kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #108011
[Bug 1390223] Re: Apparmor related regression on access to unix sockets on a candidate 3.16 backport kernel
I went ahead and upgraded to vivid. My kerberos/ldap problems are solved
but I still get:
$ mailq
postqueue: warning: close: Permission denied
guest is trusty:
ii postfix 2.11.0-1ubuntu1
amd64 High-performance mail transport agent
host is vivid:
ii lxc 1.1.0-0ubuntu1 amd64 Linux Containers userspace tools
ii apparmor 2.9.1-0ubuntu7 amd64 User-space parser utility for AppArmor
Linux venkman 3.19.0-9-generic #9-Ubuntu SMP Wed Mar 11 17:50:03 UTC
2015 x86_64 x86_64 x86_64 GNU/Linux
As #2, I get "Permission denied" ~997/1000 tries (in a loop).
ubuntu@test:~$ for i in {1..1000}; do mailq; done 2>&1 | grep -v Permission
Mail queue is empty
Mail queue is empty
Mail queue is empty
Mail queue is empty
ubuntu@test:~$
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1390223
Title:
Apparmor related regression on access to unix sockets on a candidate
3.16 backport kernel
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Utopic:
Confirmed
Status in linux source package in Vivid:
Fix Released
Bug description:
I recently noticed a bunch of containers failing in a rather odd way
when running postfix.
The most visible example is when running mailq on an empty queue.
Without apparmor (unconfined container) I see that the queue is empty,
with apparmor, I get Permission denied.
That's all running as root so the permission denied looks a tiny bit
odd. Also, running the 3.13 kernel, I don't get any of that weirdness.
My guess is that it has to do with the work that went into the 3.16
kernel for socket mediation. In theory only systems that run the
utopic apparmor (which I DO NOT) should be seeing that kind of
behavior, but it looks like some code path isn't checking things
properly :)
== strace in unconfined container ==
chdir("/var/spool/postfix") = 0
rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x7f8963a62c30}, {SIG_IGN, [], 0}, 8) = 0
getuid() = 0
socket(PF_LOCAL, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR) = 0
connect(4, {sa_family=AF_LOCAL, sun_path="public/showq"}, 110) = 0
poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=POLLIN|POLLHUP}])
read(4, "Mail queue is empty\n", 4096) = 20
poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=POLLIN|POLLHUP}])
read(4, "", 4096) = 0
write(1, "Mail queue is empty\n", 20Mail queue is empty
) = 20
close(4) = 0
exit_group(0) = ?
+++ exited with 0 +++
== strace in confined container ==
chdir("/var/spool/postfix") = 0
rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x7ffe62de4c30}, {SIG_IGN, [], 0}, 8) = 0
getuid() = 0
socket(PF_LOCAL, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR) = 0
connect(4, {sa_family=AF_LOCAL, sun_path="public/showq"}, 110) = 0
poll([{fd=4, events=POLLIN}], 1, 3600000) = 1 ([{fd=4, revents=POLLIN|POLLHUP}])
read(4, 0x7ffe65b35c00, 4096) = -1 EACCES (Permission denied)
close(4) = 0
write(2, "postqueue: warning: close: Permi"..., 45postqueue: warning: close: Permission denied
) = 45
sendto(3, "<20>Nov 6 20:40:42 postfix/post"..., 78, MSG_NOSIGNAL, NULL, 0) = 78
exit_group(0) = ?
Kernel is a slightly outdated version of the kernel from the kernel team PPA:
Linux shell01 3.16.0-23-generic #31-Ubuntu SMP Thu Oct 23 20:13:35 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
If you think the latest build will improve this, I can test it, but
seeing how this is a production server, I can't just flip kernels
every 5 minutes (I'm running 3.16 to avoid a nasty btrfs bug on 3.13).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1390223/+subscriptions
References
