kernel-packages team mailing list archive

Thread
Date

[Bug 1496430] Re: Docker-1.8.2 can't create container, due to apparmor denying 'disconnected path'

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1496430@xxxxxxxxxxxxxxxxxx>
Date: Mon, 19 Oct 2015 16:06:43 -0000
Reply-to: Bug 1496430 <1496430@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package linux - 3.2.0-92.130

---------------
linux (3.2.0-92.130) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1500854

  [ dan.streetman@xxxxxxxxxxxxx ]

  * [Config] HOTPLUG_PCI_ACPI=y
    - LP: #1479031

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: fix mount not handling disconnected paths
    - LP: #1496430

  [ Upstream Kernel Changes ]

  * RDS: verify the underlying transport exists before creating a
    connection
    - LP: #1496232
    - CVE-2015-6937
  * virtio-net: drop NETIF_F_FRAGLIST
    - LP: #1484793
    - CVE-2015-5156

 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>  Mon, 05 Oct 2015 13:50:43 -0700

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-utopic in Ubuntu.
https://bugs.launchpad.net/bugs/1496430

Title:
  Docker-1.8.2 can't create container, due to apparmor denying
  'disconnected path'

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Released
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Committed
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-lts-utopic source package in Wily:
  Invalid

Bug description:
  I'm trying to get docker-1.8.2-rc1 to work on snappy, while doing so I
  got this apparmor denial:

  Sep 10 09:12:35 localhost.localdomain audit[1320]: AVC
  apparmor="DENIED" operation="mount" info="Failed name lookup -
  disconnected path" error=-13 profile="docker_docker-
  daemon_IAUSSaDNVTJR" name="/run/docker/netns/6901f2b6dd4c/" pid=1320
  comm="exe" srcname="" flags="rw, bind"

  and trying to chase it I got:
  http://paste.ubuntu.com/12341612/

  so docker is trying to issue this mount: 
  syscall.Mount("/proc/self/ns/net", /var/run/docker/netns/5b9b1ba4437b, "bind", 4096 (syscall.MS_BIND), "")

  from https://golang.org/pkg/syscall/#Mount
  func Mount(source string, target string, fstype string, flags uintptr, data string) (err error)

  which is denied as if there wasn't a source?

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1496430/+subscriptions