  [  225.236451] Hardware name: System manufacturer System Product Name/PRIME H270-PRO, BIOS 0323 01/04/2017
  [  225.236456]  0000000000000286 fa217f3573a84520 ffff88033ade39d0 ffffffff8140b481
  [  225.236464]  ffff88033ade3a18 ffffffff81d03018 ffff88033ade3a08 ffffffff81085432
  [  225.236477]  ffff88035cb2f000 ffff88033ade3b6c ffff88033bcb8b88 ffff88033ade3d88
  [  225.236484] Call Trace:
  [  225.236498]  [<ffffffff8140b481>] dump_stack+0x63/0x82
  [  225.236509]  [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
  [  225.236518]  [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
  [  225.236527]  [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
  [  225.236536]  [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
  [  225.236544]  [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
  [  225.236554]  [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
  [  225.236562]  [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
  [  225.236571]  [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
  [  225.236581]  [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
  [  225.236589]  [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
  [  225.236596]  [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
  [  225.236608]  [<ffffffffc1439712>] ? ovl_getxattr+0x52/0xb0 [overlay]
  [  225.236617]  [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
  [  225.236624]  [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
  [  225.236633]  [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
  [  225.236642]  [<ffffffff812229d5>] prepare_binprm+0x85/0x190
  [  225.236651]  [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
  [  225.236661]  [<ffffffff8122460a>] SyS_execve+0x3a/0x50
  [  225.236671]  [<ffffffff81863f15>] stub_execve+0x5/0x5
  [  225.236678]  [<ffffffff81863b9b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
  [  225.236684] ---[ end trace 6b2beaa85ae31c29 ]---

  
  This is caused when the change_onexec api is used and permitted by the profile but the task has the NO_NEW_PRIVS flag set causing the domain transition specified in the change_onexec request to fail.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1838627/+subscriptions


Follow ups