kernel-packages team mailing list archive

[Bug 1496430] Re: Docker-1.8.2 can't create container, due to apparmor denying 'disconnected path'


This bug was fixed in the package linux - 4.2.0-15.18

---------------
linux (4.2.0-15.18) wily; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1503692

  [ Andy Whitcroft ]

  * Revert "SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()"
    Was incorrectly backported.

  [ Ben Hutchings ]

  * SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    - CVE-2015-7312

  [ Tim Gardner ]

  * [Debian] config-check and prepare using ${DEBIAN}/config/annotations
    Makes the LTS update script work better.

linux (4.2.0-15.17) wily; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1503016
  * rebase to v4.2.3

  [ Andrew Donnellan ]

  * SAUCE: cxl: fix leak of IRQ names in cxl_free_afu_irqs()
  * SAUCE: cxl: fix leak of ctx->irq_bitmap when releasing context via
    kernel API
  * SAUCE: cxl: fix leak of ctx->mapping when releasing kernel API contexts

  [ Ben Hutchings ]

  * SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    - CVE-2015-7312

  [ Dan Carpenter ]

  * SAUCE: (noup) cxlflash: a couple off by one bugs
    - LP: #1499849

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: fix mount not handling disconnected paths
    - LP: #1496430

  [ Manoj Kumar ]

  * SAUCE: (noup) cxlflash: Fix to avoid invalid port_sel value
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Replace magic numbers with literals
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix read capacity timeout
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to double the delay each time
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to escalate to LINK_RESET on login timeout
    - LP: #1499849

  [ Matthew R. Ochs ]

  * SAUCE: (noup) cxlflash: Fix potential oops following LUN removal
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix data corruption when vLUN used over
    multiple cards
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to avoid sizeof(bool)
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix context encode mask width
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to avoid CXL services during EEH
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Correct naming of limbo state and waitq
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Make functions static
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Refine host/device attributes
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to avoid spamming the kernel log
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to avoid stall while waiting on TMF
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix location of setting resid
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix host link up event handling
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix async interrupt bypass logic
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Remove dual port online dependency
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix AFU version access/storage and add check
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Correct usage of scsi_host_put()
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to prevent workq from accessing freed
    memory
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Correct behavior in device reset handler
    following EEH
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Remove unnecessary scsi_block_requests
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix function prolog parameters and return codes
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix MMIO and endianness errors
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to prevent EEH recovery failure
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Correct spelling, grammar, and alignment
    mistakes
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to prevent stale AFU RRQ
    - LP: #1499849
  * SAUCE: (noup) MAINTAINERS: Add cxlflash driver
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to avoid corrupting adapter fops
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Correct trace string
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to avoid potential deadlock on EEH
    - LP: #1499849
  * SAUCE: (noup) cxlflash: Fix to avoid leaving dangling interrupt
    resources
    - LP: #1499849

  [ Philippe Bergheaud ]

  * SAUCE: cxl: Workaround malformed pcie packets on some cards

  [ Tim Gardner ]

  * [Config] CONFIG_CC_STACKPROTECTOR_STRONG=y
    - LP: #1380025
  * [Config] Add MMC modules sufficient for net booting
    - LP: #1502772

  [ Upstream Kernel Changes ]

  * Initialize msg/shm IPC objects before doing ipc_addid()
  * RDS: verify the underlying transport exists before creating a
    connection
  * cxl: abort cxl_pci_enable_device_hook() if PCI channel is offline
  * cxl: Fix build failure due to -Wunused-variable behaviour change
  * cxl: Fix lockdep warning while creating afu_err_buff attribute
  * USB: whiteheat: fix potential null-deref at probe
    - LP: #1478826
    - CVE-2015-5257
  * dcache: Handle escaped paths in prepend_path
    - CVE-2015-2925
  * vfs: Test for and handle paths that are unreachable from their mnt_root
    - CVE-2015-2925
  * hv_netvsc: Add support to set MTU reservation from guest side
    - LP: #1494431
  * hv_netvsc: Add close of RNDIS filter into change mtu call
    - LP: #1494431

 -- Tim Gardner <tim.gardner@xxxxxxxxxxxxx>  Wed, 07 Oct 2015 07:28:10 -0600

** Changed in: linux (Ubuntu Wily)
       Status: Incomplete => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2925

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5257

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7312

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-utopic in Ubuntu.
https://bugs.launchpad.net/bugs/1496430

Title:
  Docker-1.8.2 can't create container, due to apparmor denying
  'disconnected path'

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-lts-utopic source package in Wily:
  Invalid

Bug description:
  I'm trying to get docker-1.8.2-rc1 to work on snappy, while doing so I
  got this apparmor denial:

  Sep 10 09:12:35 localhost.localdomain audit[1320]: AVC apparmor="DENIED" operation="mount" info="Failed name lookup - disconnected path" error=-13 profile="docker_docker-daemon_IAUSSaDNVTJR" name="/run/docker/netns/6901f2b6dd4c/" pid=1320 comm="exe" srcname="" flags="rw, bind"

  and trying to chase it I got:
  http://paste.ubuntu.com/12341612/

  so docker is trying to issue this mount: 
  syscall.Mount("/proc/self/ns/net", "/var/run/docker/netns/5b9b1ba4437b", "bind", syscall.MS_BIND /* 4096 */, "")

  from https://golang.org/pkg/syscall/#Mount
  func Mount(source string, target string, fstype string, flags uintptr, data string) (err error)

  which is denied as if there wasn't a source?

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1496430/+subscriptions
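The denial quoted in the report is easy to misread: the mount has a source (/proc/self/ns/net), but the audit line carries srcname="" and info="Failed name lookup - disconnected path". The source is a namespace file on a kernel-internal mount that is not attached to the mount tree the profile can see, so the kernel cannot produce a path for it and the mount rule match fails before the bind flags are even considered. The following Go program is an added example, not code from the bug report, Docker or AppArmor: it parses AVC lines of the shape shown above into their key=value fields (including quoted values with spaces and commas such as flags="rw, bind"), flags the disconnected-path mount case, and prints a triage summary. SampleDenied is the line from the report joined onto one line; SampleOther is a constructed contrast case, not a real log entry.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleDenied is the AVC line from the bug report above, joined onto one line.
const SampleDenied = `Sep 10 09:12:35 localhost.localdomain audit[1320]: AVC apparmor="DENIED" operation="mount" info="Failed name lookup - disconnected path" error=-13 profile="docker_docker-daemon_IAUSSaDNVTJR" name="/run/docker/netns/6901f2b6dd4c/" pid=1320 comm="exe" srcname="" flags="rw, bind"`

// SampleOther is a constructed (not real) file-access denial used as a contrast case.
const SampleOther = `Sep 10 09:13:01 localhost.localdomain audit[1401]: AVC apparmor="DENIED" operation="open" profile="docker-default" name="/etc/shadow" pid=1401 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0`

// AppArmorEvent holds the key=value fields of one AVC audit line.
type AppArmorEvent struct {
	Fields map[string]string
}

// ParseAppArmorLine splits the part of a syslog/audit line starting at
// "apparmor=" into key=value pairs. Double-quoted values may contain
// spaces and commas (info="..." and flags="rw, bind"); bare values such as
// pid=1320 or error=-13 end at the next space.
func ParseAppArmorLine(line string) (AppArmorEvent, bool) {
	start := strings.Index(line, "apparmor=")
	if start < 0 {
		return AppArmorEvent{}, false
	}
	ev := AppArmorEvent{Fields: map[string]string{}}
	rest := line[start:]
	for {
		rest = strings.TrimLeft(rest, " ")
		if rest == "" {
			return ev, true
		}
		eq := strings.IndexByte(rest, '=')
		if eq < 0 {
			return ev, false // trailing token without '='
		}
		key := rest[:eq]
		rest = rest[eq+1:]
		if strings.HasPrefix(rest, `"`) {
			end := strings.IndexByte(rest[1:], '"')
			if end < 0 {
				return ev, false // unterminated quoted value
			}
			ev.Fields[key] = rest[1 : 1+end]
			rest = rest[2+end:]
		} else {
			sp := strings.IndexByte(rest, ' ')
			if sp < 0 {
				ev.Fields[key] = rest
				rest = ""
			} else {
				ev.Fields[key] = rest[:sp]
				rest = rest[sp:]
			}
		}
	}
}

// IsDisconnectedPathMountDenial reports whether an event is the mount
// denial seen in the report: the profile denied a mount because the kernel
// could not produce a path for the source that is reachable from the
// profile's view of the mount tree, so srcname is empty and info names a
// disconnected path.
func IsDisconnectedPathMountDenial(ev AppArmorEvent) bool {
	return ev.Fields["apparmor"] == "DENIED" &&
		ev.Fields["operation"] == "mount" &&
		strings.Contains(ev.Fields["info"], "disconnected path")
}

// Summarize renders the fields a triager looks at first. An empty srcname
// is shown explicitly, since that is the tell for this class of denial.
func Summarize(ev AppArmorEvent) string {
	src := ev.Fields["srcname"]
	if src == "" {
		src = "(none)"
	}
	return fmt.Sprintf("profile=%s %s %s target=%s source=%s flags=%q info=%q",
		ev.Fields["profile"], ev.Fields["apparmor"], ev.Fields["operation"],
		ev.Fields["name"], src, ev.Fields["flags"], ev.Fields["info"])
}

func main() {
	for _, line := range []string{SampleDenied, SampleOther} {
		ev, ok := ParseAppArmorLine(line)
		if !ok {
			fmt.Println("unparseable:", line)
			continue
		}
		fmt.Println(Summarize(ev), "disconnected-path-mount:", IsDisconnectedPathMountDenial(ev))
	}
}
```

The classifier keys on operation="mount" plus the "disconnected path" text in info rather than on the empty srcname alone, because srcname is also legitimately empty for mounts that have no source (remounts, tmpfs). On a kernel carrying the "apparmor: fix mount not handling disconnected paths" change from the changelog above, the same bind mount should no longer produce this line; if it still does, the profile in play is the one named in the profile= field.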